Analysis Report spjYwLgrAT.exe

Overview

General Information

Sample Name: spjYwLgrAT.exe
Analysis ID: 391243
MD5: 862207538f0dfc88d7854b9ee3d396fd
SHA1: 9595e11755334331cd7e27785b5c32eb8d9d7a75
SHA256: ff5d04582ebc24f95416e178c35178b30db559438b66848afe8038e4028c07ab
Tags: exeFinderBot

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • spjYwLgrAT.exe (PID: 6844 cmdline: 'C:\Users\user\Desktop\spjYwLgrAT.exe' MD5: 862207538F0DFC88D7854B9EE3D396FD)
    • spjYwLgrAT.tmp (PID: 6932 cmdline: 'C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp' /SL5='$1F0260,7711994,721408,C:\Users\user\Desktop\spjYwLgrAT.exe' MD5: CB77AA222F1B8AB878BA0F86A08C361B)
      • wmfdist.exe (PID: 7092 cmdline: 'C:\Program Files (x86)\COMP Software\C_Synchredible\wmfdist.exe' /Q:A /R:N MD5: F59090E9A8070D7FBBDCC8895D2169A3)
      • synchredible.exe (PID: 7140 cmdline: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe MD5: 3D53CAC88565DAB574DC062A2854557B)
        • WerFault.exe (PID: 1496 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 1044 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\is-8QN4V.tmp, ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: spjYwLgrAT.exe, ReversingLabs: Detection: 24%
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp, Code function: 2_2_10001000 ISCryptGetVersion
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp, Code function: 2_2_10001130 ArcFourCrypt

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe, Unpacked PE file: 6.2.synchredible.exe.400000.0.unpack
Source: spjYwLgrAT.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: unknown, HTTPS traffic detected: 172.67.197.238:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.21.21.100:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: spjYwLgrAT.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\spjYwLgrAT.exe, Code function: 0_2_0040B268 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\spjYwLgrAT.exe, Code function: 0_2_0040AC9C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp, Code function: 2_2_005E9B24 FindFirstFileW,GetLastError
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp, Code function: 2_2_0040CBFC FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp, Code function: 2_2_006411A0 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp, Code function: 2_2_0040C630 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\wmfdist.exe, Code function: 5_2_01001C7F lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcmpA,lstrcmpA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA

Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe, DNS query: nikolakigreate.xyz
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View, JA3 fingerprint: fd80fa9c6120cdeea8520510f3c644ac
Source: unknown, DNS traffic detected: queries for: nikolakigreate.xyz
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown, Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49744 -> 443
Source: C:\Users\user\Desktop\spjYwLgrAT.exe, Code function: 0_2_004A0E24 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\wmfdist.exe, Code function: 5_2_0100263F ExitWindowsEx
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\wmfdist.exe, Code function: 5_2_010018B5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx
Source: Joe Sandbox View, Dropped File: C:\Program Files (x86)\COMP Software\C_Synchredible\is-8QN4V.tmp 3A1222B61C66674B1135225F0174CA6D51F1AB3F18662790F3AD32D47D9B9537
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 1044
Source: spjYwLgrAT.tmp.0.dr, Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: spjYwLgrAT.tmp.0.dr, Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-56MJT.tmp.2.dr, Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-56MJT.tmp.2.dr, Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: spjYwLgrAT.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: spjYwLgrAT.tmp.0.dr, Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: spjYwLgrAT.tmp.0.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: is-56MJT.tmp.2.dr, Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: is-56MJT.tmp.2.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: spjYwLgrAT.exe, 00000000.00000003.727825420.0000000002368000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamekernel32j% vs spjYwLgrAT.exe
Source: spjYwLgrAT.exe, 00000000.00000002.728682198.00000000025A0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamenetmsg.DLL.MUIj% vs spjYwLgrAT.exe
Source: spjYwLgrAT.exe, 00000000.00000002.728541435.00000000024B0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs spjYwLgrAT.exe
Source: spjYwLgrAT.exe, 00000000.00000003.654466854.00000000025E0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameshfolder.dll~/ vs spjYwLgrAT.exe
Source: spjYwLgrAT.exe, 00000000.00000000.653896455.00000000004B8000.00000002.00020000.sdmp, Binary or memory string: OriginalFileName vs spjYwLgrAT.exe
Source: spjYwLgrAT.exe, Binary or memory string: OriginalFileName vs spjYwLgrAT.exe
Source: spjYwLgrAT.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
Source: classification engineClassification label: mal76.troj.evad.winEXE@8/18@3/2
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\wmfdist.exeCode function: 5_2_01004560 CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,GetLastError,FormatMessageA,5_2_01004560
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_004A0E24 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,0_2_004A0E24
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\wmfdist.exeCode function: 5_2_010018B5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,5_2_010018B5
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_0041A5FC GetDiskFreeSpaceW,0_2_0041A5FC
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpCode function: 2_2_0060107C GetVersion,CoCreateInstance,2_2_0060107C
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_004A16FC FindResourceW,SizeofResource,LoadResource,LockResource,0_2_004A16FC
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpFile created: C:\Program Files (x86)\COMP SoftwareJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpFile created: C:\Users\user\AppData\Local\ProgramsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7140
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpMutant created: \Sessions\1\BaseNamedObjects\B7E1622F4E8F
Source: C:\Users\user\Desktop\spjYwLgrAT.exeFile created: C:\Users\user\AppData\Local\Temp\is-K28GB.tmpJump to behavior
Source: C:\Users\user\Desktop\spjYwLgrAT.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\LocalesJump to behavior
Source: C:\Users\user\Desktop\spjYwLgrAT.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganizationJump to behavior
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: is-HE97M.tmp.2.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: is-HE97M.tmp.2.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: is-HE97M.tmp.2.drBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: is-HE97M.tmp.2.drBinary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: is-HE97M.tmp.2.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: is-HE97M.tmp.2.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: is-HE97M.tmp.2.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: is-HE97M.tmp.2.drBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: is-HE97M.tmp.2.drBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: is-HE97M.tmp.2.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: is-HE97M.tmp.2.drBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: is-HE97M.tmp.2.drBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: spjYwLgrAT.exeReversingLabs: Detection: 24%
Source: spjYwLgrAT.exeString found in binary or memory: rting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file after having checked the co
Source: synchredible.exeString found in binary or memory: Accept-Additions
Source: synchredible.exeString found in binary or memory: List-Help
Source: synchredible.exeString found in binary or memory: MMHS-Exempted-Address
Source: synchredible.exeString found in binary or memory: Originator-Return-Address
Source: synchredible.exeString found in binary or memory: id-cmc-addExtensions
Source: synchredible.exeString found in binary or memory: /installers/pp
Source: synchredible.exeString found in binary or memory: set-addPolicy
Source: spjYwLgrAT.exeString found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\spjYwLgrAT.exeFile read: C:\Users\user\Desktop\spjYwLgrAT.exeJump to behavior
Source: unknownProcess created: C:\Users\user\Desktop\spjYwLgrAT.exe 'C:\Users\user\Desktop\spjYwLgrAT.exe'
Source: C:\Users\user\Desktop\spjYwLgrAT.exeProcess created: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp 'C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp' /SL5='$1F0260,7711994,721408,C:\Users\user\Desktop\spjYwLgrAT.exe'
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpProcess created: C:\Program Files (x86)\COMP Software\C_Synchredible\wmfdist.exe 'C:\Program Files (x86)\COMP Software\C_Synchredible\wmfdist.exe' /Q:A /R:N
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpProcess created: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 1044
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpWindow found: window name: TMainFormJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpFile opened: C:\Windows\SysWOW64\MSFTEDIT.DLLJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: spjYwLgrAT.exeStatic file information: File size 8462126 > 1048576
Source: spjYwLgrAT.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wextract.pdb source: wmfdist.exe, is-BJJUE.tmp.2.dr
Source: Binary string: wextract.pdbU source: wmfdist.exe, 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, is-BJJUE.tmp.2.dr
Source: Binary string: C:\Development\openssl-1.0.0d-i386-win32\out32dll\libeay32.pdb source: is-ML68I.tmp.2.dr
Source: Binary string: C:\Development\openssl-1.0.0d-i386-win32\out32dll\ssleay32.pdb source: is-4VO1P.tmp.2.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exeUnpacked PE file: 6.2.synchredible.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.resp:ER;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exeUnpacked PE file: 6.2.synchredible.exe.400000.0.unpack
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\wmfdist.exeCode function: 5_2_0100198B RegCreateKeyExA,wsprintfA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetModuleFileNameA,RegCloseKey,wsprintfA,lstrlenA,RegSetValueExA,RegCloseKey,LocalFree,5_2_0100198B
Source: spjYwLgrAT.exeStatic PE information: section name: .didata
Source: spjYwLgrAT.tmp.0.drStatic PE information: section name: .didata
Source: is-56MJT.tmp.2.drStatic PE information: section name: .didata
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_004A7000 push 004A70DEh; ret 0_2_004A70D6
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_004A7980 push 004A7A43h; ret 0_2_004A7A3B
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_0043007C push ecx; mov dword ptr [esp], eax0_2_0043007D
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_004990DC push ecx; mov dword ptr [esp], edx0_2_004990DD
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_0045608C push ecx; mov dword ptr [esp], ecx0_2_00456090
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_00430094 push ecx; mov dword ptr [esp], eax0_2_00430095
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_00498140 push ecx; mov dword ptr [esp], edx0_2_00498141
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_0045A16C push ecx; mov dword ptr [esp], edx0_2_0045A16D
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_0045410C push 00454162h; ret 0_2_0045415A
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_004251C8 push ecx; mov dword ptr [esp], eax0_2_004251CD
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_0041A1D4 push ecx; mov dword ptr [esp], ecx0_2_0041A1D8
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_00459260 push ecx; mov dword ptr [esp], edx0_2_00459261
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_00430214 push ecx; mov dword ptr [esp], eax0_2_00430215
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_00494220 push 004942FFh; ret 0_2_004942F7
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_004223E4 push 004224E8h; ret 0_2_004224E0
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_00458380 push ecx; mov dword ptr [esp], edx0_2_00458381
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_00458390 push ecx; mov dword ptr [esp], edx0_2_00458391
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_004953AC push ecx; mov dword ptr [esp], edx0_2_004953AD
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_00493450 push ecx; mov dword ptr [esp], edx0_2_00493453
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_00458464 push ecx; mov dword ptr [esp], ecx0_2_00458468
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_00499470 push ecx; mov dword ptr [esp], edx0_2_00499471
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_00457420 push ecx; mov dword ptr [esp], eax0_2_00457422
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_004544AC push ecx; mov dword ptr [esp], edx0_2_004544AD
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_0048D544 push ecx; mov dword ptr [esp], edx0_2_0048D546
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_00429520 push ecx; mov dword ptr [esp], edx0_2_00429522
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_0045A520 push ecx; mov dword ptr [esp], edx0_2_0045A521
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_004595B4 push ecx; mov dword ptr [esp], edx0_2_004595B5
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_00498604 push ecx; mov dword ptr [esp], edx0_2_00498605
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_0041A6D8 push ecx; mov dword ptr [esp], ecx0_2_0041A6DB
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_0049774C push ecx; mov dword ptr [esp], edx0_2_0049774D
Source: C:\Users\user\Desktop\spjYwLgrAT.exeCode function: 0_2_0049875C push ecx; mov dword ptr [esp], edx0_2_0049875D
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpFile created: C:\Program Files (x86)\COMP Software\C_Synchredible\is-8QN4V.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpFile created: C:\Program Files (x86)\COMP Software\C_Synchredible\is-HE97M.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpFile created: C:\Users\user\AppData\Local\Temp\is-OJHIB.tmp\_isetup\_iscrypt.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpFile created: C:\Program Files (x86)\COMP Software\C_Synchredible\is-S2O44.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpFile created: C:\Program Files (x86)\COMP Software\C_Synchredible\is-4VO1P.tmpJump to dropped file
Source: C:\Users\user\Desktop\spjYwLgrAT.exeFile created: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpFile created: C:\Program Files (x86)\COMP Software\C_Synchredible\is-56MJT.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpFile created: C:\Users\user\AppData\Local\Temp\is-OJHIB.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpFile created: C:\Program Files (x86)\COMP Software\C_Synchredible\is-ML68I.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpFile created: C:\Program Files (x86)\COMP Software\C_Synchredible\is-BJJUE.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpFile created: C:\Program Files (x86)\COMP Software\C_Synchredible\is-A9EG2.tmpJump to dropped file
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\wmfdist.exeCode function: 5_2_010022FF lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcmpiA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,lstrcpyA,lstrcpyA,GetShortPathNameA,wsprintfA,lstrcmpiA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,wsprintfA,LocalAlloc,GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,5_2_010022FF
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpCode function: 2_2_0062F3BC IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow,2_2_0062F3BC
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpCode function: 2_2_005A55A4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,2_2_005A55A4
Source: C:\Windows\SysWOW64\WerFault.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
Source: C:\Users\user\Desktop\spjYwLgrAT.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe | Code function: 6_2_004011E0 rdtsc 6_2_004011E0
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\COMP Software\C_Synchredible\is-HE97M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\COMP Software\C_Synchredible\is-S2O44.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\COMP Software\C_Synchredible\is-4VO1P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\COMP Software\C_Synchredible\is-56MJT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-OJHIB.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\COMP Software\C_Synchredible\is-ML68I.tmp
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Dropped PE file which has not been started: C:\Program Files (x86)\COMP Software\C_Synchredible\is-A9EG2.tmp
Source: C:\Users\user\Desktop\spjYwLgrAT.exe | Code function: 0_2_0040B268 FindFirstFileW,FindClose,0_2_0040B268
Source: C:\Users\user\Desktop\spjYwLgrAT.exe | Code function: 0_2_0040AC9C GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_0040AC9C
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Code function: 2_2_005E9B24 FindFirstFileW,GetLastError,2_2_005E9B24
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Code function: 2_2_0040CBFC FindFirstFileW,FindClose,2_2_0040CBFC
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Code function: 2_2_006411A0 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,2_2_006411A0
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Code function: 2_2_0040C630 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,2_2_0040C630
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\wmfdist.exe | Code function: 5_2_01001C7F lstrcpyA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,lstrcpyA,lstrcmpA,lstrcmpA,lstrcatA,lstrcatA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,5_2_01001C7F
Source: C:\Users\user\Desktop\spjYwLgrAT.exe | Code function: 0_2_004A1628 GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,0_2_004A1628
Source: WerFault.exe, 00000009.00000002.705147323.0000000005473000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWx
Source: spjYwLgrAT.exe, 00000000.00000002.728394996.00000000023C0000.00000002.00000001.sdmp, spjYwLgrAT.tmp, 00000002.00000002.720303377.0000000002750000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.707594966.0000000005CB0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000009.00000003.702478398.0000000005394000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: spjYwLgrAT.exe, 00000000.00000002.728394996.00000000023C0000.00000002.00000001.sdmp, spjYwLgrAT.tmp, 00000002.00000002.720303377.0000000002750000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.707594966.0000000005CB0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: spjYwLgrAT.exe, 00000000.00000002.728394996.00000000023C0000.00000002.00000001.sdmp, spjYwLgrAT.tmp, 00000002.00000002.720303377.0000000002750000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.707594966.0000000005CB0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: spjYwLgrAT.exe, 00000000.00000002.728394996.00000000023C0000.00000002.00000001.sdmp, spjYwLgrAT.tmp, 00000002.00000002.720303377.0000000002750000.00000002.00000001.sdmp, WerFault.exe, 00000009.00000002.707594966.0000000005CB0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe | Code function: 6_2_004011E0 rdtsc 6_2_004011E0
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe | Code function: 6_2_0054E26C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_0054E26C
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\wmfdist.exe | Code function: 5_2_0100198B RegCreateKeyExA,wsprintfA,RegQueryValueExA,RegCloseKey,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,FreeLibrary,GetSystemDirectoryA,lstrlenA,lstrlenA,lstrlenA,LocalAlloc,GetModuleFileNameA,RegCloseKey,wsprintfA,lstrlenA,RegSetValueExA,RegCloseKey,LocalFree,5_2_0100198B
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe | Code function: 6_2_0055F471 mov eax, dword ptr fs:[00000030h] 6_2_0055F471
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe | Code function: 6_2_0055F4B5 mov eax, dword ptr fs:[00000030h] 6_2_0055F4B5
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe | Code function: 6_2_00556384 mov eax, dword ptr fs:[00000030h] 6_2_00556384
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe | Code function: 6_2_0054E26C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_0054E26C
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe | Code function: 6_2_00495EE4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_00495EE4
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Code function: 2_2_0062EBF4 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,2_2_0062EBF4
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Code function: 2_2_005A502C InitializeSecurityDescriptor,SetSecurityDescriptorDacl,2_2_005A502C
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Code function: 2_2_005A41D0 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,2_2_005A41D0
Source: C:\Users\user\Desktop\spjYwLgrAT.exe | Code function: 0_2_00405AC0 cpuid 0_2_00405AC0
Source: C:\Users\user\Desktop\spjYwLgrAT.exe | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,0_2_0040B3B8
Source: C:\Users\user\Desktop\spjYwLgrAT.exe | Code function: GetLocaleInfoW,0_2_0041E154
Source: C:\Users\user\Desktop\spjYwLgrAT.exe | Code function: GetLocaleInfoW,0_2_0041E1A0
Source: C:\Users\user\Desktop\spjYwLgrAT.exe | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0040A840
Source: C:\Users\user\Desktop\spjYwLgrAT.exe | Code function: GetLocaleInfoW,0_2_004A0F2C
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Code function: GetUserDefaultUILanguage,GetLocaleInfoW,2_2_0040CD4C
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_0040C1D4
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Code function: GetLocaleInfoW,2_2_005ED8D0
Source: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | Code function: 2_2_0060C184 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,2_2_0060C184
Source: C:\Users\user\Desktop\spjYwLgrAT.exe | Code function: 0_2_0041C4F8 GetLocalTime,0_2_0041C4F8
Source: C:\Users\user\Desktop\spjYwLgrAT.exe | Code function: 0_2_004A7114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,0_2_004A7114
Source: C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter 2 | Path Interception | Exploitation for Privilege Escalation 1 | Masquerading 2 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Access Token Manipulation 1 | Access Token Manipulation 1 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 2 | Process Injection 2 | Security Account Manager | Security Software Discovery 121 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information 1 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 2 | Cached Domain Credentials | System Owner/User Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 26 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
spjYwLgrAT.exe | 9% | Metadefender |
spjYwLgrAT.exe | 24% | ReversingLabs | Win32.Trojan.Bomitag

Dropped Files

Source | Detection | Scanner | Label
C:\Program Files (x86)\COMP Software\C_Synchredible\is-8QN4V.tmp | 100% | Joe Sandbox ML |
C:\Program Files (x86)\COMP Software\C_Synchredible\is-4VO1P.tmp | 0% | Metadefender |
C:\Program Files (x86)\COMP Software\C_Synchredible\is-4VO1P.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\COMP Software\C_Synchredible\is-8QN4V.tmp | 41% | ReversingLabs | Win32.Trojan.Tnega
C:\Program Files (x86)\COMP Software\C_Synchredible\is-A9EG2.tmp | 0% | Metadefender |
C:\Program Files (x86)\COMP Software\C_Synchredible\is-A9EG2.tmp | 2% | ReversingLabs |
C:\Program Files (x86)\COMP Software\C_Synchredible\is-BJJUE.tmp | 3% | Metadefender |
C:\Program Files (x86)\COMP Software\C_Synchredible\is-BJJUE.tmp | 11% | ReversingLabs |
C:\Program Files (x86)\COMP Software\C_Synchredible\is-HE97M.tmp | 0% | Metadefender |
C:\Program Files (x86)\COMP Software\C_Synchredible\is-HE97M.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\COMP Software\C_Synchredible\is-ML68I.tmp | 0% | Metadefender |
C:\Program Files (x86)\COMP Software\C_Synchredible\is-ML68I.tmp | 0% | ReversingLabs |
C:\Program Files (x86)\COMP Software\C_Synchredible\is-S2O44.tmp | 3% | Metadefender |
C:\Program Files (x86)\COMP Software\C_Synchredible\is-S2O44.tmp | 2% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp | 4% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\is-OJHIB.tmp\_isetup\_iscrypt.dll | 3% | Metadefender |
C:\Users\user\AppData\Local\Temp\is-OJHIB.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs |

Unpacked PE Files

Source | Detection | Scanner | Label
6.2.synchredible.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1108447

Domains

Source | Detection | Scanner | Label
nikolakigreate.xyz | 5% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://www.innosetup.com/ | 0% | URL Reputation | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe
http://www.c_synchredible.comA | 0% | Avira URL Cloud | safe
https://www.ascompsoftware.com | 0% | Virustotal |
https://www.ascompsoftware.com | 0% | Avira URL Cloud | safe
http://www.c_synchredible.com | 0% | Avira URL Cloud | safe
http://www.remobjects.com/ps | 0% | URL Reputation | safe
http://ocsp.digicert.co | 0% | Avira URL Cloud | safe
http://www.c_synchredible.com:http://www.c_synchredible.com:http://www.c_synchredible.com | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
nikolakigreate.xyz | 172.67.197.238 | true | true |  | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.innosetup.com/ | spjYwLgrAT.exe, 00000000.00000003.654466854.00000000025E0000.00000004.00000001.sdmp, spjYwLgrAT.tmp, spjYwLgrAT.tmp, 00000002.00000000.656872790.0000000000401000.00000020.00020000.sdmp, spjYwLgrAT.tmp.0.dr | false | URL Reputation: safe | unknown
http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG | is-ML68I.tmp.2.dr | false |  | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | is-S2O44.tmp.2.dr | false |  | high
http://www.openssl.org/V | is-4VO1P.tmp.2.dr | false |  | high
https://test.com/ | synchredible.exe | false |  | high
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU | spjYwLgrAT.exe | false |  | high
http://ocsp.thawte.com0 | is-S2O44.tmp.2.dr | false | URL Reputation: safe | unknown
https://test.com/session.restore_on_startupsession.startup_urlssuper_mac | synchredible.exe, 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp | false |  | high
http://www.c_synchredible.comA | spjYwLgrAT.exe, 00000000.00000003.727908542.00000000023B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.ascompsoftware.com | spjYwLgrAT.tmp, 00000002.00000002.722165499.0000000003590000.00000004.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline | spjYwLgrAT.exe | false |  | high
http://www.c_synchredible.com | spjYwLgrAT.exe, 00000000.00000003.727908542.00000000023B1000.00000004.00000001.sdmp, spjYwLgrAT.tmp, 00000002.00000002.720003051.0000000002671000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.remobjects.com/ps | spjYwLgrAT.exe, 00000000.00000003.654466854.00000000025E0000.00000004.00000001.sdmp, spjYwLgrAT.tmp, spjYwLgrAT.tmp.0.dr | false | URL Reputation: safe | unknown
https://www.ascomp.de/ | spjYwLgrAT.exe, 00000000.00000003.727779680.0000000002322000.00000004.00000001.sdmp, spjYwLgrAT.tmp, 00000002.00000002.719431473.0000000002593000.00000004.00000001.sdmp, spjYwLgrAT.tmp, 00000002.00000002.722165499.0000000003590000.00000004.00000001.sdmp | false |  | high
http://ocsp.digicert.co | synchredible.exe, 00000006.00000002.709627161.0000000001654000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.c_synchredible.com:http://www.c_synchredible.com:http://www.c_synchredible.com | spjYwLgrAT.exe, 00000000.00000003.654112081.00000000025E0000.00000004.00000001.sdmp, spjYwLgrAT.tmp, 00000002.00000003.657694916.0000000003490000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.openssl.org/support/faq.html | synchredible.exe, synchredible.exe, 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, is-ML68I.tmp.2.dr | false |  | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.21.100 | unknown | United States | 13335 | CLOUDFLARENETUS | false
172.67.197.238 | nikolakigreate.xyz | United States | 13335 | CLOUDFLARENETUS | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 391243
Start date: 18.04.2021
Start time: 09:38:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 47s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: spjYwLgrAT.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.troj.evad.winEXE@8/18@3/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 15.5% (good quality ratio 14.7%)
• Quality average: 78.1%
• Quality standard deviation: 27.1%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Sleeps bigger than 120000ms are automatically reduced to 1000ms
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.255.188.83, 23.218.209.198, 92.122.145.220, 104.42.151.234, 104.43.193.48, 20.50.102.62, 92.122.213.194, 92.122.213.247, 8.248.119.254, 8.253.207.121, 67.26.83.254, 67.27.157.126, 8.248.131.254, 52.155.217.156, 20.54.26.129, 20.82.210.154
• Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
104.21.21.100 | spjYwLgrAT.exe | malicious

Domains

No context

ASN

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
fd80fa9c6120cdeea8520510f3c644ac | spjYwLgrAT.exe | malicious | 104.21.21.100, 172.67.197.238
fd80fa9c6120cdeea8520510f3c644ac | egGgMixHNS.exe | malicious | 104.21.21.100, 172.67.197.238
fd80fa9c6120cdeea8520510f3c644ac | egGgMixHNS.exe | malicious | 104.21.21.100, 172.67.197.238
fd80fa9c6120cdeea8520510f3c644ac | 5KYnVcv9cf.exe | malicious | 104.21.21.100, 172.67.197.238
fd80fa9c6120cdeea8520510f3c644ac | 5KYnVcv9cf.exe | malicious | 104.21.21.100, 172.67.197.238
fd80fa9c6120cdeea8520510f3c644ac | pjjaluln.exe | malicious | 104.21.21.100, 172.67.197.238
fd80fa9c6120cdeea8520510f3c644ac | KMSPico 11.1.2.exe | malicious | 104.21.21.100, 172.67.197.238

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Program Files (x86)\COMP Software\C_Synchredible\is-4VO1P.tmp | spjYwLgrAT.exe | malicious
C:\Program Files (x86)\COMP Software\C_Synchredible\is-8QN4V.tmp | spjYwLgrAT.exe | malicious
C:\Program Files (x86)\COMP Software\C_Synchredible\is-A9EG2.tmp | spjYwLgrAT.exe | malicious
C:\Program Files (x86)\COMP Software\C_Synchredible\is-56MJT.tmp | spjYwLgrAT.exe | malicious

Created / dropped Files

C:\Program Files (x86)\COMP Software\C_Synchredible\is-0F2JK.tmp
Process: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp
File Type: XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category: dropped
Size (bytes): 2858
Entropy (8bit): 3.6083486579223845
Encrypted: false
SSDEEP: 48:yei1q97CE2+rAnknj9V9Lvara+iaiudupRCRfMufAuRa7T5XXPsV8i0Ck+++:t7MnkntGdiaigVMll7dXFz+
MD5: EC2FB2F8B94E5E9A96EAC375A7AEF4D4
SHA1: 5A19A52936082A767598F1548B57A813E04A6D80
SHA-256: 71224A07FF298650D5A5D8E8237B111397BF928135EA5D19CD15BF5DAAF55947
SHA-512: 089487C30FD572A5788B18BBC032F1779478C82CD7002AD99B4B22ED719E5E0029AB7A27CCB1EC8E145DAFA03D1D819F05081853E2AA19FE148C26165A3B4CB2
Malicious: false
Reputation: low

C:\Program Files (x86)\COMP Software\C_Synchredible\is-4VO1P.tmp
Process: C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 302592
Entropy (8bit): 6.538634574910777
Encrypted: false
SSDEEP: 6144:lC1jhG6D2ah2oabpqW5Nf348FdOHyJCij3NIO08xZMQlAKrvc1CHzpRubDaoD3xD:lC1g6D2aUoabpqWr34JHyJCirNIO0eZU
MD5: ED6C5A5C6EB983E3BB5F221AA4140C38
SHA1: 3CE93624FC3D0F39D62081337676421D3AD89F5B
SHA-256: 55C95CB23EAE2483363A7E82DDDE0F5CE62034444A67EED22DD0009C00B69C3B
SHA-512: 99254D0345B99FB25E8E7CFAC3E6B295A2A384005F623449CEB4E6371B92647D27BE8F534E2186BCD81E3574CA4DCCB923BA5F9AC154D7A73844ECC674C963FB
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: spjYwLgrAT.exe, Detection: malicious
Reputation: low
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........=...S...S...S..}(..S......S......S......S...R.I.S.....[.S.......S.......S.......S.Rich..S.........PE..L......M...........!.....z...<.......................................................4..............................P'..p.......<.......8........................'..@...................................@............................................text....x.......z.................. ..`.rdata...............~..............@..@.data....P...P...6...4..............@....rsrc...8............j..............@..@.reloc...-...........p..............@..B................................................................................................................................................................................................................................................................................................................................
                              C:\Program Files (x86)\COMP Software\C_Synchredible\is-56MJT.tmp
                              Process:C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):2553685
                              Entropy (8bit):6.365458007111244
                              Encrypted:false
                              SSDEEP:49152:5fFRLtC2Y0SUQYZ4oVrbFoWmBOns67BOYP:5tRLtHVr9mBz6P
                              MD5:004698AA232747AE4C4C5DD5A98EAF36
                              SHA1:D989E833EE6306A563A4047D71F05E3D6AE6056C
                              SHA-256:50B906BE209D83A3D1A8131FEC841E8F20801B853F1FF7FEE44F4B3DDD695E8C
                              SHA-512:C9681A8EFFCB2458DAF3E520EB59D2F6FF7CEE3DDDBC9D9B8B632CD6D5D432761A3E290D7502DFA4433D5E910C10761611F909A24861E5E96DF8E28715302575
                              Malicious:false
                              Joe Sandbox View:
                              • Filename: spjYwLgrAT.exe, Detection: malicious
                              Reputation:low
                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...=.a\..................$...........$.......$...@...........................'...........@......@....................&.......%..5...0&..D................................................... &.....................D.%.@.....%......................text...P.$.......$................. ..`.itext...&....$..(....$............. ..`.data...$Z....$..\....$.............@....bss.....q...0%..........................idata...5....%..6....%.............@....didata.......%......L%.............@....edata........&......V%.............@..@.tls....D.....&..........................rdata..].... &......X%.............@..@.rsrc....D...0&..D...Z%.............@..@..............'.......&.............@..@........................................................
                              C:\Program Files (x86)\COMP Software\C_Synchredible\is-8QN4V.tmp
                              Process:C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):2314240
                              Entropy (8bit):7.71167692759723
                              Encrypted:false
                              SSDEEP:49152:XKVe2ImrMbqawzF3aIZloPE6N0mH24Jgdlx48DuTl0jwEpz:XKPlYG9jZlostOTqjNz
                              MD5:3D53CAC88565DAB574DC062A2854557B
                              SHA1:D0FB982AEF8D6927BD464D3EBB8A5B6504E6BE88
                              SHA-256:3A1222B61C66674B1135225F0174CA6D51F1AB3F18662790F3AD32D47D9B9537
                              SHA-512:6F3C70401D98BC54C2E2EADD2079BC0B0B1B9C3B01475CFAE3278A46B550DFEB7EC8169ACF3841BDAE608EB641F85F3A7AE0770E86E227B6BF8BBAFB367CEAAF
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 41%
                              Joe Sandbox View:
                              • Filename: spjYwLgrAT.exe, Detection: malicious
                              Reputation:low
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........S..S..S..S..V..HF*.Q.....Q..<.._..<..Q..1..A..S........P..e...R.....R..RichS..........................PE..L.....s`.................0...........:.......@....@..................................7$.....................................dD..............................................................@D.......................@.. ............................text...^,.......0.................. ..`.rdata.......@... ...@..............@..@.data........`.......`..............@....tls......... .......p..............@....resp...`....0......................`..`.rsrc................@!.............@..@................................................................................................................................................................................................................................................................
                              C:\Program Files (x86)\COMP Software\C_Synchredible\is-A9EG2.tmp
                              Process:C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):332288
                              Entropy (8bit):6.447734819577227
                              Encrypted:false
                              SSDEEP:6144:F8B6FR5tLpIramDnfqBG/fApQTw4fPE+qBZr:SWR5xpMamTfq4/fAKlPEfPr
                              MD5:050BFAAF4F2E1E6F5762495EB8865E01
                              SHA1:B190CF4015B34687FD317BE02EB3DF18E92DB5AB
                              SHA-256:31BE5164DFDD42884C4DE0C04A2569FE9B0DB37262583D77120B2129F221B451
                              SHA-512:BE58AEACA08CB61564BB82E4C594B87A0CDE4BA8DCA3C09474D00C04C35FB4FFAF632458F7DEB1FDAF1240C7E8BCF5CAA87E575AAA151E3BF223C8A928E3BCC7
                              Malicious:false
                              Antivirus:
                              • Antivirus: Metadefender, Detection: 0%
                              • Antivirus: ReversingLabs, Detection: 2%
                              Joe Sandbox View:
                              • Filename: spjYwLgrAT.exe, Detection: malicious
                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....)T.................h..........|w............@..............................................@..............................2........"...................0...[........................... ......................$...H............................text...x\.......^.................. ..`.itext.......p.......b.............. ..`.data................l..............@....bss.....O...............................idata..2...........................@....didata.............................@....tls.....................................rdata....... ......................@..@.reloc...[...0...\..................@..B.rsrc...."......."..................@..@....................................@..@........................................................
                              C:\Program Files (x86)\COMP Software\C_Synchredible\is-BJJUE.tmp
                              Process:C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
                              Category:dropped
                              Size (bytes):4057200
                              Entropy (8bit):7.994581661173249
                              Encrypted:true
                              SSDEEP:98304:XVkSehP279p9AYebUpyfIcsaFLWrEW+nX9NqwX+a8geP8KCh/HY2:KSepaLAfU0IcsaFLWOCu8PJOQ2
                              MD5:F59090E9A8070D7FBBDCC8895D2169A3
                              SHA1:370E62290CAC6A6C7AA13442741CAF6671437A54
                              SHA-256:A6B53074CB4A3F9885F6E7D52C9E893B44CF4965000D899B2BF21508AC320023
                              SHA-512:45B9D9BD43B67C39B35A0F4007A2800847E65DA8F818BEF4B2F5858D95235FCA34708AB9B774324BC7E1EB9519CE5D2F4634034F7987C17E788D017F2FDF7D5A
                              Malicious:true
                              Antivirus:
                              • Antivirus: Metadefender, Detection: 3%
                              • Antivirus: ReversingLabs, Detection: 11%
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......->..i_.i_.i_..|.d_.i_.._..|..h_..|.q_..|.h_.Richi_.........PE..L... .};.....................B=.....^Z........................................>.........................................................$==...........=.p............................................................................................text............................... ..`.data...............................@....rsrc....@=......>=.................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              C:\Program Files (x86)\COMP Software\C_Synchredible\is-C5450.tmp
                              Process:C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp
                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
                              Category:dropped
                              Size (bytes):3368
                              Entropy (8bit):3.639048894377841
                              Encrypted:false
                              SSDEEP:48:yei1q97GiWE2QnMfkab9CAnknu9V9OAMufAuRJvara+iniudupRCRh7T5XHPsV8i:tLnMfpVnknbAMlQGdinigb7dHFT4/
                              MD5:F89A807CD82F4D5853BE69A51631DFBA
                              SHA1:91C49A1460C4146F43BD8E856443CD5DFA25DBA3
                              SHA-256:E82D398E37AB44246911C6879D2CE0AE56A133EC06D8CCF1B65E13973591E42E
                              SHA-512:71541C030974BD6100E61B2CD51A73C04E31E507DB03C55418B4FF3093D0E6AEF1A5DAB54F777A518B2A625E6740D679A52D8E34298EB71202603E12B152226C
                              Malicious:false
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">..  <RegistrationInfo>..    <Date>2007-02-08T12:33:37.7037136</Date>..    <Author>COMPUTERNAME\USERNAME</Author>..  </RegistrationInfo>..  <Triggers>..    <LogonTrigger id="80077e30-495a-4152-b85f-211479119053">..      <Enabled>true</Enabled>...  <UserId>COMPUTERNAME\USERNAME</UserId>..    </LogonTrigger>..  </Triggers>..  <Principals>..    <Principal id="Author">...  <User
                              C:\Program Files (x86)\COMP Software\C_Synchredible\is-HE97M.tmp
                              Process:C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):645592
                              Entropy (8bit):6.50414583238337
                              Encrypted:false
                              SSDEEP:12288:i0zrcH2F3OfwjtWvuFEmhx0Cj37670jwX+E7tFKm0qTYh:iJUOfwh8u9hx0D70NE7tFTYh
                              MD5:E477A96C8F2B18D6B5C27BDE49C990BF
                              SHA1:E980C9BF41330D1E5BD04556DB4646A0210F7409
                              SHA-256:16574F51785B0E2FC29C2C61477EB47BB39F714829999511DC8952B43AB17660
                              SHA-512:335A86268E7C0E568B1C30981EC644E6CD332E66F96D2551B58A82515316693C1859D87B4F4B7310CF1AC386CEE671580FDD999C3BCB23ACF2C2282C01C8798C
                              Malicious:false
                              Antivirus:
                              • Antivirus: Metadefender, Detection: 0%
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=S.v..?......!................X..............`......................... ......8......... .................................L................................'......................................................p............................text...............................`.0`.data...............................@.@..rdata..$...........................@.@@.bss..................................@..edata..............................@.0@.idata..L...........................@.0..CRT................................@.0..tls.... ...........................@.0..reloc...'.......(..................@.0B/4......`....0......................@.@B/19..........@......................@..B/35.....M....P......................@..B/51.....`C...`...D..................@..B/63..................8..............@..B/77..................F..............@..B/89..................R..
                              C:\Program Files (x86)\COMP Software\C_Synchredible\is-ML68I.tmp
                              Process:C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp
                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):1197568
                              Entropy (8bit):6.8187850212650964
                              Encrypted:false
                              SSDEEP:24576:1K/T+jm+KpP/GDVxxnnxCJszyZ+u+hSRcCpN0VBpVrJwOJk2M:1Sc/zyZ+u4SRLgVBpVrJwOJk2M
                              MD5:B48547C727AD1DA641ED11E28BED4BC9
                              SHA1:C8EECE2BBE69BDFB64E71ED86D6E7C4F351B79C8
                              SHA-256:2EDBCED0BBAB3109E50A62EE45F129D26C80C2A57F1E0CF92C45B616C27B2AD6
                              SHA-512:1CCC6A4379CD19814E93A829087A2C7239946C23E20A1642C5BB268E22074AEA4A0DBBBFC8A62D033E92135F91B48A7C8623C1CAFEF2B5358956480C7FD98A88
                              Malicious:false
                              Antivirus:
                              • Antivirus: Metadefender, Detection: 0%
                              • Antivirus: ReversingLabs, Detection: 0%
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..N..x...x...x.....>.x.......x...y...x.5@....x...x...x.......x.......x.......x.......x.Rich..x.........................PE..L......M...........!.....B...@......#l.......`..................................................................................x.......8..........................pb..............................(...@............`..4............................text...4A.......B.................. ..`.rdata.......`.......F..............@..@.data...D....`...`...:..............@....rsrc...8...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................
                              C:\Program Files (x86)\COMP Software\C_Synchredible\is-S2O44.tmp
                              Process:C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):488232
                              Entropy (8bit):6.563881513842818
                              Encrypted:false
                              SSDEEP:12288:FXyuXXpRQ3b6J0l+7GZt4vIgkw2GL8U4/DMiOxxBnIWx2DN6Wd3GAbYW:UM236O+76ewgkw2GL8U4/DMiOxxBnIWp
                              MD5:59FC8060DCACD51C399F834BC15B654C
                              SHA1:A9DFACDFCFA3D14913B6A33356747C49BB23CE04
                              SHA-256:6E0EBDEEA8A567875591C5BC2BD61F6AF441938819FDB85B2165F30F1EC30168
                              SHA-512:590A4A0C6CA9B5951C64C0C2D2408EE7F9B6727D6E185E0CD885F340743B9489D6138B14FC640D8CF6BC3C4EC9C6040D7CF072A799EA2BA6A786CF010ADE185F
                              Malicious:false
                              Antivirus:
                              • Antivirus: Metadefender, Detection: 3%
                              • Antivirus: ReversingLabs, Detection: 2%
                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...B..T.................J...........W.......p....@..............................................@..............................|........0...........>..(5...@..P............................0......................x...t............................text....2.......4.................. ..`.itext.......P.......8.............. ..`.data...T....p.......N..............@....bss.....P...........j...................idata..|............j..............@....didata..............|..............@....tls......... .......~...................rdata.......0.......~..............@..@.reloc..P....@......................@..B.rsrc....0.......0..................@..@.....................>..............@..@........................................................
                              C:\Program Files (x86)\COMP Software\C_Synchredible\unins000.dat
                              Process:C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp
                              File Type:data
                              Category:dropped
                              Size (bytes):6845
                              Entropy (8bit):3.7502928630025965
                              Encrypted:false
                              SSDEEP:96:WEa1oWyWUvdk5Ea4biZzQCdfc1AGlE1jKjJaHhuJOcZX:q1oWTSd2Ea4mXf7fN2IHAl
                              MD5:F0731ECA8CCFB563810F76D5804BF891
                              SHA1:E452B7F32A169238DC7EE575BE51D65047A29E5C
                              SHA-256:BD2C09F6CAC39AC70490FC2647354DACC64949B1641F18F4D54F423CE8B99080
                              SHA-512:556F2082B644ECA6E51E769568542AA7C9D37FB56BB62E6A89562D8EE941A8A2D6C3C932FADA9EFF6F15C328009A35655EDB071FC36F018AB2EC7DA8874A9027
                              Malicious:false
                              Preview: .........................................................................................................................................................................................................................................................................................................................................................................................................................................................................t................7.1.5.5.7.5......j.o.n.e.s......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.C.O.M.P. .S.o.f.t.w.a.r.e.\.C._.S.y.n.c.h.r.e.d.i.b.l.e................'.4.f.. ..........x...IFPS....#........................................................................................................ANYMETHOD.....................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TMAINFORM....TMAINFORM.........TUNINSTALLPROGRESSFORM....TUNINSTALLPROGRESSFORM.........TMSGBOXTYPE........
                              C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_synchredible.exe_53d2188fca887c3eee495e21245c332aedb7ec3_bc6977f1_05b13d68\Report.wer
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):14816
                              Entropy (8bit):3.7680868539361296
                              Encrypted:false
                              SSDEEP:192:NXe7BAUvEGhHRPhXXt3jXAZFziRd/u7sBS274ItoaHBC:lS7vRZX9jV7/u7sBX4ItVhC
                              MD5:37F75C03BE6EE258759046D981B70B64
                              SHA1:2311BD12F3A0CA989A3AF5C82866A3BCB999D392
                              SHA-256:62676FEE71CC56C211F950186A267CACB217B280A7940842EC8232984641039F
                              SHA-512:3930CCCF5F68F6AEBC32800CD4C8A598A07ADAB3431AA3C86D27966133C9A86702149ED2C04F6CEA83E42F851ABD4ACD0C440AFCEF2491BA67783B2E0AD79EE8
                              Malicious:false
                              Preview: Version=1..EventType=BEX..EventTime=132632052039991139..ReportType=2..Consent=1..UploadTime=132632052107959674..ReportStatus=268435456..ReportIdentifier=4d0208a6-be61-4629-af60-bd4c9b63412e..IntegratorReportIdentifier=75a920fa-caf8-4f54-95f8-0870a6a9ccab..Wow64Host=34404..Wow64Guest=332..NsAppName=synchredible.exe..OriginalFilename=ADRhelper.exe..AppSessionGuid=00001be4-0001-001b-17d0-58072634d701..TargetAppId=W:0006fa6561fabeaa81de86e6f77a5e1969c100000904!0000d0fb982aef8d6927bd464d3ebb8a5b6504
                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CFF.tmp.dmp
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:Mini DuMP crash report, 15 streams, Sun Apr 18 07:40:06 2021, 0x1205a4 type
                              Category:dropped
                              Size (bytes):66532
                              Entropy (8bit):2.1172238331453346
                              Encrypted:false
                              SSDEEP:192:0M/167RNcqn/XXW8D5xLl/n6qMlISr4dUZOgg9MTKYpVaj+qj8qbuWY8kAei3OO0:r6VW4LR6qorpKVYpVe8qa9UjlW
                              MD5:D9564198780994BB3AF0C25F1FFD5B98
                              SHA1:1BC6BEA105BE3D038CE3A45E03F32CA76C9A8C5C
                              SHA-256:41AFCCD071B7A3D97C0D865B0D7D5A4AAC05AA4694C54A3096CCCBE1A494BF49
                              SHA-512:AF18FA59D1A53F457CCDAD67F1E69B9A88D76B0343D83716091A8501AF13B811DDC55AB5C08522C6CB43BE3A1B361A29AAB254D38AC8920416F32250C508E17F
                              Malicious:false
                              Preview: MDMP....... .......V.{`...................U...........B......H(......GenuineIntelW...........T...........L.{`.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER2915.tmp.WERInternalMetadata.xml
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8410
                              Entropy (8bit):3.690516687599477
                              Encrypted:false
                              SSDEEP:192:Rrl7r3GLNi2Cjx606YdR6aXgmf6qzSqv+pDX89bUblsfb6jm:RrlsNipx606Yb6qgmfrSwUb+fO6
                              MD5:BF87521515F936DA392DF19CE50DC5EE
                              SHA1:8BCCA75567B0B1E1FDC040B48DCD28BE89DAE621
                              SHA-256:BFDAA453DA318851D80493144F0CFC8B5C8F4658C546D97998D68E8658F955AA
                              SHA-512:B520A851C019AA30D544529B31E19CE9237069436F94C5C3491A9125539D39889EE99C3E5C4160B2BC35CDD0FC18FCE1BF012874AC8DA52D8B2135D74087D6CD
                              Malicious:false
                              Preview: <?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>...<OSVersionInformation>....<WindowsNTVersion>10.0</WindowsNTVersion>....<Build>17134</Build>....<Product>(0x30): Windows 10 Pro</Product>....<Edition>Professional</Edition>....<BuildString>17134.1.amd64fre.rs4_release.180410-1804</BuildString>....<Revision>1</Revision>....<Flavor>Multiprocessor Free</Flavor>....<Architecture>X64</Architecture>....<LCID>1033</LCID>...</OSVersionInformation>...<ProcessInformation>....<Pid>7140</Pid>...
                              C:\ProgramData\Microsoft\Windows\WER\Temp\WER2B68.tmp.xml
                              Process:C:\Windows\SysWOW64\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4769
                              Entropy (8bit):4.4498752265871095
                              Encrypted:false
                              SSDEEP:48:cvIwSD8zs8JgtWI9o2WSC8B48fm8M4JfRHFW+q8vERu5NPcA5d:uITf6LXSNPJWKj5FcA5d
                              MD5:4584DB24797DAF41A139FFC3C4B0E471
                              SHA1:28629372A53BC3097C589A81CA54FA8F72D99433
                              SHA-256:BFE5D5687045AB35AE2E586FA67588550029836430626B36FE6AF608D016C17F
                              SHA-512:11802793AB6B8BE0BCD5B862AB26C41EEB91667C44831449C5FC1D67156DC7BA86A6E84EA0A8BD8A7470910247BC5178667A801ACCDBF6FFB0C37243AC4B8AFC
                              Malicious:false
                              Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="951410" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                              C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp
                              Process:C:\Users\user\Desktop\spjYwLgrAT.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):2530816
                              Entropy (8bit):6.381531490700525
                              Encrypted:false
                              SSDEEP:49152:5fFRLtC2Y0SUQYZ4oVrbFoWmBOns67BOY:5tRLtHVr9mBz6
                              MD5:CB77AA222F1B8AB878BA0F86A08C361B
                              SHA1:5A697A822E85E62905414C71FC422AF16591681B
                              SHA-256:1EBB22423595F9F85C168E651036B420FD4C3B895AF0D892DF458A5001D2A719
                              SHA-512:D3E02593A783C1D0721F13BF4A05CDDF89DAAF70CC0433D33895DA34F384C3E72C67EF3188887CBDE091766F010EEEB245B4762189C47F1B046F4A3A321B776C
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 4%
                              Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...=.a\..................$...........$.......$...@...........................'...........@......@....................&.......%..5...0&..D................................................... &.....................D.%.@.....%......................text...P.$.......$................. ..`.itext...&....$..(....$............. ..`.data...$Z....$..\....$.............@....bss.....q...0%..........................idata...5....%..6....%.............@....didata.......%......L%.............@....edata........&......V%.............@..@.tls....D.....&..........................rdata..].... &......X%.............@..@.rsrc....D...0&..D...Z%.............@..@..............'.......&.............@..@........................................................
                              C:\Users\user\AppData\Local\Temp\is-OJHIB.tmp\_isetup\_iscrypt.dll
                              Process:C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):2560
                              Entropy (8bit):2.8818118453929262
                              Encrypted:false
                              SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                              MD5:A69559718AB506675E907FE49DEB71E9
                              SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                              SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                              SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                              Malicious:false
                              Antivirus:
                              • Antivirus: Metadefender, Detection: 3%, Browse
                              • Antivirus: ReversingLabs, Detection: 0%
                              C:\Users\user\AppData\Local\Temp\is-OJHIB.tmp\_isetup\_setup64.tmp
                              Process:C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp
                              File Type:PE32+ executable (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):6144
                              Entropy (8bit):4.720366600008286
                              Encrypted:false
                              SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                              MD5:E4211D6D009757C078A9FAC7FF4F03D4
                              SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                              SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                              SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                              Malicious:false

                              Static File Info

                              General

                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):7.967538943677971
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 98.04%
                              • Inno Setup installer (109748/4) 1.08%
                              • InstallShield setup (43055/19) 0.42%
                              • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                              File name:spjYwLgrAT.exe
                              File size:8462126
                              MD5:862207538f0dfc88d7854b9ee3d396fd
                              SHA1:9595e11755334331cd7e27785b5c32eb8d9d7a75
                              SHA256:ff5d04582ebc24f95416e178c35178b30db559438b66848afe8038e4028c07ab
                              SHA512:f42b30d475f39f618b7aaf2d912b02c7e6383c2bd4af1dcddfb60ac144a0105151979311debbefa6f30af0f266a04bd8973e18e4c8af0f13e12649163c8ba605
                              SSDEEP:98304:AX4KRSzxAGu4focP1VSFCdSb9wz7qZk+R2brkddlSNnXBL2qV6l7NScoyB+4F3fC:+TAzxArOP1VSEWrs/IUNxC/cy+gXSd/3

                              File Icon

                              Icon Hash:a2a0b496b2caca72

                              Static PE Info

                              General

                              Entrypoint:0x4a7ed0
                              Entrypoint Section:.itext
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
                              DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                              Time Stamp:0x5D61BB12 [Sat Aug 24 22:32:50 2019 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:0
                              File Version Major:6
                              File Version Minor:0
                              Subsystem Version Major:6
                              Subsystem Version Minor:0
                              Import Hash:eb5bc6ff6263b364dfbfb78bdb48ed59

                              Entrypoint Preview

                              Instruction
                              push ebp
                              mov ebp, esp
                              add esp, FFFFFFA4h
                              push ebx
                              push esi
                              push edi
                              xor eax, eax
                              mov dword ptr [ebp-3Ch], eax
                              mov dword ptr [ebp-40h], eax
                              mov dword ptr [ebp-5Ch], eax
                              mov dword ptr [ebp-30h], eax
                              mov dword ptr [ebp-38h], eax
                              mov dword ptr [ebp-34h], eax
                              mov dword ptr [ebp-2Ch], eax
                              mov dword ptr [ebp-28h], eax
                              mov dword ptr [ebp-14h], eax
                              mov eax, 004A2BC0h
                              call 00007F40B8C8337Dh
                              xor eax, eax
                              push ebp
                              push 004A85C2h
                              push dword ptr fs:[eax]
                              mov dword ptr fs:[eax], esp
                              xor edx, edx
                              push ebp
                              push 004A857Eh
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              mov eax, dword ptr [004B0634h]
                              call 00007F40B8D17477h
                              call 00007F40B8D16FCEh
                              lea edx, dword ptr [ebp-14h]
                              xor eax, eax
                              call 00007F40B8C989A8h
                              mov edx, dword ptr [ebp-14h]
                              mov eax, 004B3708h
                              call 00007F40B8C7DC07h
                              push 00000002h
                              push 00000000h
                              push 00000001h
                              mov ecx, dword ptr [004B3708h]
                              mov dl, 01h
                              mov eax, dword ptr [00423698h]
                              call 00007F40B8C99A0Fh
                              mov dword ptr [004B370Ch], eax
                              xor edx, edx
                              push ebp
                              push 004A852Ah
                              push dword ptr fs:[edx]
                              mov dword ptr fs:[edx], esp
                              call 00007F40B8D174FFh
                              mov dword ptr [004B3714h], eax
                              mov eax, dword ptr [004B3714h]
                              cmp dword ptr [eax+0Ch], 01h
                              jne 00007F40B8D1DDBAh
                              mov eax, dword ptr [004B3714h]
                              mov edx, 00000028h
                              call 00007F40B8C9A304h
                              mov edx, dword ptr [004B3714h]

                              Data Directories

                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb6000 | 0x9a | .edata
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb4000 | 0xf1c | .idata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb9000 | 0x4600 | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0xb8000 | 0x18 | .rdata
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0xb42e0 | 0x240 | .idata
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb5000 | 0x1a4 | .didata
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                              Sections

                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x1000 | 0xa50e0 | 0xa5200 | False | 0.356017280942 | data | 6.36825059868 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                              .itext | 0xa7000 | 0x1668 | 0x1800 | False | 0.541178385417 | data | 5.9504888151 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                              .data | 0xa9000 | 0x37a4 | 0x3800 | False | 0.360421316964 | data | 5.02787131831 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                              .bss | 0xad000 | 0x676c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                              .idata | 0xb4000 | 0xf1c | 0x1000 | False | 0.36474609375 | data | 4.79161091586 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                              .didata | 0xb5000 | 0x1a4 | 0x200 | False | 0.345703125 | data | 2.74582255367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                              .edata | 0xb6000 | 0x9a | 0x200 | False | 0.2578125 | data | 1.8810692045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .tls | 0xb7000 | 0x18 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                              .rdata | 0xb8000 | 0x5d | 0x200 | False | 0.189453125 | data | 1.36974376487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .rsrc | 0xb9000 | 0x4600 | 0x4600 | False | 0.322879464286 | data | 4.44454298672 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                              Resources

                              Name | RVA | Size | Type | Language | Country
                              RT_ICON | 0xb94c8 | 0x128 | GLS_BINARY_LSB_FIRST | Dutch | Netherlands
                              RT_ICON | 0xb95f0 | 0x568 | GLS_BINARY_LSB_FIRST | Dutch | Netherlands
                              RT_ICON | 0xb9b58 | 0x2e8 | data | Dutch | Netherlands
                              RT_ICON | 0xb9e40 | 0x8a8 | data | Dutch | Netherlands
                              RT_STRING | 0xba6e8 | 0x360 | data | |
                              RT_STRING | 0xbaa48 | 0x260 | data | |
                              RT_STRING | 0xbaca8 | 0x45c | data | |
                              RT_STRING | 0xbb104 | 0x40c | data | |
                              RT_STRING | 0xbb510 | 0x2d4 | data | |
                              RT_STRING | 0xbb7e4 | 0xb8 | data | |
                              RT_STRING | 0xbb89c | 0x9c | data | |
                              RT_STRING | 0xbb938 | 0x374 | data | |
                              RT_STRING | 0xbbcac | 0x398 | data | |
                              RT_STRING | 0xbc044 | 0x368 | data | |
                              RT_STRING | 0xbc3ac | 0x2a4 | data | |
                              RT_RCDATA | 0xbc650 | 0x10 | data | |
                              RT_RCDATA | 0xbc660 | 0x2c4 | data | |
                              RT_RCDATA | 0xbc924 | 0x2c | data | |
                              RT_GROUP_ICON | 0xbc950 | 0x3e | data | English | United States
                              RT_VERSION | 0xbc990 | 0x584 | data | English | United States
                              RT_MANIFEST | 0xbcf14 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

                              Imports

                              DLL | Import
                              kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                              comctl32.dll | InitCommonControls
                              version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
                              user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                              oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                              netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
                              advapi32.dll | RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

                              Exports

                              Name | Ordinal | Address
                              TMethodImplementationIntercept | 3 | 0x453abc
                              __dbk_fcall_wrapper | 2 | 0x40d3dc
                              dbkFCallWrapperAddr | 1 | 0x4b063c

                              Version Infos

                              Description | Data
                              LegalCopyright |
                              FileVersion | 6.0.0.6
                              CompanyName | COMP Software GmbH
                              Comments | This installation was built with Inno Setup.
                              ProductName | C_Synchredible
                              ProductVersion | 6.0.0.6
                              FileDescription | COMP Software Advanced Disk Recovery
                              OriginalFileName |
                              Translation | 0x0000 0x04b0

                              Possible Origin

                              Language of compilation system | Country where language is spoken
                              Dutch | Netherlands
                              English | United States

                              Network Behavior

                              Snort IDS Alerts

                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                              04/18/21-09:27:14.684665 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                              04/18/21-09:27:14.719692 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 84.17.52.126 | 192.168.2.6
                              04/18/21-09:27:14.721903 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                              04/18/21-09:27:14.759758 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 5.56.20.161 | 192.168.2.6
                              04/18/21-09:27:14.760218 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                              04/18/21-09:27:14.802979 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 81.95.15.57 | 192.168.2.6
                              04/18/21-09:27:14.803575 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                              04/18/21-09:27:14.847207 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 152.195.101.202 | 192.168.2.6
                              04/18/21-09:27:14.850193 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                              04/18/21-09:27:14.892154 | ICMP | 449 | ICMP Time-To-Live Exceeded in Transit | | | 152.195.101.129 | 192.168.2.6
                              04/18/21-09:27:14.892752 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 93.184.221.240
                              04/18/21-09:27:14.935429 | ICMP | 408 | ICMP Echo Reply | | | 93.184.221.240 | 192.168.2.6

                              TCP Packets


                              UDP Packets


                              DNS Queries

                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                              Apr 18, 2021 09:39:59.129729033 CEST | 192.168.2.4 | 8.8.8.8 | 0xaf26 | Standard query (0) | nikolakigreate.xyz | A (IP address) | IN (0x0001)
                              Apr 18, 2021 09:40:00.026508093 CEST | 192.168.2.4 | 8.8.8.8 | 0x9fa2 | Standard query (0) | nikolakigreate.xyz | A (IP address) | IN (0x0001)
                              Apr 18, 2021 09:40:00.579651117 CEST | 192.168.2.4 | 8.8.8.8 | 0x770b | Standard query (0) | nikolakigreate.xyz | A (IP address) | IN (0x0001)

                              DNS Answers

                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                              Apr 18, 2021 09:39:59.194829941 CEST | 8.8.8.8 | 192.168.2.4 | 0xaf26 | No error (0) | nikolakigreate.xyz | | 172.67.197.238 | A (IP address) | IN (0x0001)
                              Apr 18, 2021 09:39:59.194829941 CEST | 8.8.8.8 | 192.168.2.4 | 0xaf26 | No error (0) | nikolakigreate.xyz | | 104.21.21.100 | A (IP address) | IN (0x0001)
                              Apr 18, 2021 09:40:00.083539963 CEST | 8.8.8.8 | 192.168.2.4 | 0x9fa2 | No error (0) | nikolakigreate.xyz | | 172.67.197.238 | A (IP address) | IN (0x0001)
                              Apr 18, 2021 09:40:00.083539963 CEST | 8.8.8.8 | 192.168.2.4 | 0x9fa2 | No error (0) | nikolakigreate.xyz | | 104.21.21.100 | A (IP address) | IN (0x0001)
                              Apr 18, 2021 09:40:00.639839888 CEST | 8.8.8.8 | 192.168.2.4 | 0x770b | No error (0) | nikolakigreate.xyz | | 104.21.21.100 | A (IP address) | IN (0x0001)
                              Apr 18, 2021 09:40:00.639839888 CEST | 8.8.8.8 | 192.168.2.4 | 0x770b | No error (0) | nikolakigreate.xyz | | 172.67.197.238 | A (IP address) | IN (0x0001)

                              HTTPS Packets

                              Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                              Apr 18, 2021 09:40:00.191318035 CEST | 172.67.197.238 | 443 | 192.168.2.4 | 49742 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US; CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US; CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Fri Oct 02 02:00:00 CEST 2020; Mon Jan 27 13:48:08 CET 2020 | Sat Oct 02 14:00:00 CEST 2021; Wed Jan 01 00:59:59 CET 2025 | 771,49200-49196-49192-49188-49172-49162-165-163-161-159-107-106-105-104-57-56-55-54-136-135-134-133-49202-49198-49194-49190-49167-49157-157-61-53-132-49199-49195-49191-49187-49171-49161-164-162-160-158-103-64-63-62-51-50-49-48-154-153-152-151-69-68-67-66-49201-49197-49193-49189-49166-49156-156-60-47-150-65-7-49169-49159-49164-49154-5-4-49170-49160-22-19-16-13-49165-49155-10-255,0-11-10-35-13-15,23-25-28-27-24-26-22-14-13-11-12-9-10,0-1-2 | fd80fa9c6120cdeea8520510f3c644ac
                              Apr 18, 2021 09:40:00.735985041 CEST | 104.21.21.100 | 443 | 192.168.2.4 | 49744 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US; CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US; CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Fri Oct 02 02:00:00 CEST 2020; Mon Jan 27 13:48:08 CET 2020 | Sat Oct 02 14:00:00 CEST 2021; Wed Jan 01 00:59:59 CET 2025 | 771,49200-49196-49192-49188-49172-49162-165-163-161-159-107-106-105-104-57-56-55-54-136-135-134-133-49202-49198-49194-49190-49167-49157-157-61-53-132-49199-49195-49191-49187-49171-49161-164-162-160-158-103-64-63-62-51-50-49-48-154-153-152-151-69-68-67-66-49201-49197-49193-49189-49166-49156-156-60-47-150-65-7-49169-49159-49164-49154-5-4-49170-49160-22-19-16-13-49165-49155-10-255,0-11-10-35-13-15,23-25-28-27-24-26-22-14-13-11-12-9-10,0-1-2 | fd80fa9c6120cdeea8520510f3c644ac


                              System Behavior

                              General

                              Start time:09:39:49
                              Start date:18/04/2021
                              Path:C:\Users\user\Desktop\spjYwLgrAT.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Users\user\Desktop\spjYwLgrAT.exe'
                              Imagebase:0x400000
                              File size:8462126 bytes
                              MD5 hash:862207538F0DFC88D7854B9EE3D396FD
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Reputation:low

                              General

                              Start time:09:39:50
                              Start date:18/04/2021
                              Path:C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp
                              Wow64 process (32bit):true
                              Commandline:'C:\Users\user\AppData\Local\Temp\is-K28GB.tmp\spjYwLgrAT.tmp' /SL5='$1F0260,7711994,721408,C:\Users\user\Desktop\spjYwLgrAT.exe'
                              Imagebase:0x400000
                              File size:2530816 bytes
                              MD5 hash:CB77AA222F1B8AB878BA0F86A08C361B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:Borland Delphi
                              Antivirus matches:
                              • Detection: 4%, ReversingLabs
                              Reputation:low

                              General

                              Start time:09:39:54
                              Start date:18/04/2021
                              Path:C:\Program Files (x86)\COMP Software\C_Synchredible\wmfdist.exe
                              Wow64 process (32bit):true
                              Commandline:'C:\Program Files (x86)\COMP Software\C_Synchredible\wmfdist.exe' /Q:A /R:N
                              Imagebase:0x1000000
                              File size:4057200 bytes
                              MD5 hash:F59090E9A8070D7FBBDCC8895D2169A3
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low

                              General

                              Start time:09:39:57
                              Start date:18/04/2021
                              Path:C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Program Files (x86)\COMP Software\C_Synchredible\synchredible.exe
                              Imagebase:0x400000
                              File size:2314240 bytes
                              MD5 hash:3D53CAC88565DAB574DC062A2854557B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low

                              General

                              Start time:09:40:01
                              Start date:18/04/2021
                              Path:C:\Windows\SysWOW64\WerFault.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7140 -s 1044
                              Imagebase:0xe0000
                              File size:434592 bytes
                              MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high

                              Disassembly

                              Code Analysis


                                Executed Functions

                                C-Code - Quality: 73%
                                			E004A7114(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                				char _v8;
                                				char _v12;
                                				char _v16;
                                				char _v20;
                                				char _v24;
                                				char _v28;
                                				char _v32;
                                				char _v36;
                                				char _v40;
                                				char _v44;
                                				char _v48;
                                				char _v52;
                                				char _v56;
                                				char _v60;
                                				long _t39;
                                				_Unknown_base(*)()* _t42;
                                				_Unknown_base(*)()* _t43;
                                				_Unknown_base(*)()* _t46;
                                				signed int _t51;
                                				void* _t111;
                                				void* _t112;
                                				intOrPtr _t129;
                                				struct HINSTANCE__* _t148;
                                				intOrPtr* _t150;
                                				intOrPtr _t152;
                                				intOrPtr _t153;
                                
                                				_t152 = _t153;
                                				_t112 = 7;
                                				do {
                                					_push(0);
                                					_push(0);
                                					_t112 = _t112 - 1;
                                				} while (_t112 != 0);
                                				_push(_t152);
                                				_push(0x4a7388);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t153;
                                				 *0x4b0664 =  *0x4b0664 - 1;
                                				if( *0x4b0664 >= 0) {
                                					L19:
                                					_pop(_t129);
                                					 *[fs:eax] = _t129;
                                					_push(0x4a738f);
                                					return E00407A54( &_v60, 0xe);
                                				} else {
                                					_t148 = GetModuleHandleW(L"kernel32.dll");
                                					_t39 = GetVersion();
                                					_t111 = 0;
                                					if(_t39 != 0x600) {
                                						_t150 = GetProcAddress(_t148, "SetDefaultDllDirectories");
                                						if(_t150 != 0) {
                                							 *_t150(0x800);
                                							asm("sbb ebx, ebx");
                                							_t111 = 1;
                                						}
                                					}
                                					if(_t111 == 0) {
                                						_t46 = GetProcAddress(_t148, "SetDllDirectoryW");
                                						if(_t46 != 0) {
                                							 *_t46(0x4a73e4);
                                						}
                                						E0040E818( &_v8);
                                						E00407DD4(0x4b0668, _v8);
                                						if( *0x4b0668 != 0) {
                                							_t51 =  *0x4b0668;
                                							if(_t51 != 0) {
                                								_t51 =  *(_t51 - 4);
                                							}
                                							if( *((short*)( *0x4b0668 + _t51 * 2 - 2)) != 0x5c) {
                                								E004086C4(0x4b0668, 0x4a73f4);
                                							}
                                							E0040871C( &_v12, L"uxtheme.dll",  *0x4b0668);
                                							E0040E844(_v12, _t111);
                                							E0040871C( &_v16, L"userenv.dll",  *0x4b0668);
                                							E0040E844(_v16, _t111);
                                							E0040871C( &_v20, L"setupapi.dll",  *0x4b0668);
                                							E0040E844(_v20, _t111);
                                							E0040871C( &_v24, L"apphelp.dll",  *0x4b0668);
                                							E0040E844(_v24, _t111);
                                							E0040871C( &_v28, L"propsys.dll",  *0x4b0668);
                                							E0040E844(_v28, _t111);
                                							E0040871C( &_v32, L"dwmapi.dll",  *0x4b0668);
                                							E0040E844(_v32, _t111);
                                							E0040871C( &_v36, L"cryptbase.dll",  *0x4b0668);
                                							E0040E844(_v36, _t111);
                                							E0040871C( &_v40, L"oleacc.dll",  *0x4b0668);
                                							E0040E844(_v40, _t111);
                                							E0040871C( &_v44, L"version.dll",  *0x4b0668);
                                							E0040E844(_v44, _t111);
                                							E0040871C( &_v48, L"profapi.dll",  *0x4b0668);
                                							E0040E844(_v48, _t111);
                                							E0040871C( &_v52, L"comres.dll",  *0x4b0668);
                                							E0040E844(_v52, _t111);
                                							E0040871C( &_v56, L"clbcatq.dll",  *0x4b0668);
                                							E0040E844(_v56, _t111);
                                							E0040871C( &_v60, L"ntmarta.dll",  *0x4b0668);
                                							E0040E844(_v60, _t111);
                                						}
                                					}
                                					_t42 = GetProcAddress(_t148, "SetSearchPathMode");
                                					if(_t42 != 0) {
                                						 *_t42(0x8001);
                                					}
                                					_t43 = GetProcAddress(_t148, "SetProcessDEPPolicy");
                                					if(_t43 != 0) {
                                						 *_t43(1); // executed
                                					}
                                					goto L19;
                                				}
                                			}






























                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,004A7388,?,?,?,?,00000000,00000000), ref: 004A7146
                                • GetVersion.KERNEL32(kernel32.dll,00000000,004A7388,?,?,?,?,00000000,00000000), ref: 004A714D
                                • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004A7162
                                • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004A7188
                                  • Part of subcall function 0040E844: SetErrorMode.KERNEL32(00008000), ref: 0040E852
                                  • Part of subcall function 0040E844: LoadLibraryW.KERNEL32(00000000,00000000,0040E89C,?,00000000,0040E8BA,?,00008000), ref: 0040E881
                                • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004A734A
                                • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004A7360
                                • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,004A7388,?,?,?,?,00000000,00000000), ref: 004A736B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
                                • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
                                • API String ID: 2248137261-1119018034
                                • Opcode ID: 3cff10d8a37e8f74ee08042b476ec0aeb1e7e16601af9275c0598c71473bbef6
                                • Instruction ID: 02322ebf13ac6853ed14ef268a063699a4793311109b24e8029bbe3fde3c2d54
                                • Opcode Fuzzy Hash: 3cff10d8a37e8f74ee08042b476ec0aeb1e7e16601af9275c0598c71473bbef6
                                • Instruction Fuzzy Hash: 8E516E346441449BDB10FBA6CC82E9E73B5EBD6308B24863BE810772A5DB3CAD55CB5C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E004A1628(void* __eax) {
                                				char _v44;
                                				struct _SYSTEM_INFO _v80;
                                				long _v84;
                                				char _v88;
                                				long _t22;
                                				int _t28;
                                				void* _t37;
                                				struct _MEMORY_BASIC_INFORMATION* _t40;
                                				long _t41;
                                				void** _t42;
                                
                                				_t42 =  &(_v80.dwPageSize);
                                				 *_t42 = __eax;
                                				_t40 =  &_v44;
                                				GetSystemInfo( &_v80); // executed
                                				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
                                				if(_t22 == 0) {
                                					L17:
                                					return _t22;
                                				} else {
                                					while(1) {
                                						_t22 = _t40->AllocationBase;
                                						if(_t22 !=  *_t42) {
                                							goto L17;
                                						}
                                						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
                                							L15:
                                							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
                                							if(_t22 == 0) {
                                								goto L17;
                                							}
                                							continue;
                                						} else {
                                							_v88 = 0;
                                							_t41 = _t40->Protect;
                                							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
                                								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
                                								if(_t28 != 0) {
                                									_v88 = 1;
                                								}
                                							}
                                							_t37 = 0;
                                							while(_t37 < _t40->RegionSize) {
                                								E004A1620(_t40->BaseAddress + _t37);
                                								_t37 = _t37 + _v80.dwPageSize;
                                							}
                                							if(_v88 != 0) {
                                								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
                                							}
                                							goto L15;
                                						}
                                					}
                                					goto L17;
                                				}
                                			}














                                APIs
                                • GetSystemInfo.KERNEL32(?), ref: 004A163B
                                • VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 004A1647
                                • VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 004A1692
                                • VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 004A16CE
                                • VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 004A16DE
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Virtual$ProtectQuery$InfoSystem
                                • String ID:
                                • API String ID: 2441996862-0
                                • Opcode ID: c41229cd2ec1532d9867a82b291047799197d0342f782454b43de5d434eff115
                                • Instruction ID: 60919c76023ff686c2a954c3811b42cabfb3adef72c1aecde8367968bd2a2d77
                                • Opcode Fuzzy Hash: c41229cd2ec1532d9867a82b291047799197d0342f782454b43de5d434eff115
                                • Instruction Fuzzy Hash: 7A217A71504304AFD730EA69C884F6BBBE8AF66354F484C1EF584C3291D339E854CB6A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 73%
                                			E0040B3B8(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
                                				char _v8;
                                				short _v12;
                                				void* _v16;
                                				char _v20;
                                				char _v24;
                                				void* _t29;
                                				void* _t40;
                                				intOrPtr* _t44;
                                				intOrPtr _t55;
                                				void* _t61;
                                
                                				_push(__ebx);
                                				_v24 = 0;
                                				_v20 = 0;
                                				_t44 = __edx;
                                				_v8 = __eax;
                                				E00407AD8(_v8);
                                				_push(_t61);
                                				_push(0x40b478);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t61 + 0xffffffec;
                                				_t21 =  &_v16;
                                				L00403730();
                                				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
                                				E0040856C( &_v20, 4,  &_v16);
                                				E0040871C(_t44, _v20, _v8);
                                				_t29 = E0040B268( *_t44, _t44); // executed
                                				if(_t29 == 0) {
                                					_v12 = 0;
                                					E0040856C( &_v24, 4,  &_v16);
                                					E0040871C(_t44, _v24, _v8);
                                					_t40 = E0040B268( *_t44, _t44); // executed
                                					if(_t40 == 0) {
                                						E004079F4(_t44);
                                					}
                                				}
                                				_pop(_t55);
                                				 *[fs:eax] = _t55;
                                				_push(E0040B47F);
                                				E00407A54( &_v24, 2);
                                				return E004079F4( &_v8);
                                			}

                                APIs
                                • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040B478,?,?), ref: 0040B3EA
                                • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040B478,?,?), ref: 0040B3F3
                                  • Part of subcall function 0040B268: FindFirstFileW.KERNEL32(00000000,?,00000000,0040B2C6,?,?), ref: 0040B29B
                                  • Part of subcall function 0040B268: FindClose.KERNEL32(00000000,00000000,?,00000000,0040B2C6,?,?), ref: 0040B2AB
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                • String ID:
                                • API String ID: 3216391948-0
                                • Opcode ID: 7c11227e8b53d5cf57ab3c00df66d88cc61cce9a5cb76bffb90c21d47624e2da
                                • Instruction ID: 9155c5fd2a6d7a32e17c8bb0479b116e8c2ecdb55d1a06f7ce78c4880fdbda1e
                                • Opcode Fuzzy Hash: 7c11227e8b53d5cf57ab3c00df66d88cc61cce9a5cb76bffb90c21d47624e2da
                                • Instruction Fuzzy Hash: B9117570A041499BDB00EFA5C942AAEB3B8EF44304F50407FB544B72D2DB385F04CA6D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 46%
                                			E0040B268(char __eax, signed int __ebx) {
                                				char _v8;
                                				struct _WIN32_FIND_DATAW _v600;
                                				void* _t15;
                                				intOrPtr _t24;
                                				void* _t27;
                                
                                				_push(__ebx);
                                				_v8 = __eax;
                                				E00407AD8(_v8);
                                				_push(_t27);
                                				_push(0x40b2c6);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t27 + 0xfffffdac;
                                				_t15 = FindFirstFileW(E004084C8(_v8),  &_v600); // executed
                                				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
                                					FindClose(_t15);
                                				}
                                				_pop(_t24);
                                				 *[fs:eax] = _t24;
                                				_push(E0040B2CD);
                                				return E004079F4( &_v8);
                                			}

                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,00000000,0040B2C6,?,?), ref: 0040B29B
                                • FindClose.KERNEL32(00000000,00000000,?,00000000,0040B2C6,?,?), ref: 0040B2AB
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Find$CloseFileFirst
                                • String ID:
                                • API String ID: 2295610775-0
                                • Opcode ID: dcd63df1445c4785f46ad18630efca613813575deacfdb2e7f3fde81f5b7913b
                                • Instruction ID: af97b761f8286923e3e8c7c54c75c770fa091db835a787e0331ac1096eca1aa4
                                • Opcode Fuzzy Hash: dcd63df1445c4785f46ad18630efca613813575deacfdb2e7f3fde81f5b7913b
                                • Instruction Fuzzy Hash: 56F0BE70914248AECB21EB75CC5295EB7ACEB44310BA005BAB804F32D1EB38AF009A5C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 78%
                                			E0040AE8C(char __eax, void* __ebx, void* __ecx, void* __edx) {
                                				char _v8;
                                				char* _v12;
                                				void* _v16;
                                				int _v20;
                                				short _v542;
                                				long _t51;
                                				long _t85;
                                				long _t87;
                                				long _t89;
                                				long _t91;
                                				long _t93;
                                				void* _t97;
                                				intOrPtr _t106;
                                				intOrPtr _t108;
                                				void* _t112;
                                				void* _t113;
                                				intOrPtr _t114;
                                
                                				_t112 = _t113;
                                				_t114 = _t113 + 0xfffffde4;
                                				_t97 = __edx;
                                				_v8 = __eax;
                                				E00407AD8(_v8);
                                				_push(_t112);
                                				_push(0x40b0b1);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t114;
                                				if(_v8 != 0) {
                                					E0040A6C0( &_v542, E004084C8(_v8), 0x105);
                                				} else {
                                					GetModuleFileNameW(0,  &_v542, 0x105);
                                				}
                                				if(_v542 == 0) {
                                					L18:
                                					_pop(_t106);
                                					 *[fs:eax] = _t106;
                                					_push(E0040B0B8);
                                					return E004079F4( &_v8);
                                				} else {
                                					_v12 = 0;
                                					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                                					if(_t51 == 0) {
                                						L10:
                                						_push(_t112);
                                						_push(0x40b094);
                                						_push( *[fs:eax]);
                                						 *[fs:eax] = _t114;
                                						E0040AC9C( &_v542, 0x105);
                                						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
                                							if(RegQueryValueExW(_v16, E0040B1A4, 0, 0, 0,  &_v20) == 0) {
                                								_v12 = E004053F0(_v20);
                                								RegQueryValueExW(_v16, E0040B1A4, 0, 0, _v12,  &_v20);
                                								E00408530(_t97, _v12);
                                							}
                                						} else {
                                							_v12 = E004053F0(_v20);
                                							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
                                							E00408530(_t97, _v12);
                                						}
                                						_pop(_t108);
                                						 *[fs:eax] = _t108;
                                						_push(E0040B09B);
                                						if(_v12 != 0) {
                                							E0040540C(_v12);
                                						}
                                						return RegCloseKey(_v16);
                                					} else {
                                						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                                						if(_t85 == 0) {
                                							goto L10;
                                						} else {
                                							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                                							if(_t87 == 0) {
                                								goto L10;
                                							} else {
                                								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                                								if(_t89 == 0) {
                                									goto L10;
                                								} else {
                                									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
                                									if(_t91 == 0) {
                                										goto L10;
                                									} else {
                                										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
                                										if(_t93 != 0) {
                                											goto L18;
                                										} else {
                                											goto L10;
                                										}
                                									}
                                								}
                                							}
                                						}
                                					}
                                				}
                                			}

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B0B1,?,?), ref: 0040AEC5
                                • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040B0B1,?,?), ref: 0040AF0E
                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040B0B1,?,?), ref: 0040AF30
                                • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040AF4E
                                • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040AF6C
                                • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040AF8A
                                • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040AFA8
                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040B094,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040B0B1), ref: 0040AFE8
                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040B094,?,80000001), ref: 0040B013
                                • RegCloseKey.ADVAPI32(?,0040B09B,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040B094,?,80000001,Software\Embarcadero\Locales), ref: 0040B08E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Open$QueryValue$CloseFileModuleName
                                • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                • API String ID: 2701450724-3496071916
                                • Opcode ID: a7a4f7800a908a23690c429c9108a661baea305ffcb50fe6ed6af284978fef88
                                • Instruction ID: 511bc42bdc18c233ca4c8d7f1893363b3cc50658f2258b81fe6dc99cbd1a726a
                                • Opcode Fuzzy Hash: a7a4f7800a908a23690c429c9108a661baea305ffcb50fe6ed6af284978fef88
                                • Instruction Fuzzy Hash: CE5121B5A50208BEEB10DAA5CC46FAFB7ACDB08704F504077BA14F61C1E7B8AA44865D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 91%
                                			E0040426C(void* __eax, signed int __edi, void* __ebp) {
                                				struct _MEMORY_BASIC_INFORMATION _v44;
                                				void* _v48;
                                				signed int __ebx;
                                				void* _t58;
                                				signed int _t61;
                                				int _t65;
                                				signed int _t67;
                                				void _t70;
                                				int _t71;
                                				signed int _t78;
                                				void* _t79;
                                				signed int _t81;
                                				intOrPtr _t82;
                                				signed int _t87;
                                				signed int _t88;
                                				signed int _t89;
                                				signed int _t92;
                                				void* _t96;
                                				signed int _t99;
                                				void* _t103;
                                				intOrPtr _t104;
                                				void* _t106;
                                				void* _t108;
                                				signed int _t113;
                                				void* _t115;
                                				void* _t116;
                                
                                				_t56 = __eax;
                                				_t89 =  *(__eax - 4);
                                				_t78 =  *0x4ad059; // 0x0
                                				if((_t89 & 0x00000007) != 0) {
                                					__eflags = _t89 & 0x00000005;
                                					if((_t89 & 0x00000005) != 0) {
                                						_pop(_t78);
                                						__eflags = _t89 & 0x00000003;
                                						if((_t89 & 0x00000003) == 0) {
                                							_push(_t78);
                                							_push(__edi);
                                							_t116 = _t115 + 0xffffffdc;
                                							_t103 = __eax - 0x10;
                                							E00403C48();
                                							_t58 = _t103;
                                							 *_t116 =  *_t58;
                                							_v48 =  *((intOrPtr*)(_t58 + 4));
                                							_t92 =  *(_t58 + 0xc);
                                							if((_t92 & 0x00000008) != 0) {
                                								_t79 = _t103;
                                								_t113 = _t92 & 0xfffffff0;
                                								_t99 = 0;
                                								__eflags = 0;
                                								while(1) {
                                									VirtualQuery(_t79,  &_v44, 0x1c);
                                									_t61 = VirtualFree(_t79, 0, 0x8000);
                                									__eflags = _t61;
                                									if(_t61 == 0) {
                                										_t99 = _t99 | 0xffffffff;
                                										goto L10;
                                									}
                                									_t104 = _v44.RegionSize;
                                									__eflags = _t113 - _t104;
                                									if(_t113 > _t104) {
                                										_t113 = _t113 - _t104;
                                										_t79 = _t79 + _t104;
                                										continue;
                                									}
                                									goto L10;
                                								}
                                							} else {
                                								_t65 = VirtualFree(_t103, 0, 0x8000); // executed
                                								if(_t65 == 0) {
                                									_t99 = __edi | 0xffffffff;
                                								} else {
                                									_t99 = 0;
                                								}
                                							}
                                							L10:
                                							if(_t99 == 0) {
                                								 *_v48 =  *_t116;
                                								 *( *_t116 + 4) = _v48;
                                							}
                                							 *0x4afb78 = 0;
                                							return _t99;
                                						} else {
                                							return 0xffffffff;
                                						}
                                					} else {
                                						goto L31;
                                					}
                                				} else {
                                					__eflags = __bl;
                                					__ebx =  *__edx;
                                					if(__eflags != 0) {
                                						while(1) {
                                							__eax = 0x100;
                                							asm("lock cmpxchg [ebx], ah");
                                							if(__eflags == 0) {
                                								goto L14;
                                							}
                                							asm("pause");
                                							__eflags =  *0x4ad989;
                                							if(__eflags != 0) {
                                								continue;
                                							} else {
                                								Sleep(0);
                                								__edx = __edx;
                                								__ecx = __ecx;
                                								__eax = 0x100;
                                								asm("lock cmpxchg [ebx], ah");
                                								if(__eflags != 0) {
                                									Sleep(0xa);
                                									__edx = __edx;
                                									__ecx = __ecx;
                                									continue;
                                								}
                                							}
                                							goto L14;
                                						}
                                					}
                                					L14:
                                					_t14 = __edx + 0x14;
                                					 *_t14 =  *(__edx + 0x14) - 1;
                                					__eflags =  *_t14;
                                					__eax =  *(__edx + 0x10);
                                					if( *_t14 == 0) {
                                						__eflags = __eax;
                                						if(__eax == 0) {
                                							L20:
                                							 *(__ebx + 0x14) = __eax;
                                						} else {
                                							__eax =  *(__edx + 0xc);
                                							__ecx =  *(__edx + 8);
                                							 *(__eax + 8) = __ecx;
                                							 *(__ecx + 0xc) = __eax;
                                							__eax = 0;
                                							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
                                							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
                                								goto L20;
                                							}
                                						}
                                						 *__ebx = __al;
                                						__eax = __edx;
                                						__edx =  *(__edx - 4);
                                						__bl =  *0x4ad059; // 0x0
                                						L31:
                                						__eflags = _t78;
                                						_t81 = _t89 & 0xfffffff0;
                                						_push(_t101);
                                						_t106 = _t56;
                                						if(__eflags != 0) {
                                							while(1) {
                                								_t67 = 0x100;
                                								asm("lock cmpxchg [0x4adae8], ah");
                                								if(__eflags == 0) {
                                									goto L32;
                                								}
                                								asm("pause");
                                								__eflags =  *0x4ad989;
                                								if(__eflags != 0) {
                                									continue;
                                								} else {
                                									Sleep(0);
                                									_t67 = 0x100;
                                									asm("lock cmpxchg [0x4adae8], ah");
                                									if(__eflags != 0) {
                                										Sleep(0xa);
                                										continue;
                                									}
                                								}
                                								goto L32;
                                							}
                                						}
                                						L32:
                                						__eflags = (_t106 - 4)[_t81] & 0x00000001;
                                						_t87 = (_t106 - 4)[_t81];
                                						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
                                							_t67 = _t81 + _t106;
                                							_t88 = _t87 & 0xfffffff0;
                                							_t81 = _t81 + _t88;
                                							__eflags = _t88 - 0xb30;
                                							if(_t88 >= 0xb30) {
                                								_t67 = E00403AC0(_t67);
                                							}
                                						} else {
                                							_t88 = _t87 | 0x00000008;
                                							__eflags = _t88;
                                							(_t106 - 4)[_t81] = _t88;
                                						}
                                						__eflags =  *(_t106 - 4) & 0x00000008;
                                						if(( *(_t106 - 4) & 0x00000008) != 0) {
                                							_t88 =  *(_t106 - 8);
                                							_t106 = _t106 - _t88;
                                							_t81 = _t81 + _t88;
                                							__eflags = _t88 - 0xb30;
                                							if(_t88 >= 0xb30) {
                                								_t67 = E00403AC0(_t106);
                                							}
                                						}
                                						__eflags = _t81 - 0x13ffe0;
                                						if(_t81 == 0x13ffe0) {
                                							__eflags =  *0x4adaf0 - 0x13ffe0;
                                							if( *0x4adaf0 != 0x13ffe0) {
                                								_t82 = _t106 + 0x13ffe0;
                                								E00403B60(_t67);
                                								 *((intOrPtr*)(_t82 - 4)) = 2;
                                								 *0x4adaf0 = 0x13ffe0;
                                								 *0x4adaec = _t82;
                                								 *0x4adae8 = 0;
                                								__eflags = 0;
                                								return 0;
                                							} else {
                                								_t108 = _t106 - 0x10;
                                								_t70 =  *_t108;
                                								_t96 =  *(_t108 + 4);
                                								 *(_t70 + 4) = _t96;
                                								 *_t96 = _t70;
                                								 *0x4adae8 = 0;
                                								_t71 = VirtualFree(_t108, 0, 0x8000);
                                								__eflags = _t71 - 1;
                                								asm("sbb eax, eax");
                                								return _t71;
                                							}
                                						} else {
                                							 *(_t106 - 4) = _t81 + 3;
                                							 *(_t106 - 8 + _t81) = _t81;
                                							E00403B00(_t106, _t88, _t81);
                                							 *0x4adae8 = 0;
                                							__eflags = 0;
                                							return 0;
                                						}
                                					} else {
                                						__eflags = __eax;
                                						 *(__edx + 0x10) = __ecx;
                                						 *(__ecx - 4) = __eax;
                                						if(__eflags == 0) {
                                							__ecx =  *(__ebx + 8);
                                							 *(__edx + 0xc) = __ebx;
                                							 *(__edx + 8) = __ecx;
                                							 *(__ecx + 0xc) = __edx;
                                							 *(__ebx + 8) = __edx;
                                							 *__ebx = 0;
                                							__eax = 0;
                                							__eflags = 0;
                                							_pop(__ebx);
                                							return 0;
                                						} else {
                                							__eax = 0;
                                							__eflags = 0;
                                							 *__ebx = __al;
                                							_pop(__ebx);
                                							return 0;
                                						}
                                					}
                                				}
                                 			}

                                APIs
                                • Sleep.KERNEL32(00000000,?,?,00000000,0040BEB4,0040BF1A,?,00000000,?,?,0040C23D,00000000,?,00000000,0040C73E,00000000), ref: 00404302
                                • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040BEB4,0040BF1A,?,00000000,?,?,0040C23D,00000000,?,00000000,0040C73E), ref: 0040431C
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                 • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                 • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                 • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                 • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Sleep
                                • String ID:
                                • API String ID: 3472027048-0
                                • Opcode ID: 6990eeb09af798ff89c122cab0389b867fa95b1857629a1b42165b3db1f08a53
                                • Instruction ID: 42852a627608553f2d1d5efabc9574773b40d1f12e789e067a733302d184c96b
                                • Opcode Fuzzy Hash: 6990eeb09af798ff89c122cab0389b867fa95b1857629a1b42165b3db1f08a53
                                • Instruction Fuzzy Hash: 4071F1B17042008BE715DF29C884B16BFD8AF86715F1882BFE945AB3D2D6B8CD41C789
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 82%
                                			E004A8383(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                				intOrPtr _t17;
                                				struct HWND__* _t21;
                                				struct HWND__* _t22;
                                				struct HWND__* _t25;
                                				intOrPtr _t26;
                                				intOrPtr _t28;
                                				intOrPtr _t36;
                                				intOrPtr _t39;
                                				int _t40;
                                				intOrPtr _t41;
                                				intOrPtr _t43;
                                				struct HWND__* _t46;
                                				intOrPtr _t47;
                                				intOrPtr _t50;
                                				intOrPtr _t60;
                                				intOrPtr _t62;
                                				intOrPtr _t68;
                                				intOrPtr _t69;
                                				intOrPtr _t70;
                                				void* _t73;
                                				void* _t74;
                                
                                				_t74 = __eflags;
                                				_t72 = __esi;
                                				_t71 = __edi;
                                				_t52 = __ebx;
                                				_pop(_t62);
                                				 *[fs:eax] = _t62;
                                				_t17 =  *0x4b370c; // 0x0
                                				 *0x4b370c = 0;
                                				E00405CC8(_t17);
                                				_t21 = E0040E748(0, L"STATIC", 0,  *0x4b0634, 0, 0, 0, 0, 0, 0, 0); // executed
                                				 *0x4ac450 = _t21;
                                				_t22 =  *0x4ac450; // 0x1f0260
                                				 *0x4b3704 = SetWindowLongW(_t22, 0xfffffffc, E004A13AC);
                                				_t25 =  *0x4ac450; // 0x1f0260
                                				 *(_t73 - 0x58) = _t25;
                                				 *((char*)(_t73 - 0x54)) = 0;
                                				_t26 =  *0x4b3714; // 0x4bc924
                                				_t4 = _t26 + 0x20; // 0x75acfa
                                				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
                                				 *((char*)(_t73 - 0x4c)) = 0;
                                				_t28 =  *0x4b3714; // 0x4bc924
                                				_t7 = _t28 + 0x24; // 0xb0200
                                				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
                                				 *((char*)(_t73 - 0x44)) = 0;
                                				E0041A99C(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
                                				_push( *((intOrPtr*)(_t73 - 0x40)));
                                				_push( *0x4b3708);
                                				_push(E004A8660);
                                				E00422AB8(_t73 - 0x5c, __ebx, __esi, _t74);
                                				_push( *((intOrPtr*)(_t73 - 0x5c)));
                                				E004087A4(_t73 - 0x3c, __ebx, 4, __edi, __esi);
                                				_t36 =  *0x4b3720; // 0x0, executed
                                				E004A1438(_t36, _t52, 0x4ac44c,  *((intOrPtr*)(_t73 - 0x3c)), _t71, _t72, __fp0); // executed
                                				if( *0x4ac448 != 0xffffffff) {
                                					_t50 =  *0x4ac448; // 0x0
                                					E004A131C(_t50);
                                				}
                                				_pop(_t68);
                                				 *[fs:eax] = _t68;
                                				_push(E004A8534);
                                				_t39 =  *0x4b370c; // 0x0
                                				_t40 = E00405CC8(_t39);
                                				if( *0x4b3720 != 0) {
                                					_t70 =  *0x4b3720; // 0x0
                                					_t40 = E004A0EC8(0, _t70, 0xfa, 0x32); // executed
                                				}
                                				if( *0x4b3718 != 0) {
                                					_t47 =  *0x4b3718; // 0x0
                                					_t40 = RemoveDirectoryW(E004084C8(_t47)); // executed
                                				}
                                				if( *0x4ac450 != 0) {
                                					_t46 =  *0x4ac450; // 0x1f0260
                                					_t40 = DestroyWindow(_t46); // executed
                                				}
                                				if( *0x4b36fc != 0) {
                                					_t41 =  *0x4b36fc; // 0x0
                                					_t60 =  *0x4b3700; // 0x1
                                					_t69 =  *0x426aa4; // 0x426aa8
                                					E00408DAC(_t41, _t60, _t69);
                                					_t43 =  *0x4b36fc; // 0x0
                                					E0040540C(_t43);
                                					 *0x4b36fc = 0;
                                					return 0;
                                				}
                                				return _t40;
                                 			}

                                APIs
                                  • Part of subcall function 0040E748: CreateWindowExW.USER32 ref: 0040E787
                                • SetWindowLongW.USER32 ref: 004A83FE
                                  • Part of subcall function 00422AB8: GetCommandLineW.KERNEL32(00000000,00422AFA,?,?,00000000,?,004A845E,004A8660,?), ref: 00422ACE
                                  • Part of subcall function 004A1438: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004A1538,00000000,004A1528,00000000,004A150D), ref: 004A14A8
                                  • Part of subcall function 004A1438: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004A1538,00000000,004A1528,00000000), ref: 004A14BC
                                  • Part of subcall function 004A1438: MsgWaitForMultipleObjects.USER32 ref: 004A14D5
                                  • Part of subcall function 004A1438: GetExitCodeProcess.KERNEL32 ref: 004A14E9
                                  • Part of subcall function 004A1438: CloseHandle.KERNEL32(?,?,004AC44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004A14F2
                                • RemoveDirectoryW.KERNEL32(00000000,004A8534), ref: 004A84E0
                                • DestroyWindow.USER32(001F0260,004A8534), ref: 004A84F4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                 • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                 • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                 • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                 • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                • String ID: /SL5="$%x,%d,%d,$InnoSetupLdrWindow$STATIC
                                • API String ID: 3586484885-3001827809
                                • Opcode ID: 9705489443493a7a7ae056e2c951ccd42258b30958af4685e6cd8d800c0fa22b
                                • Instruction ID: 726ae3be045d68ff2fe1a84cd0491a2c8ef4867406dbf38a302104f673219482
                                • Opcode Fuzzy Hash: 9705489443493a7a7ae056e2c951ccd42258b30958af4685e6cd8d800c0fa22b
                                • Instruction Fuzzy Hash: AD415CB4A002059FDB14DFAAED95B5A7BF0EB5A305F10863AE5009B3A1DB789901CF5C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 61%
                                			E004A1438(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                				char _v8;
                                				struct _STARTUPINFOW _v76;
                                				void* _v88;
                                				void* _v92;
                                				int _t23;
                                				intOrPtr _t49;
                                				DWORD* _t51;
                                				void* _t56;
                                
                                				_v8 = 0;
                                				_t51 = __ecx;
                                				_t53 = __edx;
                                				_t41 = __eax;
                                				_push(_t56);
                                				_push(0x4a150d);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t56 + 0xffffffa8;
                                				_push(0x4a1528);
                                				_push(__eax);
                                				_push(E004A1538);
                                				_push(__edx);
                                				E004087A4( &_v8, __eax, 4, __ecx, __edx);
                                				E00405864( &_v76, 0x44);
                                				_v76.cb = 0x44;
                                				_t23 = CreateProcessW(0, E004084C8(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92); // executed
                                				_t58 = _t23;
                                				if(_t23 == 0) {
                                					E004A1060(0x70, _t41, 0, _t53, _t58);
                                				}
                                				CloseHandle(_v88);
                                				do {
                                					E004A140C();
                                				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0x4ff) == 1);
                                				E004A140C();
                                				GetExitCodeProcess(_v92, _t51); // executed
                                				CloseHandle(_v92);
                                				_pop(_t49);
                                				 *[fs:eax] = _t49;
                                				_push(E004A1514);
                                				return E004079F4( &_v8);
                                 			}

                                APIs
                                • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004A1538,00000000,004A1528,00000000,004A150D), ref: 004A14A8
                                • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004A1538,00000000,004A1528,00000000), ref: 004A14BC
                                • MsgWaitForMultipleObjects.USER32 ref: 004A14D5
                                • GetExitCodeProcess.KERNEL32 ref: 004A14E9
                                • CloseHandle.KERNEL32(?,?,004AC44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004A14F2
                                  • Part of subcall function 004A1060: GetLastError.KERNEL32(00000000,004A1107,?,?,00000000), ref: 004A1083
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                 • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                 • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                 • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                 • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                 • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                • String ID: D
                                • API String ID: 3356880605-2746444292
                                • Opcode ID: b287783d3d4b7ea9ccbc588804a6a0c41a1878ba0d5268b11abeab280d90f227
                                • Instruction ID: af712f2ebe82c155caeaa3e4c93f06c57414d553005f83c7d773f2c2ba47c28a
                                • Opcode Fuzzy Hash: b287783d3d4b7ea9ccbc588804a6a0c41a1878ba0d5268b11abeab280d90f227
                                • Instruction Fuzzy Hash: 2811A271A44208BEEB04EBE6CC42F9F7BACDF59714F50057BB604E72D1DA7C99008669
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 60%
                                			E004A7A8C(void* __ebx, void* __ecx, void* __edx, void* __esi) {
                                				char _v8;
                                				char _v12;
                                				char _v16;
                                				char _t16;
                                				intOrPtr _t32;
                                				intOrPtr _t41;
                                
                                				_t27 = __ebx;
                                				_push(0);
                                				_push(0);
                                				_push(0);
                                				_push(_t41);
                                				_push(0x4a7b56);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t41;
                                				 *0x4b30c8 =  *0x4b30c8 - 1;
                                				if( *0x4b30c8 < 0) {
                                					 *0x4b30cc = E0040E4A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
                                					 *0x4b30d0 = E0040E4A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
                                					if( *0x4b30cc == 0 ||  *0x4b30d0 == 0) {
                                						_t16 = 0;
                                					} else {
                                						_t16 = 1;
                                					}
                                					 *0x4b30d4 = _t16;
                                					E00422C38( &_v12);
                                					E00422554(_v12,  &_v8);
                                					E004086C4( &_v8, L"shell32.dll");
                                					E00421124(_v8, _t27, 0x8000); // executed
                                					E004231E0(0x4c783afb,  &_v16);
                                				}
                                				_pop(_t32);
                                				 *[fs:eax] = _t32;
                                				_push(0x4a7b5d);
                                				return E00407A54( &_v16, 3);
                                			}










                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004A7B56,?,00000000,00000000,00000000), ref: 004A7ABA
                                  • Part of subcall function 0040E4A8: GetProcAddress.KERNEL32(?,0B), ref: 0040E4D2
                                • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004A7B56,?,00000000,00000000,00000000), ref: 004A7AD4
                                  • Part of subcall function 0040E4A8: GetProcAddress.KERNEL32(?,00000000), ref: 0040E50B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                • API String ID: 1646373207-2130885113
                                • Opcode ID: ed8c097f407e69bb4cdc143531fa10b1b098a9c1c0dc16e414ba7af48b3c037d
                                • Instruction ID: 1cd02c6304a148968d17cc266ffa8bff7a2986612852c8552d3aa269b49b30c0
                                • Opcode Fuzzy Hash: ed8c097f407e69bb4cdc143531fa10b1b098a9c1c0dc16e414ba7af48b3c037d
                                • Instruction Fuzzy Hash: C9119470608204BFD724FB67DC12B5D77A4EB6A708FA0497BE400672D1DA7C6B059A3D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E00403EE8(signed int __eax) {
                                				signed int __ebx;
                                				signed int __edi;
                                				signed int __esi;
                                				void* _t96;
                                				void** _t99;
                                				signed int _t104;
                                				signed int _t109;
                                				signed int _t110;
                                				intOrPtr* _t114;
                                				void* _t116;
                                				void* _t121;
                                				signed int _t125;
                                				signed int _t129;
                                				signed int _t131;
                                				signed int _t132;
                                				signed int _t133;
                                				signed int _t134;
                                				signed int _t135;
                                				unsigned int _t141;
                                				signed int _t142;
                                				void* _t144;
                                				void* _t147;
                                				intOrPtr _t148;
                                				signed int _t150;
                                				long _t156;
                                				intOrPtr _t159;
                                				signed int _t162;
                                
                                				_t95 = __eax;
                                				_t129 =  *0x4ad059; // 0x0
                                				if(__eax > 0xa2c) {
                                					__eflags = __eax - 0x40a2c;
                                					if(__eax > 0x40a2c) {
                                						_pop(_t120);
                                						__eflags = __eax;
                                						if(__eax >= 0) {
                                							_push(_t120);
                                							_t162 = __eax;
                                							_t2 = _t162 + 0x10010; // 0x10110
                                							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
                                							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
                                							_t121 = _t96;
                                							if(_t121 != 0) {
                                								_t147 = _t121;
                                								 *((intOrPtr*)(_t147 + 8)) = _t162;
                                								 *(_t147 + 0xc) = _t156 | 0x00000004;
                                								E00403C48();
                                								_t99 =  *0x4afb80; // 0x4afb7c
                                								 *_t147 = 0x4afb7c;
                                								 *0x4afb80 = _t121;
                                								 *(_t147 + 4) = _t99;
                                								 *_t99 = _t121;
                                								 *0x4afb78 = 0;
                                								_t121 = _t121 + 0x10;
                                							}
                                							return _t121;
                                						} else {
                                							__eflags = 0;
                                							return 0;
                                						}
                                					} else {
                                						_t67 = _t95 + 0xd3; // 0x1d3
                                						_t125 = (_t67 & 0xffffff00) + 0x30;
                                						__eflags = _t129;
                                						if(__eflags != 0) {
                                							while(1) {
                                								asm("lock cmpxchg [0x4adae8], ah");
                                								if(__eflags == 0) {
                                									goto L42;
                                								}
                                								asm("pause");
                                								__eflags =  *0x4ad989;
                                								if(__eflags != 0) {
                                									continue;
                                								} else {
                                									Sleep(0);
                                									asm("lock cmpxchg [0x4adae8], ah");
                                									if(__eflags != 0) {
                                										Sleep(0xa);
                                										continue;
                                									}
                                								}
                                								goto L42;
                                							}
                                						}
                                						L42:
                                						_t68 = _t125 - 0xb30; // -2445
                                						_t141 = _t68;
                                						_t142 = _t141 >> 0xd;
                                						_t131 = _t141 >> 8;
                                						_t104 = 0xffffffff << _t131 &  *(0x4adaf8 + _t142 * 4);
                                						__eflags = 0xffffffff;
                                						if(0xffffffff == 0) {
                                							_t132 = _t142;
                                							__eflags = 0xfffffffe << _t132 &  *0x4adaf4;
                                							if((0xfffffffe << _t132 &  *0x4adaf4) == 0) {
                                								_t133 =  *0x4adaf0; // 0x0
                                								_t134 = _t133 - _t125;
                                								__eflags = _t134;
                                								if(_t134 < 0) {
                                									_t109 = E00403BCC(_t125);
                                								} else {
                                									_t110 =  *0x4adaec; // 0x2280aa0
                                									_t109 = _t110 - _t125;
                                									 *0x4adaec = _t109;
                                									 *0x4adaf0 = _t134;
                                									 *(_t109 - 4) = _t125 | 0x00000002;
                                								}
                                								 *0x4adae8 = 0;
                                								return _t109;
                                							} else {
                                								asm("bsf edx, eax");
                                								asm("bsf ecx, eax");
                                								_t135 = _t132 | _t142 << 0x00000005;
                                								goto L50;
                                							}
                                						} else {
                                							asm("bsf eax, eax");
                                							_t135 = _t131 & 0xffffffe0 | _t104;
                                							L50:
                                							_push(_t152);
                                							_push(_t145);
                                							_t148 = 0x4adb78 + _t135 * 8;
                                							_t159 =  *((intOrPtr*)(_t148 + 4));
                                							_t114 =  *((intOrPtr*)(_t159 + 4));
                                							 *((intOrPtr*)(_t148 + 4)) = _t114;
                                							 *_t114 = _t148;
                                							__eflags = _t148 - _t114;
                                							if(_t148 == _t114) {
                                								asm("rol eax, cl");
                                								_t80 = 0x4adaf8 + _t142 * 4;
                                								 *_t80 =  *(0x4adaf8 + _t142 * 4) & 0xfffffffe;
                                								__eflags =  *_t80;
                                								if( *_t80 == 0) {
                                									asm("btr [0x4adaf4], edx");
                                								}
                                							}
                                							_t150 = 0xfffffff0 &  *(_t159 - 4);
                                							_t144 = 0xfffffff0 - _t125;
                                							__eflags = 0xfffffff0;
                                							if(0xfffffff0 == 0) {
                                								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
                                								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
                                								__eflags =  *_t89;
                                							} else {
                                								_t116 = _t125 + _t159;
                                								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
                                								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
                                								__eflags = 0xfffffff0 - 0xb30;
                                								if(0xfffffff0 >= 0xb30) {
                                									E00403B00(_t116, 0xfffffffffffffff3, _t144);
                                								}
                                							}
                                							_t93 = _t125 + 2; // 0x1a5
                                							 *(_t159 - 4) = _t93;
                                							 *0x4adae8 = 0;
                                							return _t159;
                                						}
                                					}
                                				} else {
                                					__eflags = __cl;
                                					_t6 = __edx + 0x4ad990; // 0xc8c8c8c8
                                					__eax =  *_t6 & 0x000000ff;
                                					__ebx = 0x4a9080 + ( *_t6 & 0x000000ff) * 8;
                                					if(__eflags != 0) {
                                						while(1) {
                                							__eax = 0x100;
                                							asm("lock cmpxchg [ebx], ah");
                                							if(__eflags == 0) {
                                								goto L5;
                                							}
                                							__ebx = __ebx + 0x20;
                                							__eflags = __ebx;
                                							__eax = 0x100;
                                							asm("lock cmpxchg [ebx], ah");
                                							if(__ebx != 0) {
                                								__ebx = __ebx + 0x20;
                                								__eflags = __ebx;
                                								__eax = 0x100;
                                								asm("lock cmpxchg [ebx], ah");
                                								if(__ebx != 0) {
                                									__ebx = __ebx - 0x40;
                                									asm("pause");
                                									__eflags =  *0x4ad989;
                                									if(__eflags != 0) {
                                										continue;
                                									} else {
                                										Sleep(0);
                                										__eax = 0x100;
                                										asm("lock cmpxchg [ebx], ah");
                                										if(__eflags != 0) {
                                											Sleep(0xa);
                                											continue;
                                										}
                                									}
                                								}
                                							}
                                							goto L5;
                                						}
                                					}
                                					L5:
                                					__edx =  *(__ebx + 8);
                                					__eax =  *(__edx + 0x10);
                                					__ecx = 0xfffffff8;
                                					__eflags = __edx - __ebx;
                                					if(__edx == __ebx) {
                                						__edx =  *(__ebx + 0x18);
                                						__ecx =  *(__ebx + 2) & 0x0000ffff;
                                						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
                                						__eflags = __eax -  *(__ebx + 0x14);
                                						if(__eax >  *(__ebx + 0x14)) {
                                							_push(__esi);
                                							_push(__edi);
                                							__eflags =  *0x4ad059;
                                							if(__eflags != 0) {
                                								while(1) {
                                									__eax = 0x100;
                                									asm("lock cmpxchg [0x4adae8], ah");
                                									if(__eflags == 0) {
                                										goto L22;
                                									}
                                									asm("pause");
                                									__eflags =  *0x4ad989;
                                									if(__eflags != 0) {
                                										continue;
                                									} else {
                                										Sleep(0);
                                										__eax = 0x100;
                                										asm("lock cmpxchg [0x4adae8], ah");
                                										if(__eflags != 0) {
                                											Sleep(0xa);
                                											continue;
                                										}
                                									}
                                									goto L22;
                                								}
                                							}
                                							L22:
                                							 *(__ebx + 1) =  *(__ebx + 1) &  *0x4adaf4;
                                							__eflags =  *(__ebx + 1) &  *0x4adaf4;
                                							if(( *(__ebx + 1) &  *0x4adaf4) == 0) {
                                								__ecx =  *(__ebx + 4) & 0x0000ffff;
                                								__edi =  *0x4adaf0; // 0x0
                                								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
                                								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
                                									__eax =  *(__ebx + 6) & 0x0000ffff;
                                									__edi = __eax;
                                									__eax = E00403BCC(__eax);
                                									__esi = __eax;
                                									__eflags = __eax;
                                									if(__eax != 0) {
                                										goto L35;
                                									} else {
                                										 *0x4adae8 = __al;
                                										 *__ebx = __al;
                                										_pop(__edi);
                                										_pop(__esi);
                                										_pop(__ebx);
                                										return __eax;
                                									}
                                								} else {
                                									__esi =  *0x4adaec; // 0x2280aa0
                                									__ecx =  *(__ebx + 6) & 0x0000ffff;
                                									__edx = __ecx + 0xb30;
                                									__eflags = __edi - __ecx + 0xb30;
                                									if(__edi >= __ecx + 0xb30) {
                                										__edi = __ecx;
                                									}
                                									__esi = __esi - __edi;
                                									 *0x4adaf0 =  *0x4adaf0 - __edi;
                                									 *0x4adaec = __esi;
                                									goto L35;
                                								}
                                							} else {
                                								asm("bsf eax, esi");
                                								__esi = __eax * 8;
                                								__ecx =  *(0x4adaf8 + __eax * 4);
                                								asm("bsf ecx, ecx");
                                								__ecx =  *(0x4adaf8 + __eax * 4) + __eax * 8 * 4;
                                								__edi = 0x4adb78 + ( *(0x4adaf8 + __eax * 4) + __eax * 8 * 4) * 8;
                                								__esi =  *(__edi + 4);
                                								__edx =  *(__esi + 4);
                                								 *(__edi + 4) = __edx;
                                								 *__edx = __edi;
                                								__eflags = __edi - __edx;
                                								if(__edi == __edx) {
                                									__edx = 0xfffffffe;
                                									asm("rol edx, cl");
                                									_t38 = 0x4adaf8 + __eax * 4;
                                									 *_t38 =  *(0x4adaf8 + __eax * 4) & 0xfffffffe;
                                									__eflags =  *_t38;
                                									if( *_t38 == 0) {
                                										asm("btr [0x4adaf4], eax");
                                									}
                                								}
                                								__edi = 0xfffffff0;
                                								__edi = 0xfffffff0 &  *(__esi - 4);
                                								__eflags = 0xfffffff0 - 0x10a60;
                                								if(0xfffffff0 < 0x10a60) {
                                									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
                                									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
                                									__eflags =  *_t52;
                                								} else {
                                									__edx = __edi;
                                									__edi =  *(__ebx + 6) & 0x0000ffff;
                                									__edx = __edx - __edi;
                                									__eax = __edi + __esi;
                                									__ecx = __edx + 3;
                                									 *(__eax - 4) = __ecx;
                                									 *(__edx + __eax - 8) = __edx;
                                									__eax = E00403B00(__eax, __ecx, __edx);
                                								}
                                								L35:
                                								_t56 = __edi + 6; // 0x6
                                								__ecx = _t56;
                                								 *(__esi - 4) = _t56;
                                								__eax = 0;
                                								 *0x4adae8 = __al;
                                								 *__esi = __ebx;
                                								 *((intOrPtr*)(__esi + 0x10)) = 0;
                                								 *((intOrPtr*)(__esi + 0x14)) = 1;
                                								 *(__ebx + 0x18) = __esi;
                                								_t61 = __esi + 0x20; // 0x2280ac0
                                								__eax = _t61;
                                								__ecx =  *(__ebx + 2) & 0x0000ffff;
                                								__edx = __ecx + __eax;
                                								 *(__ebx + 0x10) = __ecx + __eax;
                                								__edi = __edi + __esi;
                                								__edi = __edi - __ecx;
                                								__eflags = __edi;
                                								 *(__ebx + 0x14) = __edi;
                                								 *__ebx = 0;
                                								 *(__eax - 4) = __esi;
                                								_pop(__edi);
                                								_pop(__esi);
                                								_pop(__ebx);
                                								return __eax;
                                							}
                                						} else {
                                							_t19 = __edx + 0x14;
                                							 *_t19 =  *(__edx + 0x14) + 1;
                                							__eflags =  *_t19;
                                							 *(__ebx + 0x10) = __ecx;
                                							 *__ebx = 0;
                                							 *(__eax - 4) = __edx;
                                							_pop(__ebx);
                                							return __eax;
                                						}
                                					} else {
                                						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
                                						__ecx = 0xfffffff8 &  *(__eax - 4);
                                						__eflags = 0xfffffff8;
                                						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
                                						 *(__eax - 4) = __edx;
                                						if(0xfffffff8 == 0) {
                                							__ecx =  *(__edx + 8);
                                							 *(__ecx + 0xc) = __ebx;
                                							 *(__ebx + 8) = __ecx;
                                							 *__ebx = 0;
                                							_pop(__ebx);
                                							return __eax;
                                						} else {
                                							 *__ebx = 0;
                                							_pop(__ebx);
                                							return __eax;
                                						}
                                					}
                                				}
                                			}






























                                0x00404236
                                0x0040423c
                                0x0040423e
                                0x0040423e
                                0x0040423c
                                0x0040424d
                                0x00404250
                                0x00404253
                                0x0040425f
                                0x0040425f
                                0x00404182
                                0x00403f00
                                0x00403f00
                                0x00403f02
                                0x00403f02
                                0x00403f09
                                0x00403f10
                                0x00403f68
                                0x00403f68
                                0x00403f6d
                                0x00403f71
                                0x00000000
                                0x00000000
                                0x00403f73
                                0x00403f73
                                0x00403f76
                                0x00403f7b
                                0x00403f7f
                                0x00403f81
                                0x00403f81
                                0x00403f84
                                0x00403f89
                                0x00403f8d
                                0x00403f8f
                                0x00403f92
                                0x00403f94
                                0x00403f9b
                                0x00000000
                                0x00403f9d
                                0x00403f9f
                                0x00403fa4
                                0x00403fa9
                                0x00403fad
                                0x00403fb5
                                0x00000000
                                0x00403fb5
                                0x00403fad
                                0x00403f9b
                                0x00403f8d
                                0x00000000
                                0x00403f7f
                                0x00403f68
                                0x00403f12
                                0x00403f12
                                0x00403f15
                                0x00403f18
                                0x00403f1d
                                0x00403f1f
                                0x00403f38
                                0x00403f3b
                                0x00403f3f
                                0x00403f41
                                0x00403f44
                                0x00403fbc
                                0x00403fbd
                                0x00403fbe
                                0x00403fc5
                                0x00403fc7
                                0x00403fc7
                                0x00403fcc
                                0x00403fd4
                                0x00000000
                                0x00000000
                                0x00403fd6
                                0x00403fd8
                                0x00403fdf
                                0x00000000
                                0x00403fe1
                                0x00403fe3
                                0x00403fe8
                                0x00403fed
                                0x00403ff5
                                0x00403ff9
                                0x00000000
                                0x00403ff9
                                0x00403ff5
                                0x00000000
                                0x00403fdf
                                0x00403fc7
                                0x00404000
                                0x00404004
                                0x00404004
                                0x0040400a
                                0x0040407c
                                0x00404080
                                0x00404086
                                0x00404088
                                0x004040b0
                                0x004040b4
                                0x004040b6
                                0x004040bb
                                0x004040bd
                                0x004040bf
                                0x00000000
                                0x004040c1
                                0x004040c1
                                0x004040c6
                                0x004040c8
                                0x004040c9
                                0x004040ca
                                0x004040cb
                                0x004040cb
                                0x0040408a
                                0x0040408a
                                0x00404090
                                0x00404094
                                0x0040409a
                                0x0040409c
                                0x0040409e
                                0x0040409e
                                0x004040a0
                                0x004040a2
                                0x004040a8
                                0x00000000
                                0x004040a8
                                0x0040400c
                                0x0040400c
                                0x0040400f
                                0x00404016
                                0x0040401d
                                0x00404020
                                0x00404023
                                0x0040402a
                                0x0040402d
                                0x00404030
                                0x00404033
                                0x00404035
                                0x00404037
                                0x00404039
                                0x0040403e
                                0x00404040
                                0x00404040
                                0x00404040
                                0x00404047
                                0x00404049
                                0x00404049
                                0x00404047
                                0x00404050
                                0x00404055
                                0x00404058
                                0x0040405e
                                0x004040cc
                                0x004040cc
                                0x004040cc
                                0x00404060
                                0x00404060
                                0x00404062
                                0x00404066
                                0x00404068
                                0x0040406b
                                0x0040406e
                                0x00404071
                                0x00404075
                                0x00404075
                                0x004040d1
                                0x004040d1
                                0x004040d1
                                0x004040d4
                                0x004040d7
                                0x004040d9
                                0x004040de
                                0x004040e0
                                0x004040e3
                                0x004040ea
                                0x004040ed
                                0x004040ed
                                0x004040f0
                                0x004040f4
                                0x004040f7
                                0x004040fa
                                0x004040fc
                                0x004040fc
                                0x004040fe
                                0x00404101
                                0x00404104
                                0x00404107
                                0x00404108
                                0x00404109
                                0x0040410a
                                0x0040410a
                                0x00403f46
                                0x00403f46
                                0x00403f46
                                0x00403f46
                                0x00403f4a
                                0x00403f4d
                                0x00403f50
                                0x00403f53
                                0x00403f54
                                0x00403f54
                                0x00403f21
                                0x00403f21
                                0x00403f25
                                0x00403f25
                                0x00403f28
                                0x00403f2b
                                0x00403f2e
                                0x00403f58
                                0x00403f5b
                                0x00403f5e
                                0x00403f61
                                0x00403f64
                                0x00403f65
                                0x00403f30
                                0x00403f30
                                0x00403f33
                                0x00403f34
                                0x00403f34
                                0x00403f2e
                                0x00403f1f

                                APIs
                                • Sleep.KERNEL32(00000000,000000FF,00404788,00000000,0040BF5B,00000000,0040C469,00000000,0040C72B,00000000,0040C761), ref: 00403F9F
                                • Sleep.KERNEL32(0000000A,00000000,000000FF,00404788,00000000,0040BF5B,00000000,0040C469,00000000,0040C72B,00000000,0040C761), ref: 00403FB5
                                • Sleep.KERNEL32(00000000,00000000,?,000000FF,00404788,00000000,0040BF5B,00000000,0040C469,00000000,0040C72B,00000000,0040C761), ref: 00403FE3
                                • Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404788,00000000,0040BF5B,00000000,0040C469,00000000,0040C72B,00000000,0040C761), ref: 00403FF9
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Sleep
                                • String ID:
                                • API String ID: 3472027048-0
                                • Opcode ID: de0d06ab3528a7223025f1b9446eacc1668a16eaa8b8f8de44a1672ae8a3e8ae
                                • Instruction ID: 40858f6e4be6ca8b0a26f9524243d71a381fde2c256961902b301cd5bde9a830
                                • Opcode Fuzzy Hash: de0d06ab3528a7223025f1b9446eacc1668a16eaa8b8f8de44a1672ae8a3e8ae
                                • Instruction Fuzzy Hash: F6C146B2A052118BCB19CF68E884356BFE4ABC6311F1882BFE516AB7D1C774D941C79C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 73%
                                			E004A80CC(void* __ebx, void* __edi, void* __esi, void* __fp0) {
                                				intOrPtr _t26;
                                				intOrPtr _t31;
                                				intOrPtr _t37;
                                				intOrPtr _t38;
                                				intOrPtr _t42;
                                				intOrPtr _t44;
                                				intOrPtr _t47;
                                				intOrPtr _t51;
                                				intOrPtr _t53;
                                				intOrPtr _t55;
                                				intOrPtr _t56;
                                				intOrPtr _t59;
                                				intOrPtr _t61;
                                				WCHAR* _t63;
                                				intOrPtr _t69;
                                				intOrPtr _t74;
                                				int _t75;
                                				intOrPtr _t76;
                                				intOrPtr _t78;
                                				struct HWND__* _t81;
                                				intOrPtr _t82;
                                				intOrPtr _t86;
                                				void* _t90;
                                				intOrPtr _t93;
                                				intOrPtr _t99;
                                				intOrPtr _t101;
                                				intOrPtr _t107;
                                				intOrPtr _t114;
                                				intOrPtr _t115;
                                				intOrPtr _t116;
                                				intOrPtr _t117;
                                				void* _t120;
                                				intOrPtr _t121;
                                
                                				_t119 = __esi;
                                				_t118 = __edi;
                                				_t85 = __ebx;
                                				_pop(_t101);
                                				_pop(_t88);
                                				 *[fs:eax] = _t101;
                                				E004A1388(_t88);
                                				if( *0x4ac440 == 0) {
                                					if(( *0x4b36f5 & 0x00000001) == 0 &&  *0x4ac441 == 0) {
                                						_t61 =  *0x4ac674; // 0x4b2d04
                                						_t4 = _t61 + 0x2a8; // 0x0
                                						_t63 = E004084C8( *_t4);
                                						_t88 = _t120 - 0x28;
                                						_t101 =  *0x4b35cc; // 0x0
                                						E00426DFC(0xae, _t120 - 0x28, _t101);
                                						if(MessageBoxW(0, E004084C8( *((intOrPtr*)(_t120 - 0x28))), _t63, 0x24) != 6) {
                                							 *0x4ac44c = 2;
                                							E0041F358();
                                						}
                                					}
                                					E004056B0();
                                					E004A0D00(_t120 - 0x2c, _t85, _t101, _t118, _t119); // executed
                                					E00407DD4(0x4b3718,  *((intOrPtr*)(_t120 - 0x2c)));
                                					_t26 =  *0x4b3708; // 0x0
                                					E00422848(_t26, _t88, _t120 - 0x34);
                                					E004225BC( *((intOrPtr*)(_t120 - 0x34)), _t85, _t120 - 0x30, L".tmp", _t118, _t119);
                                					_push( *((intOrPtr*)(_t120 - 0x30)));
                                					_t31 =  *0x4b3718; // 0x0
                                					E00422554(_t31, _t120 - 0x38);
                                					_pop(_t90);
                                					E0040871C(0x4b371c, _t90,  *((intOrPtr*)(_t120 - 0x38)));
                                					_t107 =  *0x4b371c; // 0x0
                                					E00407DD4(0x4b3720, _t107);
                                					_t37 =  *0x4b3714; // 0x4bc924
                                					_t15 = _t37 + 0x14; // 0x76a023
                                					_t38 =  *0x4b370c; // 0x0
                                					E00423BDC(_t38,  *_t15);
                                					_push(_t120);
                                					_push(0x4a838d);
                                					_push( *[fs:edx]);
                                					 *[fs:edx] = _t121;
                                					 *0x4b3764 = 0;
                                					_t42 = E00423BF4(1, 0, 1, 0); // executed
                                					 *0x4b3710 = _t42;
                                					_push(_t120);
                                					_push(0x4a837c);
                                					_push( *[fs:eax]);
                                					 *[fs:eax] = _t121;
                                					_t44 =  *0x4b3714; // 0x4bc924
                                					_t16 = _t44 + 0x18; // 0x269e00
                                					 *0x4b3764 = E004053F0( *_t16);
                                					_t47 =  *0x4b3714; // 0x4bc924
                                					_t17 = _t47 + 0x18; // 0x269e00
                                					_t86 =  *0x4b3764; // 0x7fc40010
                                					E00405864(_t86,  *_t17);
                                					_push(_t120);
                                					_push(0x4a82cb);
                                					_push( *[fs:eax]);
                                					 *[fs:eax] = _t121;
                                					_t51 =  *0x424bcc; // 0x424c24
                                					_t93 =  *0x4b370c; // 0x0
                                					_t53 = E0042463C(_t93, 1, _t51); // executed
                                					 *0x4b3768 = _t53;
                                					_push(_t120);
                                					_push(0x4a82ba);
                                					_push( *[fs:eax]);
                                					 *[fs:eax] = _t121;
                                					_t55 =  *0x4b3714; // 0x4bc924
                                					_t18 = _t55 + 0x18; // 0x269e00
                                					_t56 =  *0x4b3768; // 0x2290bd0
                                					E00424918(_t56,  *_t18, _t86);
                                					_pop(_t114);
                                					 *[fs:eax] = _t114;
                                					_push(E004A82C1);
                                					_t59 =  *0x4b3768; // 0x2290bd0
                                					return E00405CC8(_t59);
                                				} else {
                                					_t69 =  *0x4ac674; // 0x4b2d04
                                					_t1 = _t69 + 0x184; // 0x0
                                					E004A1750( *_t1, __ebx, __edi, __esi);
                                					 *0x4ac44c = 0;
                                					_pop(_t115);
                                					 *[fs:eax] = _t115;
                                					_push(E004A8534);
                                					_t74 =  *0x4b370c; // 0x0
                                					_t75 = E00405CC8(_t74);
                                					if( *0x4b3720 != 0) {
                                						_t117 =  *0x4b3720; // 0x0
                                						_t75 = E004A0EC8(0, _t117, 0xfa, 0x32); // executed
                                					}
                                					if( *0x4b3718 != 0) {
                                						_t82 =  *0x4b3718; // 0x0
                                						_t75 = RemoveDirectoryW(E004084C8(_t82)); // executed
                                					}
                                					if( *0x4ac450 != 0) {
                                						_t81 =  *0x4ac450; // 0x1f0260
                                						_t75 = DestroyWindow(_t81); // executed
                                					}
                                					if( *0x4b36fc != 0) {
                                						_t76 =  *0x4b36fc; // 0x0
                                						_t99 =  *0x4b3700; // 0x1
                                						_t116 =  *0x426aa4; // 0x426aa8
                                						E00408DAC(_t76, _t99, _t116);
                                						_t78 =  *0x4b36fc; // 0x0
                                						E0040540C(_t78);
                                						 *0x4b36fc = 0;
                                						return 0;
                                					}
                                					return _t75;
                                				}
                                			}

                                APIs
                                • MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 004A815B
                                  • Part of subcall function 004A1750: MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004A17BA
                                • RemoveDirectoryW.KERNEL32(00000000,004A8534), ref: 004A84E0
                                • DestroyWindow.USER32(001F0260,004A8534), ref: 004A84F4
                                  • Part of subcall function 004A0EC8: Sleep.KERNEL32(?,?,?,?,0000000D,?,004A84CC,000000FA,00000032,004A8534), ref: 004A0EE7
                                  • Part of subcall function 004A0EC8: GetLastError.KERNEL32(?,?,?,0000000D,?,004A84CC,000000FA,00000032,004A8534), ref: 004A0F0A
                                  • Part of subcall function 004A0EC8: GetLastError.KERNEL32(?,?,?,0000000D,?,004A84CC,000000FA,00000032,004A8534), ref: 004A0F14
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: ErrorLastMessage$DestroyDirectoryRemoveSleepWindow
                                • String ID: $LB$.tmp
                                • API String ID: 3858953238-2116547132
                                • Opcode ID: c3df1991af78a34c2965fe03942ffed53ba26fbb61714fe6a9abf260fb208277
                                • Instruction ID: a1a03a499fae612d09130263bc43a5da7f8b3d1655acbcdcebb0530643affef6
                                • Opcode Fuzzy Hash: c3df1991af78a34c2965fe03942ffed53ba26fbb61714fe6a9abf260fb208277
                                • Instruction Fuzzy Hash: 09617DF1300600AFD710EF6AED92A567BA5E75A305F50867AF800973A1CE38AD41CB2C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 86%
                                			E00407724() {
                                				void* _t20;
                                				void* _t23;
                                				intOrPtr _t31;
                                				intOrPtr* _t33;
                                				void* _t46;
                                				struct HINSTANCE__* _t49;
                                				void* _t56;
                                
                                				if( *0x4a9004 != 0) {
                                					E00407604();
                                					E0040768C(_t46);
                                					 *0x4a9004 = 0;
                                				}
                                				if( *0x4afbcc != 0 && GetCurrentThreadId() ==  *0x4afbf4) {
                                					E0040735C(0x4afbc8);
                                					E00407660(0x4afbc8);
                                				}
                                				if( *0x004AFBC0 != 0 ||  *0x4ad054 == 0) {
                                					L8:
                                					if( *((char*)(0x4afbc0)) == 2 &&  *0x4a9000 == 0) {
                                						 *0x004AFBA4 = 0;
                                					}
                                					if( *((char*)(0x4afbc0)) != 0) {
                                						L14:
                                						E00407384();
                                						if( *((char*)(0x4afbc0)) <= 1 ||  *0x4a9000 != 0) {
                                							_t15 =  *0x004AFBA8;
                                							if( *0x004AFBA8 != 0) {
                                								E0040B780(_t15);
                                								_t31 =  *((intOrPtr*)(0x4afba8));
                                								_t8 = _t31 + 0x10; // 0x400000
                                								_t49 =  *_t8;
                                								_t9 = _t31 + 4; // 0x400000
                                								if(_t49 !=  *_t9 && _t49 != 0) {
                                									FreeLibrary(_t49);
                                								}
                                							}
                                						}
                                						E0040735C(0x4afb98);
                                						if( *((char*)(0x4afbc0)) == 1) {
                                							 *0x004AFBBC();
                                						}
                                						if( *((char*)(0x4afbc0)) != 0) {
                                							E00407660(0x4afb98);
                                						}
                                						if( *0x4afb98 == 0) {
                                							if( *0x4ad038 != 0) {
                                								 *0x4ad038();
                                							}
                                							ExitProcess( *0x4a9000); // executed
                                						}
                                						memcpy(0x4afb98,  *0x4afb98, 0xc << 2);
                                						_t56 = _t56 + 0xc;
                                						0x4a9000 = 0x4a9000;
                                						0x4afb98 = 0x4afb98;
                                						goto L8;
                                					} else {
                                						_t20 = E00405494();
                                						_t44 = _t20;
                                						if(_t20 == 0) {
                                							goto L14;
                                						} else {
                                							goto L13;
                                						}
                                						do {
                                							L13:
                                							E00405CC8(_t44);
                                							_t23 = E00405494();
                                							_t44 = _t23;
                                						} while (_t23 != 0);
                                						goto L14;
                                					}
                                				} else {
                                					do {
                                						_t33 =  *0x4ad054; // 0x0
                                						 *0x4ad054 = 0;
                                						 *_t33();
                                					} while ( *0x4ad054 != 0);
                                					L8:
                                					while(1) {
                                					}
                                				}
                                			}

                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 00407754
                                • FreeLibrary.KERNEL32(00400000,?,?,?,0040785E,004054DF,00405526,?,?,0040553F,?,?,?,?,00453546,00000000), ref: 004077FC
                                • ExitProcess.KERNEL32(00000000,?,?,?,0040785E,004054DF,00405526,?,?,0040553F,?,?,?,?,00453546,00000000), ref: 00407835
                                  • Part of subcall function 0040768C: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?,0040785E,004054DF,00405526,?,?,0040553F), ref: 004076C5
                                  • Part of subcall function 0040768C: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?,0040785E,004054DF,00405526,?,?), ref: 004076CB
                                  • Part of subcall function 0040768C: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?), ref: 004076E6
                                  • Part of subcall function 0040768C: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?), ref: 004076EC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                • String ID: MZP
                                • API String ID: 3490077880-2889622443
                                • Opcode ID: 27687baf6def8bf591ad0f3cbfb324307bfd436381f9ba0853c27a150f62d65a
                                • Instruction ID: 4d6c15ac86d8b360ffdfc55aea4b1fc84de7d629047560fa0690051ca5318a6c
                                • Opcode Fuzzy Hash: 27687baf6def8bf591ad0f3cbfb324307bfd436381f9ba0853c27a150f62d65a
                                • Instruction Fuzzy Hash: DA319220E086415AE731AB79C48875B7AE46B06358F14883BD441A37D2D77CF884CB6F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 86%
                                			E0040771C() {
                                				intOrPtr* _t14;
                                				void* _t23;
                                				void* _t26;
                                				intOrPtr _t34;
                                				intOrPtr* _t36;
                                				void* _t50;
                                				struct HINSTANCE__* _t53;
                                				void* _t62;
                                
                                				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
                                				if( *0x4a9004 != 0) {
                                					E00407604();
                                					E0040768C(_t50);
                                					 *0x4a9004 = 0;
                                				}
                                				if( *0x4afbcc != 0 && GetCurrentThreadId() ==  *0x4afbf4) {
                                					E0040735C(0x4afbc8);
                                					E00407660(0x4afbc8);
                                				}
                                				if( *0x004AFBC0 != 0 ||  *0x4ad054 == 0) {
                                					L9:
                                					if( *((char*)(0x4afbc0)) == 2 &&  *0x4a9000 == 0) {
                                						 *0x004AFBA4 = 0;
                                					}
                                					if( *((char*)(0x4afbc0)) != 0) {
                                						L15:
                                						E00407384();
                                						if( *((char*)(0x4afbc0)) <= 1 ||  *0x4a9000 != 0) {
                                							_t18 =  *0x004AFBA8;
                                							if( *0x004AFBA8 != 0) {
                                								E0040B780(_t18);
                                								_t34 =  *((intOrPtr*)(0x4afba8));
                                								_t8 = _t34 + 0x10; // 0x400000
                                								_t53 =  *_t8;
                                								_t9 = _t34 + 4; // 0x400000
                                								if(_t53 !=  *_t9 && _t53 != 0) {
                                									FreeLibrary(_t53);
                                								}
                                							}
                                						}
                                						E0040735C(0x4afb98);
                                						if( *((char*)(0x4afbc0)) == 1) {
                                							 *0x004AFBBC();
                                						}
                                						if( *((char*)(0x4afbc0)) != 0) {
                                							E00407660(0x4afb98);
                                						}
                                						if( *0x4afb98 == 0) {
                                							if( *0x4ad038 != 0) {
                                								 *0x4ad038();
                                							}
                                							ExitProcess( *0x4a9000); // executed
                                						}
                                						memcpy(0x4afb98,  *0x4afb98, 0xc << 2);
                                						_t62 = _t62 + 0xc;
                                						0x4a9000 = 0x4a9000;
                                						0x4afb98 = 0x4afb98;
                                						goto L9;
                                					} else {
                                						_t23 = E00405494();
                                						_t48 = _t23;
                                						if(_t23 == 0) {
                                							goto L15;
                                						} else {
                                							goto L14;
                                						}
                                						do {
                                							L14:
                                							E00405CC8(_t48);
                                							_t26 = E00405494();
                                							_t48 = _t26;
                                						} while (_t26 != 0);
                                						goto L15;
                                					}
                                				} else {
                                					do {
                                						_t36 =  *0x4ad054; // 0x0
                                						 *0x4ad054 = 0;
                                						 *_t36();
                                					} while ( *0x4ad054 != 0);
                                					L9:
                                					while(1) {
                                					}
                                				}
                                			}

                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 00407754
                                • FreeLibrary.KERNEL32(00400000,?,?,?,0040785E,004054DF,00405526,?,?,0040553F,?,?,?,?,00453546,00000000), ref: 004077FC
                                • ExitProcess.KERNEL32(00000000,?,?,?,0040785E,004054DF,00405526,?,?,0040553F,?,?,?,?,00453546,00000000), ref: 00407835
                                  • Part of subcall function 0040768C: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?,0040785E,004054DF,00405526,?,?,0040553F), ref: 004076C5
                                  • Part of subcall function 0040768C: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?,0040785E,004054DF,00405526,?,?), ref: 004076CB
                                  • Part of subcall function 0040768C: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?), ref: 004076E6
                                  • Part of subcall function 0040768C: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?), ref: 004076EC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                • String ID: MZP
                                • API String ID: 3490077880-2889622443
                                • Opcode ID: c0169702aa9a0112fec964110138e5601fa374416d594b0021619e1349d772d7
                                • Instruction ID: 94527550a85b6d0efb8c992dbc1059f00de0a519c92a8f1d7b957efcc6585d4e
                                • Opcode Fuzzy Hash: c0169702aa9a0112fec964110138e5601fa374416d594b0021619e1349d772d7
                                • Instruction Fuzzy Hash: 8E315C20E087419AE731AB79848875B3BE06B16358F14883BE441A77D2D77CF884CB6F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 73%
                                			E004A0D00(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
                                				char _v8;
                                				char _v12;
                                				char* _v16;
                                				char _v20;
                                				intOrPtr _v24;
                                				char _v28;
                                				char _v32;
                                				char _v36;
                                				char _v40;
                                				int _t30;
                                				intOrPtr _t63;
                                				void* _t71;
                                				void* _t73;
                                				intOrPtr _t75;
                                				intOrPtr _t76;
                                
                                				_t71 = __edi;
                                				_t54 = __ebx;
                                				_t75 = _t76;
                                				_t55 = 4;
                                				do {
                                					_push(0);
                                					_push(0);
                                					_t55 = _t55 - 1;
                                				} while (_t55 != 0);
                                				_push(_t55);
                                				_push(__ebx);
                                				_t73 = __eax;
                                				_t78 = 0;
                                				_push(_t75);
                                				_push(0x4a0df5);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t76;
                                				while(1) {
                                					E00422C64( &_v12, _t54, _t55, _t78); // executed
                                					_t55 = L".tmp";
                                					E004A0BE4(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed
                                					_t30 = CreateDirectoryW(E004084C8(_v8), 0); // executed
                                					if(_t30 != 0) {
                                						break;
                                					}
                                					_t54 = GetLastError();
                                					_t78 = _t54 - 0xb7;
                                					if(_t54 != 0xb7) {
                                						E00426DFC(0x39,  &_v32, _v8);
                                						_v28 = _v32;
                                						E00419F38( &_v36, _t54, 0);
                                						_v24 = _v36;
                                						E004231E0(_t54,  &_v40);
                                						_v20 = _v40;
                                						E00426DCC(0x6e, 2,  &_v28,  &_v16);
                                						_t55 = _v16;
                                						E0041F384(_v16, 1);
                                						E004070F0();
                                					}
                                				}
                                				E00407DD4(_t73, _v8);
                                				__eflags = 0;
                                				_pop(_t63);
                                				 *[fs:eax] = _t63;
                                				_push(E004A0DFC);
                                				E00407A54( &_v40, 3);
                                				return E00407A54( &_v16, 3);
                                			}

                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004A0DF5,?,?,?,00000003,00000000,00000000,?,004A8181), ref: 004A0D48
                                • GetLastError.KERNEL32(00000000,00000000,?,00000000,004A0DF5,?,?,?,00000003,00000000,00000000,?,004A8181), ref: 004A0D51
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: CreateDirectoryErrorLast
                                • String ID: $OA$.tmp
                                • API String ID: 1375471231-3378223631
                                • Opcode ID: c516df454c84e863fb55d8b662e48942052b52aa9f9abc459fd96a9f16e7d671
                                • Instruction ID: 208fa6887b5c0916c11087d92b0f683a5db5f473fd1affd0b97b8fe8ecdf5134
                                • Opcode Fuzzy Hash: c516df454c84e863fb55d8b662e48942052b52aa9f9abc459fd96a9f16e7d671
                                • Instruction Fuzzy Hash: 63217675A002099BDB00EBE5C951AEEB3B9EB58304F50457BF901B7381DA786E058B69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 79%
                                			E004A7000(void* __ecx, void* __edx) {
                                				intOrPtr _t19;
                                				intOrPtr _t22;
                                
                                				_push(_t22);
                                				_push(0x4a70d7);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t22;
                                				 *0x4ad98c =  *0x4ad98c - 1;
                                				if( *0x4ad98c < 0) {
                                					E00405B54();
                                					E004051A8();
                                					SetThreadLocale(0x400); // executed
                                					E0040A5C4();
                                					 *0x4a900c = 2;
                                					 *0x4ad01c = 0x4036b0;
                                					 *0x4ad020 = 0x4036b8;
                                					 *0x4ad05a = 2;
                                					 *0x4ad060 = E0040CDE0();
                                					 *0x4ad008 = E004098F4;
                                					E00405BAC(E00405B90());
                                					 *0x4ad068 = 0xd7b0;
                                					 *0x4ad344 = 0xd7b0;
                                					 *0x4ad620 = 0xd7b0;
                                					 *0x4ad050 = GetCommandLineW();
                                					 *0x4ad04c = E00403810();
                                					 *0x4ad97c = GetACP();
                                					 *0x4ad980 = 0x4b0;
                                					 *0x4ad044 = GetCurrentThreadId();
                                					E0040CDF4();
                                				}
                                				_pop(_t19);
                                				 *[fs:eax] = _t19;
                                				_push(0x4a70de);
                                				return 0;
                                			}

                                APIs
                                • SetThreadLocale.KERNEL32(00000400,00000000,004A70D7), ref: 004A702D
                                  • Part of subcall function 0040A5C4: InitializeCriticalSection.KERNEL32(004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A5C9
                                  • Part of subcall function 0040A5C4: GetVersion.KERNEL32(004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A5D7
                                  • Part of subcall function 0040A5C4: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A5FE
                                  • Part of subcall function 0040A5C4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A604
                                  • Part of subcall function 0040A5C4: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A618
                                  • Part of subcall function 0040A5C4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A61E
                                  • Part of subcall function 0040A5C4: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A632
                                  • Part of subcall function 0040A5C4: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A638
                                  • Part of subcall function 0040CDE0: GetSystemInfo.KERNEL32 ref: 0040CDE4
                                • GetCommandLineW.KERNEL32(00000400,00000000,004A70D7), ref: 004A7092
                                  • Part of subcall function 00403810: GetStartupInfoW.KERNEL32 ref: 00403821
                                • GetACP.KERNEL32(00000400,00000000,004A70D7), ref: 004A70A6
                                • GetCurrentThreadId.KERNEL32 ref: 004A70BA
                                  • Part of subcall function 0040CDF4: GetVersion.KERNEL32(004A70C9,00000400,00000000,004A70D7), ref: 0040CDF4
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
                                • String ID:
                                • API String ID: 2740004594-0
                                • Opcode ID: 751076c4bcae2fa5cb3ef74472dc0559afb380b7e743fee50856c719e0d04cff
                                • Instruction ID: 2d6e9566c0f1ba9e301420735f22e2aaacda25799cb94ec5fa4b9a8b87f6e037
                                • Opcode Fuzzy Hash: 751076c4bcae2fa5cb3ef74472dc0559afb380b7e743fee50856c719e0d04cff
                                • Instruction Fuzzy Hash: EC1100B0808740A9E711BF72AC0660A3FA8FB4770DF41883EE10567AA2D7BD5545DF6E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0040E748(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                				WCHAR* _v8;
                                				void* _t13;
                                				struct HWND__* _t24;
                                				WCHAR* _t29;
                                				long _t32;
                                
                                				_v8 = _t29;
                                				_t32 = __eax;
                                				_t13 = E00405720();
                                				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                				E00405710(_t13);
                                				return _t24;
                                			}

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: CreateWindow
                                • String ID: InnoSetupLdrWindow$STATIC
                                • API String ID: 716092398-2209255943
                                • Opcode ID: 308ffab18e31b1134490d17498aac611e849f0f3c6d244726fd98e92013085e1
                                • Instruction ID: f84a80031f046bc7831efab5cf97239724a0ea78ac17ff57204b8c6211417fe6
                                • Opcode Fuzzy Hash: 308ffab18e31b1134490d17498aac611e849f0f3c6d244726fd98e92013085e1
                                • Instruction Fuzzy Hash: 59F097B6600118BF8B40DE9DDC85DDB77ECEB4C264B054529FA0CD3201D634ED108BB4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E004A0EC8(long __eax, intOrPtr __edx, long _a4, long _a8) {
                                				intOrPtr _v8;
                                				long _t5;
                                				long _t9;
                                				void* _t10;
                                				void* _t13;
                                				void* _t15;
                                				void* _t16;
                                
                                				_t5 = __eax;
                                				_v8 = __edx;
                                				_t9 = __eax;
                                				_t15 = _t10 - 1;
                                				if(_t15 < 0) {
                                					L10:
                                					return _t5;
                                				}
                                				_t16 = _t15 + 1;
                                				_t13 = 0;
                                				while(1) {
                                					_t19 = _t13 - 1;
                                					if(_t13 != 1) {
                                						__eflags = _t13 - 1;
                                						if(__eflags > 0) {
                                							Sleep(_a4);
                                						}
                                					} else {
                                						Sleep(_a8);
                                					}
                                					_t5 = E00427040(_t9, _v8, _t19); // executed
                                					if(_t5 != 0) {
                                						goto L10;
                                					}
                                					_t5 = GetLastError();
                                					if(_t5 == 2) {
                                						goto L10;
                                					}
                                					_t5 = GetLastError();
                                					if(_t5 == 3) {
                                						goto L10;
                                					}
                                					_t13 = _t13 + 1;
                                					_t16 = _t16 - 1;
                                					if(_t16 != 0) {
                                						continue;
                                					}
                                					goto L10;
                                				}
                                				goto L10;
                                			}

                                APIs
                                • Sleep.KERNEL32(?,?,?,?,0000000D,?,004A84CC,000000FA,00000032,004A8534), ref: 004A0EE7
                                • Sleep.KERNEL32(?,?,?,?,0000000D,?,004A84CC,000000FA,00000032,004A8534), ref: 004A0EF7
                                • GetLastError.KERNEL32(?,?,?,0000000D,?,004A84CC,000000FA,00000032,004A8534), ref: 004A0F0A
                                • GetLastError.KERNEL32(?,?,?,0000000D,?,004A84CC,000000FA,00000032,004A8534), ref: 004A0F14
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: ErrorLastSleep
                                • String ID:
                                • API String ID: 1458359878-0
                                • Opcode ID: 08ceac58f1a598c28f3150d760af8bae7f2592b373fbd5a93858732f14be0fce
                                • Instruction ID: adb0e5fdaca97d13269606711df51f6cdb903a640927d0cc505b6659a44c5edb
                                • Opcode Fuzzy Hash: 08ceac58f1a598c28f3150d760af8bae7f2592b373fbd5a93858732f14be0fce
                                • Instruction Fuzzy Hash: 53F0E032B002287B5B34E55F9D4596F629CDA77364B10052BF444E7303D57DCC4152ED
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 63%
                                			E00420060(void* __eax, void* __ebx, signed int* __ecx, signed int* __edx, void* __edi, void* __esi, signed int* _a4) {
                                				char _v8;
                                				char _v9;
                                				int _v16;
                                				void* _v20;
                                				void* _v24;
                                				int _v28;
                                				int _t33;
                                				int _t43;
                                				int _t64;
                                				intOrPtr _t72;
                                				intOrPtr _t74;
                                				signed int* _t77;
                                				signed int* _t79;
                                				void* _t81;
                                				void* _t82;
                                				intOrPtr _t83;
                                
                                				_t81 = _t82;
                                				_t83 = _t82 + 0xffffffe8;
                                				_v8 = 0;
                                				_t77 = __ecx;
                                				_t79 = __edx;
                                				_push(_t81);
                                				_push(0x420160);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t83;
                                				_v9 = 0;
                                				E00407E1C( &_v8, __eax);
                                				E00407F84( &_v8);
                                				_t33 = GetFileVersionInfoSizeW(E004084C8(_v8),  &_v16); // executed
                                				_t64 = _t33;
                                				if(_t64 == 0) {
                                					_pop(_t72);
                                					 *[fs:eax] = _t72;
                                					_push(0x420167);
                                					return E004079F4( &_v8);
                                				} else {
                                					_v20 = E004053F0(_t64);
                                					_push(_t81);
                                					_push(0x420143);
                                					_push( *[fs:edx]);
                                					 *[fs:edx] = _t83;
                                					_t43 = GetFileVersionInfoW(E004084C8(_v8), _v16, _t64, _v20); // executed
                                					if(_t43 != 0 && VerQueryValueW(_v20, 0x420174,  &_v24,  &_v28) != 0) {
                                						 *_t79 =  *(_v24 + 0x10) >> 0x00000010 & 0x0000ffff;
                                						 *_t77 =  *(_v24 + 0x10) & 0x0000ffff;
                                						 *_a4 =  *(_v24 + 0x14) >> 0x00000010 & 0x0000ffff;
                                						_v9 = 1;
                                					}
                                					_pop(_t74);
                                					 *[fs:eax] = _t74;
                                					_push(0x42014a);
                                					return E0040540C(_v20);
                                				}
                                			}

                                APIs
                                • GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00420160), ref: 004200A5
                                • GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00420143,?,00000000,?,00000000,00420160), ref: 004200DE
                                • VerQueryValueW.VERSION(?,00420174,?,?,00000000,?,00000000,?,00000000,00420143,?,00000000,?,00000000,00420160), ref: 004200F8
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp Download File
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp Download File
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp Download File
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp Download File
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID: FileInfoVersion$QuerySizeValue
                                • String ID:
                                • API String ID: 2179348866-0
                                • Opcode ID: d183af1ef0636e6162bc8df42a0a4f5a0591cd6bdf26b12374301618c02b16f2
                                • Instruction ID: 7a7f4719427165232ba07bab02eb7f8b2be03f671c4adb6f55d937d41512f1e4
                                • Opcode Fuzzy Hash: d183af1ef0636e6162bc8df42a0a4f5a0591cd6bdf26b12374301618c02b16f2
                                • Instruction Fuzzy Hash: 69312171A042199FDB01DFA9D9419BFB7F8EB48300B9144BAF404E3292DB79DD10D765
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 72%
                                			E0040B484(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
                                				intOrPtr _v8;
                                				signed int _v12;
                                				char _v16;
                                				char _v20;
                                				char _v24;
                                				char _v28;
                                				signed int _t41;
                                				signed short _t43;
                                				signed short _t46;
                                				signed int _t60;
                                				intOrPtr _t68;
                                				void* _t79;
                                				signed int* _t81;
                                				intOrPtr _t84;
                                
                                				_t79 = __edi;
                                				_t61 = __ecx;
                                				_push(0);
                                				_push(0);
                                				_push(0);
                                				_push(0);
                                				_push(0);
                                				_push(0);
                                				_push(__ebx);
                                				_push(__esi);
                                				_t81 = __ecx;
                                				_v12 = __edx;
                                				_v8 = __eax;
                                				E00407AD8(_v8);
                                				E00407AD8(_v12);
                                				_push(_t84);
                                				_push(0x40b59b);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t84;
                                				E004079F4(__ecx);
                                				if(_v12 == 0) {
                                					L14:
                                					_pop(_t68);
                                					 *[fs:eax] = _t68;
                                					_push(E0040B5A2);
                                					return E00407A54( &_v28, 6);
                                				}
                                				E00407E1C( &_v20, _v12);
                                				_t41 = _v12;
                                				if(_t41 != 0) {
                                					_t41 =  *(_t41 - 4);
                                				}
                                				_t60 = _t41;
                                				if(_t60 < 1) {
                                					L7:
                                					_t43 = E0040B1A8(_v8, _t60, _t61,  &_v16, _t81); // executed
                                					if(_v16 == 0) {
                                						L00403730();
                                						E0040AB58(_t43, _t60,  &_v24, _t79, _t81);
                                						_t46 = E0040B2D4(_v20, _t60, _t81, _v24, _t79, _t81); // executed
                                						__eflags =  *_t81;
                                						if( *_t81 == 0) {
                                							__eflags =  *0x4afc0c;
                                							if( *0x4afc0c == 0) {
                                								L00403738();
                                								E0040AB58(_t46, _t60,  &_v28, _t79, _t81);
                                								E0040B2D4(_v20, _t60, _t81, _v28, _t79, _t81);
                                							}
                                						}
                                						__eflags =  *_t81;
                                						if(__eflags == 0) {
                                							E0040B3B8(_v20, _t60, _t81, __eflags); // executed
                                						}
                                					} else {
                                						E0040B2D4(_v20, _t60, _t81, _v16, _t79, _t81);
                                					}
                                					goto L14;
                                				}
                                				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
                                					_t60 = _t60 - 1;
                                					__eflags = _t60;
                                					if(_t60 != 0) {
                                						continue;
                                					}
                                					goto L7;
                                				}
                                				_t61 = _t60;
                                				E0040888C(_v12, _t60, 1,  &_v20);
                                				goto L7;
                                			}

                                APIs
                                • GetUserDefaultUILanguage.KERNEL32(00000000,0040B59B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B622,00000000,?,00000105), ref: 0040B52F
                                • GetSystemDefaultUILanguage.KERNEL32(00000000,0040B59B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B622,00000000,?,00000105), ref: 0040B557
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: DefaultLanguage$SystemUser
                                • String ID:
                                • API String ID: 384301227-0
                                • Opcode ID: a5df62239bc9b8b5aa42d2ad25163fdcfd826da8443722874e4a27fbb09cfcac
                                • Instruction ID: 18846fc7009ae5a4e71a55a4188c0930fdf68c345da51b172561767d210bf349
                                • Opcode Fuzzy Hash: a5df62239bc9b8b5aa42d2ad25163fdcfd826da8443722874e4a27fbb09cfcac
                                • Instruction Fuzzy Hash: A5310170A10249ABDB10EF95C881AAEB7B5EF44308F5044BBE800B33D1D778AE458B9D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E0040B5A8(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                				char _v8;
                                				short _v530;
                                				char _v536;
                                				char _v540;
                                				void* _t44;
                                				intOrPtr _t45;
                                				void* _t49;
                                				void* _t52;
                                
                                				_v536 = 0;
                                				_v540 = 0;
                                				_v8 = 0;
                                				_t49 = __eax;
                                				_push(_t52);
                                				_push(0x40b662);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t52 + 0xfffffde8;
                                				GetModuleFileNameW(0,  &_v530, 0x105);
                                				E00408530( &_v536, _t49);
                                				_push(_v536);
                                				E0040856C( &_v540, 0x105,  &_v530);
                                				_pop(_t44); // executed
                                				E0040B484(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
                                				if(_v8 != 0) {
                                					LoadLibraryExW(E004084C8(_v8), 0, 2);
                                				}
                                				_pop(_t45);
                                				 *[fs:eax] = _t45;
                                				_push(E0040B669);
                                				E00407A54( &_v540, 2);
                                				return E004079F4( &_v8);
                                			}

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B662,?,?,00000000), ref: 0040B5E4
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B662,?,?,00000000), ref: 0040B635
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: FileLibraryLoadModuleName
                                • String ID:
                                • API String ID: 1159719554-0
                                • Opcode ID: 71a3d84090ee24f64dbd202d4203489a3ae5a06853d229489dca3004faea58dc
                                • Instruction ID: b80f15a0147bad070475b0dcf22c8b753a80f6822e4b0def75fc5cb61c98f3c2
                                • Opcode Fuzzy Hash: 71a3d84090ee24f64dbd202d4203489a3ae5a06853d229489dca3004faea58dc
                                • Instruction Fuzzy Hash: AC118270A4421CABDB14EB60CD86BDE77B8DB04704F5144BAF408B32D1DB785F848A99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 60%
                                			E00427040(void* __eax, void* __edx, void* __eflags) {
                                				int _v8;
                                				char _v16;
                                				long _v20;
                                				int _t13;
                                				intOrPtr _t27;
                                				void* _t32;
                                				void* _t34;
                                				intOrPtr _t35;
                                
                                				_t32 = _t34;
                                				_t35 = _t34 + 0xfffffff0;
                                				if(E00426FF4(__eax,  &_v16) != 0) {
                                					_push(_t32);
                                					_push(0x42709d);
                                					_push( *[fs:eax]);
                                					 *[fs:eax] = _t35;
                                					_t13 = DeleteFileW(E004084C8(__edx)); // executed
                                					_v8 = _t13;
                                					_v20 = GetLastError();
                                					_pop(_t27);
                                					 *[fs:eax] = _t27;
                                					_push(E004270A4);
                                					return E00427030( &_v16);
                                				} else {
                                					_v8 = 0;
                                					return _v8;
                                				}
                                			}












                                APIs
                                • DeleteFileW.KERNEL32(00000000,00000000,0042709D,?,0000000D,00000000), ref: 00427077
                                • GetLastError.KERNEL32(00000000,00000000,0042709D,?,0000000D,00000000), ref: 0042707F
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: DeleteErrorFileLast
                                • String ID:
                                • API String ID: 2018770650-0
                                • Opcode ID: a0fbf55be5ffcd09f305ae54ec4c1657f6674b1495f27545fe34e85a0120edfe
                                • Instruction ID: 9cbfc24df38639fe3e45efe1b64bd3214acbd9b2112ca2de374008e0d0b065ce
                                • Opcode Fuzzy Hash: a0fbf55be5ffcd09f305ae54ec4c1657f6674b1495f27545fe34e85a0120edfe
                                • Instruction Fuzzy Hash: 54F0C831B08318ABDB00DB7AAC4189DB7E8DB49714B9149BBF814E3241EA785D144698
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 37%
                                			E00421124(void* __eax, void* __ebx, int __edx) {
                                				struct HINSTANCE__* _v12;
                                				int _v16;
                                				int _t4;
                                				struct HINSTANCE__* _t9;
                                				void* _t12;
                                				intOrPtr _t16;
                                				void* _t18;
                                				void* _t19;
                                				intOrPtr _t20;
                                
                                				_t18 = _t19;
                                				_t20 = _t19 + 0xfffffff4;
                                				_t12 = __eax;
                                				_t4 = SetErrorMode(__edx); // executed
                                				_v16 = _t4;
                                				_push(_t18);
                                				_push(0x421196);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t20;
                                				asm("fnstcw word [ebp-0x2]");
                                				_push(_t18);
                                				_push(0x421178);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t20;
                                				_t9 = LoadLibraryW(E004084C8(_t12)); // executed
                                				_v12 = _t9;
                                				_pop(_t16);
                                				 *[fs:eax] = _t16;
                                				_push(0x42117f);
                                				asm("fclex");
                                				asm("fldcw word [ebp-0x2]");
                                				return 0;
                                			}













                                APIs
                                • SetErrorMode.KERNEL32 ref: 0042112E
                                • LoadLibraryW.KERNEL32(00000000,00000000,00421178,?,00000000,00421196), ref: 0042115D
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: ErrorLibraryLoadMode
                                • String ID:
                                • API String ID: 2987862817-0
                                • Opcode ID: 58c8085b5dd36ac0ba48c9e98c217b3e8311cd8d6350e3969bf77500e8c19a68
                                • Instruction ID: 6692b858657e05fdd79fffc9be95ae21615ec1a40954b736760fd61b652abef3
                                • Opcode Fuzzy Hash: 58c8085b5dd36ac0ba48c9e98c217b3e8311cd8d6350e3969bf77500e8c19a68
                                • Instruction Fuzzy Hash: 05F08270A14744BEDB125F769C5283BBAACE71DB047924CB6F910A26D1E63D4820C568
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E004052D4() {
                                				intOrPtr _t13;
                                				intOrPtr* _t14;
                                				int _t18;
                                				intOrPtr* _t23;
                                				void* _t25;
                                				void* _t26;
                                				void* _t28;
                                				void* _t31;
                                
                                				_t28 =  *0x004ADADC;
                                				while(_t28 != 0x4adad8) {
                                					_t2 = _t28 + 4; // 0x4adad8
                                					VirtualFree(_t28, 0, 0x8000); // executed
                                					_t28 =  *_t2;
                                				}
                                				_t25 = 0x37;
                                				_t13 = 0x4a9080;
                                				do {
                                					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
                                					 *((intOrPtr*)(_t13 + 8)) = _t13;
                                					 *((intOrPtr*)(_t13 + 0x10)) = 1;
                                					 *((intOrPtr*)(_t13 + 0x14)) = 0;
                                					_t13 = _t13 + 0x20;
                                					_t25 = _t25 - 1;
                                				} while (_t25 != 0);
                                				 *0x4adad8 = 0x4adad8;
                                				 *0x004ADADC = 0x4adad8;
                                				_t26 = 0x400;
                                				_t23 = 0x4adb78;
                                				do {
                                					_t14 = _t23;
                                					 *_t14 = _t14;
                                					_t8 = _t14 + 4; // 0x4adb78
                                					 *_t8 = _t14;
                                					_t23 = _t23 + 8;
                                					_t26 = _t26 - 1;
                                				} while (_t26 != 0);
                                				 *0x4adaf4 = 0;
                                				E00405864(0x4adaf8, 0x80);
                                				_t18 = 0;
                                				 *0x4adaf0 = 0;
                                				_t31 =  *0x004AFB80;
                                				while(_t31 != 0x4afb7c) {
                                					_t10 = _t31 + 4; // 0x4afb7c
                                					_t18 = VirtualFree(_t31, 0, 0x8000);
                                					_t31 =  *_t10;
                                				}
                                				 *0x4afb7c = 0x4afb7c;
                                				 *0x004AFB80 = 0x4afb7c;
                                				return _t18;
                                			}












                                APIs
                                • VirtualFree.KERNEL32(004ADAD8,00000000,00008000,?,?,?,?,004053D4,0040CEB2,00000000,0040CED0), ref: 004052F2
                                • VirtualFree.KERNEL32(004AFB7C,00000000,00008000,004ADAD8,00000000,00008000,?,?,?,?,004053D4,0040CEB2,00000000,0040CED0), ref: 0040536E
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: FreeVirtual
                                • String ID:
                                • API String ID: 1263568516-0
                                • Opcode ID: aca56245cc52c82a7b3f341d1c8cf7e92a798c0e1fefa8615c437f19d7d6098e
                                • Instruction ID: f25e8dfbfec68b3d20904660ccd9f243b5161469b6c6478f3192385b195fbe5f
                                • Opcode Fuzzy Hash: aca56245cc52c82a7b3f341d1c8cf7e92a798c0e1fefa8615c437f19d7d6098e
                                • Instruction Fuzzy Hash: BE1160B1A056008BC7689F199840B17BBE4EB89754F15C0BFE54AEB791D778AC01CF9C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E004231E0(long __eax, void* __edx) {
                                				short _v2052;
                                				signed int _t7;
                                				void* _t10;
                                				signed int _t16;
                                				void* _t17;
                                
                                				_t10 = __edx;
                                				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
                                				while(_t7 > 0) {
                                					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
                                					if(_t16 <= 0x20) {
                                						L1:
                                						_t7 = _t7 - 1;
                                						__eflags = _t7;
                                						continue;
                                					} else {
                                						_t20 = _t16 - 0x2e;
                                						if(_t16 == 0x2e) {
                                							goto L1;
                                						}
                                					}
                                					break;
                                				}
                                				return E00407B7C(_t10, _t7, _t17, _t20);
                                			}









                                APIs
                                • FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,00423B12,00000000,00423B63,?,00423D1C), ref: 004231FF
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: FormatMessage
                                • String ID:
                                • API String ID: 1306739567-0
                                • Opcode ID: 8a8ded29896a6a3d6e4ee71bfed8fc8627356091e34a13b4e2479e8e8f3ea2c7
                                • Instruction ID: 3693045bc5da979ae713bd01a88bcb338427aee45f74c8d87c3cec6a1377aca4
                                • Opcode Fuzzy Hash: 8a8ded29896a6a3d6e4ee71bfed8fc8627356091e34a13b4e2479e8e8f3ea2c7
                                • Instruction Fuzzy Hash: 6CE0D86079833162E32416495C03B77241AD7D0B02FE4443AB6509E3D6D6BDA959917E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 31%
                                			E0042290C(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
                                				char _v8;
                                				intOrPtr _t21;
                                				intOrPtr _t24;
                                
                                				_push(0);
                                				_push(_t24);
                                				_push(0x422952);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t24;
                                				E004228A0(__eax, __ecx,  &_v8, __eflags);
                                				GetFileAttributesW(E004084C8(_v8)); // executed
                                				_pop(_t21);
                                				 *[fs:eax] = _t21;
                                				_push(E00422959);
                                				return E004079F4( &_v8);
                                			}







                                APIs
                                • GetFileAttributesW.KERNEL32(00000000,00000000,00422952,?,?,00000000,?,00422965,00422CD6,00000000,00422D1B,?,?,00000000,00000000), ref: 00422935
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                • Opcode ID: 9695cc5852d01956a8356376f89e56037d2dc4f0e8c31fee9d54d063763669a7
                                • Instruction ID: adf724cbc0e9ec99664fb7122883241a88969a7a5422e81553629d77d99d79d0
                                • Opcode Fuzzy Hash: 9695cc5852d01956a8356376f89e56037d2dc4f0e8c31fee9d54d063763669a7
                                • Instruction Fuzzy Hash: B1E09271704304BFE711EA72DD52A1AB7ACE788704FE1487AF500E3681EABCAE149558
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0040A31C(void* __eax) {
                                				short _v532;
                                				void* __ebx;
                                				void* __esi;
                                				intOrPtr _t14;
                                				void* _t16;
                                				void* _t18;
                                				void* _t19;
                                				intOrPtr _t20;
                                				void* _t21;
                                
                                				_t16 = __eax;
                                				_t22 =  *((intOrPtr*)(__eax + 0x10));
                                				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
                                					_t14 = E0040B5A8(_t21, _t16, _t18, _t19, _t22); // executed
                                					_t20 = _t14;
                                					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
                                					if(_t20 == 0) {
                                						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
                                					}
                                				}
                                				return  *((intOrPtr*)(_t16 + 0x10));
                                			}













                                APIs
                                • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 0040A33A
                                  • Part of subcall function 0040B5A8: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B662,?,?,00000000), ref: 0040B5E4
                                  • Part of subcall function 0040B5A8: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B662,?,?,00000000), ref: 0040B635
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: FileModuleName$LibraryLoad
                                • String ID:
                                • API String ID: 4113206344-0
                                • Opcode ID: 7766ab1267648783c04a200b04eef592fad2a77fbeaae978ffe5e046441881e1
                                • Instruction ID: 6edb2253a7495ed0a954c92edacff3916eacbd1be06b1290003ff9fd73c136a7
                                • Opcode Fuzzy Hash: 7766ab1267648783c04a200b04eef592fad2a77fbeaae978ffe5e046441881e1
                                • Instruction Fuzzy Hash: 87E0ED71A013109FCB10DE6CC8C5A5B77D8AB08758F0449A6AD68EF386D375DD2487D5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00423C9C(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
                                				void* _t17;
                                
                                				_t17 = CreateFileW(E004084C8(__edx),  *(0x4ab2e0 + (_a8 & 0x000000ff) * 4),  *(0x4ab2ec + (_a4 & 0x000000ff) * 4), 0,  *(0x4ab2fc + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
                                				return _t17;
                                			}





                                APIs
                                • CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00423CD9
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                • API String ID: 823142352-0
                                • Opcode ID: cd066e086ef1ed4415b0417d4103bee30a162689a27a68c38112519e4c91ff9d
                                • Instruction ID: 1c9d4f23c8aa800b19e68a1bac3b745927229ba282ea9ea95d81522d104b03bb
                                • Opcode Fuzzy Hash: cd066e086ef1ed4415b0417d4103bee30a162689a27a68c38112519e4c91ff9d
                                • Instruction Fuzzy Hash: 77E012622442282AD240969E7C51F667F9CD75A755F404063F984D72C2C5659A1086E8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00423DCC(intOrPtr* __eax) {
                                				int _t4;
                                				intOrPtr* _t7;
                                
                                				_t7 = __eax;
                                				_t4 = SetEndOfFile( *(__eax + 4)); // executed
                                				if(_t4 == 0) {
                                					return E00423BA0( *_t7);
                                				}
                                				return _t4;
                                			}






                                APIs
                                • SetEndOfFile.KERNEL32(?,7FC40010,004A833A,00000000), ref: 00423DD3
                                  • Part of subcall function 00423BA0: GetLastError.KERNEL32(004236F0,00423C43,?,?,00000000,?,004A7F5A,00000001,00000000,00000002,00000000,004A857E,?,00000000,004A85C2), ref: 00423BA3
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: ErrorFileLast
                                • String ID:
                                • API String ID: 734332943-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0040CDE0() {
                                				intOrPtr _v16;
                                				struct _SYSTEM_INFO* _t3;
                                
                                				GetSystemInfo(_t3); // executed
                                				return _v16;
                                			}






                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: InfoSystem
                                • String ID:
                                • API String ID: 31276548-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00403BCC(signed int __eax) {
                                				void* _t4;
                                				intOrPtr _t7;
                                				signed int _t8;
                                				void** _t10;
                                				void* _t12;
                                				void* _t14;
                                
                                				_t8 = __eax;
                                				E00403B60(__eax);
                                				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
                                				if(_t4 == 0) {
                                					 *0x4adaf0 = 0;
                                					return 0;
                                				} else {
                                					_t10 =  *0x4adadc; // 0x4adad8
                                					_t14 = _t4;
                                					 *_t14 = 0x4adad8;
                                					 *0x4adadc = _t4;
                                					 *(_t14 + 4) = _t10;
                                					 *_t10 = _t4;
                                					_t12 = _t14 + 0x13fff0;
                                					 *((intOrPtr*)(_t12 - 4)) = 2;
                                					 *0x4adaf0 = 0x13ffe0 - _t8;
                                					_t7 = _t12 - _t8;
                                					 *0x4adaec = _t7;
                                					 *(_t7 - 4) = _t8 | 0x00000002;
                                					return _t7;
                                				}
                                			}










                                APIs
                                • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,004041E3,000000FF,00404788,00000000,0040BF5B,00000000,0040C469,00000000,0040C72B,00000000), ref: 00403BE3
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 96%
                                			E00403CF6(void* __eax) {
                                				struct _MEMORY_BASIC_INFORMATION _v44;
                                				void* _v48;
                                				void* _t13;
                                				int _t20;
                                				void* _t22;
                                				signed int _t26;
                                				signed int _t29;
                                				signed int _t30;
                                				void* _t34;
                                				intOrPtr _t35;
                                				signed int _t39;
                                				void* _t41;
                                				void* _t42;
                                
                                				_push(_t29);
                                				_t42 = _t41 + 0xffffffdc;
                                				_t34 = __eax - 0x10;
                                				E00403C48();
                                				_t13 = _t34;
                                				 *_t42 =  *_t13;
                                				_v48 =  *((intOrPtr*)(_t13 + 4));
                                				_t26 =  *(_t13 + 0xc);
                                				if((_t26 & 0x00000008) != 0) {
                                					_t22 = _t34;
                                					_t39 = _t26 & 0xfffffff0;
                                					_t30 = 0;
                                					while(1) {
                                						VirtualQuery(_t22,  &_v44, 0x1c);
                                						if(VirtualFree(_t22, 0, 0x8000) == 0) {
                                							break;
                                						}
                                						_t35 = _v44.RegionSize;
                                						if(_t39 > _t35) {
                                							_t39 = _t39 - _t35;
                                							_t22 = _t22 + _t35;
                                							continue;
                                						}
                                						goto L10;
                                					}
                                					_t30 = _t30 | 0xffffffff;
                                				} else {
                                					_t20 = VirtualFree(_t34, 0, 0x8000); // executed
                                					if(_t20 == 0) {
                                						_t30 = _t29 | 0xffffffff;
                                					} else {
                                						_t30 = 0;
                                					}
                                				}
                                				L10:
                                				if(_t30 == 0) {
                                					 *_v48 =  *_t42;
                                					 *( *_t42 + 4) = _v48;
                                				}
                                				 *0x4afb78 = 0;
                                				return _t30;
                                			}

















                                APIs
                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403D27
                                • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00403D4A
                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00403D57
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Virtual$Free$Query
                                • String ID:
                                • API String ID: 778034434-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                C-Code - Quality: 78%
                                			E0040AC9C(short* __eax, intOrPtr __edx) {
                                				short* _v8;
                                				intOrPtr _v12;
                                				intOrPtr _v16;
                                				void* _v20;
                                				struct _WIN32_FIND_DATAW _v612;
                                				short _v1134;
                                				signed int _t50;
                                				signed int _t51;
                                				void* _t55;
                                				signed int _t88;
                                				signed int _t89;
                                				intOrPtr* _t90;
                                				signed int _t101;
                                				signed int _t102;
                                				short* _t112;
                                				struct HINSTANCE__* _t113;
                                				short* _t115;
                                				short* _t116;
                                				void* _t117;
                                
                                				_v12 = __edx;
                                				_v8 = __eax;
                                				_v16 = _v8;
                                				_t113 = GetModuleHandleW(L"kernel32.dll");
                                				if(_t113 == 0) {
                                					L4:
                                					if( *_v8 != 0x5c) {
                                						_t115 = _v8 + 4;
                                						goto L10;
                                					} else {
                                						if( *((short*)(_v8 + 2)) == 0x5c) {
                                							_t116 = E0040AC78(_v8 + 4);
                                							if( *_t116 != 0) {
                                								_t14 = _t116 + 2; // 0x2
                                								_t115 = E0040AC78(_t14);
                                								if( *_t115 != 0) {
                                									L10:
                                									_t88 = _t115 - _v8;
                                									_t89 = _t88 >> 1;
                                									if(_t88 < 0) {
                                										asm("adc ebx, 0x0");
                                									}
                                									_t43 = _t89 + 1;
                                									if(_t89 + 1 <= 0x105) {
                                										E0040A6C0( &_v1134, _v8, _t43);
                                										while( *_t115 != 0) {
                                											_t112 = E0040AC78(_t115 + 2);
                                											_t50 = _t112 - _t115;
                                											_t51 = _t50 >> 1;
                                											if(_t50 < 0) {
                                												asm("adc eax, 0x0");
                                											}
                                											if(_t51 + _t89 + 1 <= 0x105) {
                                												_t55 =  &_v1134 + _t89 + _t89;
                                												_t101 = _t112 - _t115;
                                												_t102 = _t101 >> 1;
                                												if(_t101 < 0) {
                                													asm("adc edx, 0x0");
                                												}
                                												E0040A6C0(_t55, _t115, _t102 + 1);
                                												_v20 = FindFirstFileW( &_v1134,  &_v612);
                                												if(_v20 != 0xffffffff) {
                                													FindClose(_v20);
                                													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
                                														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
                                														E0040A6C0( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
                                														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
                                														_t115 = _t112;
                                														continue;
                                													}
                                												}
                                											}
                                											goto L24;
                                										}
                                										E0040A6C0(_v8,  &_v1134, _v12);
                                									}
                                								}
                                							}
                                						}
                                					}
                                				} else {
                                					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
                                					if(_t90 == 0) {
                                						goto L4;
                                					} else {
                                						_push(0x105);
                                						_push( &_v1134);
                                						_push(_v8);
                                						if( *_t90() == 0) {
                                							goto L4;
                                						} else {
                                							E0040A6C0(_v8,  &_v1134, _v12);
                                						}
                                					}
                                				}
                                				L24:
                                				return _v16;
                                			}























                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,004163D0,?,?), ref: 0040ACB9
                                • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040ACCA
                                • FindFirstFileW.KERNEL32(?,?,kernel32.dll,004163D0,?,?), ref: 0040ADCA
                                • FindClose.KERNEL32(?,?,?,kernel32.dll,004163D0,?,?), ref: 0040ADDC
                                • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,004163D0,?,?), ref: 0040ADE8
                                • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,004163D0,?,?), ref: 0040AE2D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                • String ID: GetLongPathNameW$\$kernel32.dll
                                • API String ID: 1930782624-3908791685
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 91%
                                			E004A0E24() {
                                				int _v4;
                                				struct _TOKEN_PRIVILEGES _v16;
                                				void* _v20;
                                				int _t7;
                                
                                				if(E0042004C() != 2) {
                                					L5:
                                					_t7 = ExitWindowsEx(2, 0);
                                					asm("sbb eax, eax");
                                					return _t7 + 1;
                                				}
                                				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
                                					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
                                					_v16.PrivilegeCount = 1;
                                					_v4 = 2;
                                					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
                                					if(GetLastError() == 0) {
                                						goto L5;
                                					}
                                					return 0;
                                				}
                                				return 0;
                                			}








                                APIs
                                • GetCurrentProcess.KERNEL32(00000028), ref: 004A0E34
                                • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004A0E3A
                                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004A0E53
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004A0E7A
                                • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004A0E7F
                                • ExitWindowsEx.USER32(00000002,00000000), ref: 004A0E90
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                • String ID: SeShutdownPrivilege
                                • API String ID: 107509674-3733053543
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E004A16FC() {
                                				struct HRSRC__* _t10;
                                				void* _t11;
                                				void* _t12;
                                
                                				_t10 = FindResourceW(0, 0x2b67, 0xa);
                                				if(_t10 == 0) {
                                					E004A1540();
                                				}
                                				if(SizeofResource(0, _t10) != 0x2c) {
                                					E004A1540();
                                				}
                                				_t11 = LoadResource(0, _t10);
                                				if(_t11 == 0) {
                                					E004A1540();
                                				}
                                				_t12 = LockResource(_t11);
                                				if(_t12 == 0) {
                                					E004A1540();
                                				}
                                				return _t12;
                                			}







                                APIs
                                • FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,004A7F72,00000000,004A852A,?,00000001,00000000,00000002,00000000,004A857E,?,00000000,004A85C2), ref: 004A1706
                                • SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,004A7F72,00000000,004A852A,?,00000001,00000000,00000002,00000000,004A857E), ref: 004A1719
                                • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004A7F72,00000000,004A852A,?,00000001,00000000,00000002,00000000), ref: 004A172B
                                • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004A7F72,00000000,004A852A,?,00000001,00000000,00000002), ref: 004A173C
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID:
                                • API String ID: 3473537107-0
                                • Opcode ID: db97dcaccf30bcc2ff1e20111cb9a4ba98662f41b5ef7e16e3dff7197ef8348a
                                • Instruction ID: 219864270c1a009fa62e91fa71397a70ad0a8363b8227f6ca92817df5c994406
                                • Opcode Fuzzy Hash: db97dcaccf30bcc2ff1e20111cb9a4ba98662f41b5ef7e16e3dff7197ef8348a
                                • Instruction Fuzzy Hash: 5AE07E98B4532625F66536FB18C7B6A00894B7678DF50183BF6016A2E2EDADCC14022E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 71%
                                			E0040A840(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                				intOrPtr* _v8;
                                				intOrPtr _v12;
                                				short _v182;
                                				short _v352;
                                				char _v356;
                                				char _v360;
                                				char _v364;
                                				int _t58;
                                				signed int _t61;
                                				intOrPtr _t70;
                                				signed short _t80;
                                				void* _t83;
                                				void* _t85;
                                				void* _t86;
                                
                                				_t77 = __edi;
                                				_push(__edi);
                                				_v356 = 0;
                                				_v360 = 0;
                                				_v364 = 0;
                                				_v8 = __edx;
                                				_t80 = __eax;
                                				_push(_t83);
                                				_push(0x40a9a5);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t83 + 0xfffffe98;
                                				E004079F4(_v8);
                                				_t85 = _t80 -  *0x4a9a08; // 0x404
                                				if(_t85 >= 0) {
                                					_t86 = _t80 -  *0x4a9c08; // 0x7c68
                                					if(_t86 <= 0) {
                                						_t77 = 0x40;
                                						_v12 = 0;
                                						if(0x40 >= _v12) {
                                							do {
                                								_t61 = _t77 + _v12 >> 1;
                                								if(_t80 >=  *((intOrPtr*)(0x4a9a08 + _t61 * 8))) {
                                									__eflags = _t80 -  *((intOrPtr*)(0x4a9a08 + _t61 * 8));
                                									if(__eflags <= 0) {
                                										E0040A760( *((intOrPtr*)(0x4a9a0c + _t61 * 8)), _t61, _v8, _t77, _t80, __eflags);
                                									} else {
                                										_v12 = _t61 + 1;
                                										goto L8;
                                									}
                                								} else {
                                									_t77 = _t61 - 1;
                                									goto L8;
                                								}
                                								goto L9;
                                								L8:
                                							} while (_t77 >= _v12);
                                						}
                                					}
                                				}
                                				L9:
                                				if( *_v8 == 0 && IsValidLocale(_t80 & 0x0000ffff, 2) != 0) {
                                					_t58 = _t80 & 0x0000ffff;
                                					GetLocaleInfoW(_t58, 0x59,  &_v182, 0x55);
                                					GetLocaleInfoW(_t58, 0x5a,  &_v352, 0x55);
                                					E0040856C( &_v356, 0x55,  &_v182);
                                					_push(_v356);
                                					_push(0x40a9c0);
                                					E0040856C( &_v360, 0x55,  &_v352);
                                					_push(_v360);
                                					_push(E0040A9D0);
                                					E0040856C( &_v364, 0x55,  &_v182);
                                					_push(_v364);
                                					E004087A4(_v8, _t58, 5, _t77, _t80);
                                				}
                                				_pop(_t70);
                                				 *[fs:eax] = _t70;
                                				_push(E0040A9AC);
                                				return E00407A54( &_v364, 3);
                                			}


















                                APIs
                                • IsValidLocale.KERNEL32(?,00000002,00000000,0040A9A5,?,004163D0,?,00000000), ref: 0040A8EA
                                • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040A9A5,?,004163D0,?,00000000), ref: 0040A906
                                • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040A9A5,?,004163D0,?,00000000), ref: 0040A917
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Locale$Info$Valid
                                • String ID:
                                • API String ID: 1826331170-0
                                • Opcode ID: 64b235b34ad3b405be668a38bbcf0c4c9e16d70e7dca781f39a661cc6ac02bf3
                                • Instruction ID: a21452d7453331bea184a1c788462f810345500a03990f2c05a1053d145e59cd
                                • Opcode Fuzzy Hash: 64b235b34ad3b405be668a38bbcf0c4c9e16d70e7dca781f39a661cc6ac02bf3
                                • Instruction Fuzzy Hash: 53319EB1A00708AAEB20EB55CC81BEF7BB9EB45701F1044BBA104B72D0D7395E91DF1A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 60827183b21fcff9544719bb1294584fe0cffbe84d5a2fc6bc9a9a30a0dba228
                                • Instruction ID: 380fa9052ca8fcb9cdb998c29be2926f46fc3ad45563d38506fe8563f038a371
                                • Opcode Fuzzy Hash: 60827183b21fcff9544719bb1294584fe0cffbe84d5a2fc6bc9a9a30a0dba228
                                • Instruction Fuzzy Hash: FB028B2058E7D29FC7178B7848685957FB0AE5722531F86EBC4C1CF8A3C25D8C4AC76A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0041A5FC(WCHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                                				long _v8;
                                				long _v12;
                                				long _v16;
                                				long _v20;
                                				intOrPtr _v24;
                                				signed int _v28;
                                				WCHAR* _t25;
                                				int _t26;
                                				intOrPtr _t31;
                                				intOrPtr _t34;
                                				intOrPtr* _t37;
                                				intOrPtr* _t38;
                                				intOrPtr _t46;
                                				intOrPtr _t48;
                                
                                				_t25 = _a4;
                                				if(_t25 == 0) {
                                					_t25 = 0;
                                				}
                                				_t26 = GetDiskFreeSpaceW(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
                                				_v28 = _v8 * _v12;
                                				_v24 = 0;
                                				_t46 = _v24;
                                				_t31 = E004098FC(_v28, _t46, _v16, 0);
                                				_t37 = _a8;
                                				 *_t37 = _t31;
                                				 *((intOrPtr*)(_t37 + 4)) = _t46;
                                				_t48 = _v24;
                                				_t34 = E004098FC(_v28, _t48, _v20, 0);
                                				_t38 = _a12;
                                				 *_t38 = _t34;
                                				 *((intOrPtr*)(_t38 + 4)) = _t48;
                                				return _t26;
                                			}


















                                APIs
                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 0041A61D
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: DiskFreeSpace
                                • String ID:
                                • API String ID: 1705453755-0
                                • Opcode ID: 1f81ffd3f8b7f43dd4d40be7e4fa3e48113c3a6555be2f83e13846e6c896b012
                                • Instruction ID: 1ffc0297bdb4ea11008dc3bcb63dba6813c0f317fc4836b7b6f34cb81ab2f15a
                                • Opcode Fuzzy Hash: 1f81ffd3f8b7f43dd4d40be7e4fa3e48113c3a6555be2f83e13846e6c896b012
                                • Instruction Fuzzy Hash: 4B110CB5E00209AFDB00DF99C8819AFB7F9EFC8304B14C56AA508E7255E6319E018BA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0041E154(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
                                				short _v516;
                                				void* __ebp;
                                				int _t5;
                                				intOrPtr _t10;
                                				void* _t18;
                                
                                				_t18 = __ecx;
                                				_t10 = _a4;
                                				_t5 = GetLocaleInfoW(__eax, __edx,  &_v516, 0x100);
                                				_t19 = _t5;
                                				if(_t5 <= 0) {
                                					return E00407DD4(_t10, _t18);
                                				}
                                				return E00407B7C(_t10, _t5 - 1,  &_v516, _t19);
                                			}









                                APIs
                                • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E172
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: InfoLocale
                                • String ID:
                                • API String ID: 2299586839-0
                                • Opcode ID: 5bf5163d29b24a355a04a9cb1ab5e8acb4fbe7aec7c46bd2ed380321052a2c0f
                                • Instruction ID: 7cf265298f8ae4c2c4586e2e1eef3c96f0d827603146793af8923f5675885b80
                                • Opcode Fuzzy Hash: 5bf5163d29b24a355a04a9cb1ab5e8acb4fbe7aec7c46bd2ed380321052a2c0f
                                • Instruction Fuzzy Hash: 73E09235B0421427E314A55A8C86EFA725C9B48340F40457FBE05D7382ED74AD4082E9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 79%
                                			E0041E1A0(int __eax, signed int __ecx, int __edx) {
                                				short _v16;
                                				signed int _t5;
                                				signed int _t10;
                                
                                				_push(__ecx);
                                				_t10 = __ecx;
                                				if(GetLocaleInfoW(__eax, __edx,  &_v16, 2) <= 0) {
                                					_t5 = _t10;
                                				} else {
                                					_t5 = _v16 & 0x0000ffff;
                                				}
                                				return _t5;
                                			}







                                APIs
                                • GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E2A2,?,00000001,00000000,0041E4B1), ref: 0041E1B3
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: InfoLocale
                                • String ID:
                                • API String ID: 2299586839-0
                                • Opcode ID: fee922ee2062e4f954838e83016fa542326be0982122cf920531508cb41c5899
                                • Instruction ID: c7815ca7096205c7b25e67d21c63a0a54a6ca7704bde0e99258243124e7cf7fc
                                • Opcode Fuzzy Hash: fee922ee2062e4f954838e83016fa542326be0982122cf920531508cb41c5899
                                • Instruction Fuzzy Hash: 8AD05EBA30922036E214915B6D45DBB56DCCBC97A2F144C3BBE48C7241D224CC46D275
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E004A0F2C(signed int __eax) {
                                				short _v8;
                                				signed int _t6;
                                
                                				_t6 = GetLocaleInfoW(__eax & 0x0000ffff, 0x20001004,  &_v8, 2);
                                				if(_t6 <= 0) {
                                					return _t6 | 0xffffffff;
                                				}
                                				return _v8;
                                			}






                                APIs
                                • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,004A102C), ref: 004A0F42
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: InfoLocale
                                • String ID:
                                • API String ID: 2299586839-0
                                • Opcode ID: 65f82c9d48de1e78857e15d8fc37dd5ff9a46ec7df48bdaef6ef40c5ef857af7
                                • Instruction ID: e6a3b15d53b72dad0b8c3db8dd51dd9127849da1c7777778698bf6275fda33ff
                                • Opcode Fuzzy Hash: 65f82c9d48de1e78857e15d8fc37dd5ff9a46ec7df48bdaef6ef40c5ef857af7
                                • Instruction Fuzzy Hash: 52D05EB1508208BEF60481AA9D82E7A72DC9709328F600A16FA18D62C1E6A6FE005268
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0041C4F8() {
                                				struct _SYSTEMTIME* _t2;
                                
                                				GetLocalTime(_t2);
                                				return _t2->wYear & 0x0000ffff;
                                			}





                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp Download File
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp Download File
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp Download File
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp Download File
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID: LocalTime
                                • String ID:
                                • API String ID: 481472006-0
                                • Opcode ID: 432e8ebe5e08171c98f20f808d41c161dd1ffcd0287293d7c08b14c61d049f45
                                • Instruction ID: 30d254df6966928add27f6c53b79b67b7018594c25d8f6651389e5cc9869a0f0
                                • Opcode Fuzzy Hash: 432e8ebe5e08171c98f20f808d41c161dd1ffcd0287293d7c08b14c61d049f45
                                • Instruction Fuzzy Hash: 90A0120040582001D140331A0C0313930405800624FC40F55BCF8502D5E92D013440D7
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E004254D0(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
                                				intOrPtr* _v8;
                                				intOrPtr _v12;
                                				intOrPtr _v16;
                                				intOrPtr _v20;
                                				signed int _v24;
                                				char _v25;
                                				signed int _v32;
                                				signed int _v36;
                                				signed int _v40;
                                				signed int _v44;
                                				signed int _v48;
                                				signed int _v52;
                                				signed int _v56;
                                				intOrPtr _v60;
                                				char _v64;
                                				char* _v68;
                                				void* _v72;
                                				char _v76;
                                				intOrPtr _v80;
                                				intOrPtr _v84;
                                				signed int _v88;
                                				char _v89;
                                				char _v96;
                                				signed int _v100;
                                				signed int _v104;
                                				short* _v108;
                                				signed int _v112;
                                				signed int _v116;
                                				intOrPtr _v120;
                                				intOrPtr _v124;
                                				intOrPtr _v128;
                                				intOrPtr _v132;
                                				char _v136;
                                				signed int _t370;
                                				void* _t375;
                                				signed int _t377;
                                				signed int _t381;
                                				signed int _t389;
                                				signed int _t395;
                                				signed int _t411;
                                				intOrPtr _t422;
                                				signed int _t426;
                                				signed int _t435;
                                				void* _t448;
                                				signed int _t458;
                                				char _t460;
                                				signed int _t474;
                                				char* _t503;
                                				signed int _t508;
                                				signed int _t616;
                                				signed int _t617;
                                				signed int _t618;
                                				signed int _t622;
                                
                                				_v16 = __ecx;
                                				_v12 = __edx;
                                				_v8 = __eax;
                                				_v20 =  *((intOrPtr*)(_v8 + 0x10));
                                				_v24 = 0;
                                				_v32 = (1 <<  *(_v8 + 8)) - 1;
                                				_v36 = (1 <<  *(_v8 + 4)) - 1;
                                				_v40 =  *_v8;
                                				_t617 =  *((intOrPtr*)(_v8 + 0x34));
                                				_t474 =  *(_v8 + 0x44);
                                				_v44 =  *((intOrPtr*)(_v8 + 0x38));
                                				_v48 =  *((intOrPtr*)(_v8 + 0x3c));
                                				_v52 =  *((intOrPtr*)(_v8 + 0x40));
                                				_v56 =  *((intOrPtr*)(_v8 + 0x48));
                                				_v60 =  *((intOrPtr*)(_v8 + 0x2c));
                                				_v64 =  *((intOrPtr*)(_v8 + 0x30));
                                				_v68 =  *((intOrPtr*)(_v8 + 0x1c));
                                				_v72 =  *((intOrPtr*)(_v8 + 0xc));
                                				_t616 =  *((intOrPtr*)(_v8 + 0x28));
                                				_v128 =  *((intOrPtr*)(_v8 + 0x20));
                                				_v124 =  *((intOrPtr*)(_v8 + 0x24));
                                				_v120 = _v12;
                                				_v136 =  *((intOrPtr*)(_v8 + 0x14));
                                				_v132 =  *((intOrPtr*)(_v8 + 0x18));
                                				 *_a4 = 0;
                                				if(_v56 == 0xffffffff) {
                                					return 0;
                                				}
                                				__eflags = _v72;
                                				if(_v72 == 0) {
                                					_v68 =  &_v76;
                                					_v72 = 1;
                                					_v76 =  *((intOrPtr*)(_v8 + 0x4c));
                                				}
                                				__eflags = _v56 - 0xfffffffe;
                                				if(_v56 != 0xfffffffe) {
                                					L12:
                                					_v108 = _v16 + _v24;
                                					while(1) {
                                						__eflags = _v56;
                                						if(_v56 == 0) {
                                							break;
                                						}
                                						__eflags = _v24 - _a8;
                                						if(_v24 < _a8) {
                                							_t458 = _t616 - _t617;
                                							__eflags = _t458 - _v72;
                                							if(_t458 >= _v72) {
                                								_t458 = _t458 + _v72;
                                								__eflags = _t458;
                                							}
                                							_t460 =  *((intOrPtr*)(_v68 + _t458));
                                							 *((char*)(_v68 + _t616)) = _t460;
                                							 *_v108 = _t460;
                                							_v24 = _v24 + 1;
                                							_v108 = _v108 + 1;
                                							_t616 = _t616 + 1;
                                							__eflags = _t616 - _v72;
                                							if(_t616 == _v72) {
                                								_t616 = 0;
                                								__eflags = 0;
                                							}
                                							_t116 =  &_v56;
                                							 *_t116 = _v56 - 1;
                                							__eflags =  *_t116;
                                							continue;
                                						}
                                						break;
                                					}
                                					__eflags = _t616;
                                					if(_t616 != 0) {
                                						_v25 =  *((intOrPtr*)(_v68 + _t616 - 1));
                                					} else {
                                						_v25 =  *((intOrPtr*)(_v68 + _v72 - 1));
                                					}
                                					__eflags = 0;
                                					_v116 = 0;
                                					_v112 = 0;
                                					while(1) {
                                						L24:
                                						_v108 = _v16 + _v24;
                                						__eflags = _v24 - _a8;
                                						if(_v24 >= _a8) {
                                							break;
                                						} else {
                                							goto L25;
                                						}
                                						while(1) {
                                							L25:
                                							_v88 = _v24 + _v60 & _v32;
                                							__eflags = _v116;
                                							if(_v116 != 0) {
                                								break;
                                							}
                                							__eflags = _v112;
                                							if(_v112 == 0) {
                                								_t370 = E00425228((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88,  &_v136);
                                								__eflags = _t370;
                                								if(_t370 != 0) {
                                									_t375 = E00425228(_t474 + _t474 + _v20 + 0x180,  &_v136);
                                									__eflags = _t375 != 1;
                                									if(_t375 != 1) {
                                										_v52 = _v48;
                                										_v48 = _v44;
                                										_v44 = _t617;
                                										__eflags = _t474 - 7;
                                										if(__eflags >= 0) {
                                											_t377 = 0xa;
                                										} else {
                                											_t377 = 7;
                                										}
                                										_t474 = _t377;
                                										_v56 = E004253D8(_v20 + 0x664, _v88,  &_v136, __eflags);
                                										_t503 =  &_v136;
                                										__eflags = _v56 - 4;
                                										if(_v56 >= 4) {
                                											_t381 = 3;
                                										} else {
                                											_t381 = _v56;
                                										}
                                										_v100 = E004252B0((_t381 << 6) + (_t381 << 6) + _v20 + 0x360, _t503, 6);
                                										__eflags = _v100 - 4;
                                										if(_v100 < 4) {
                                											_t618 = _v100;
                                										} else {
                                											_v104 = (_v100 >> 1) - 1;
                                											_t524 = _v104;
                                											_t622 = (_v100 & 0x00000001 | 0x00000002) << _v104;
                                											__eflags = _v100 - 0xe;
                                											if(_v100 >= 0xe) {
                                												_t395 = E004251C8( &_v136, _t524, _v104 + 0xfffffffc);
                                												_t618 = _t622 + (_t395 << 4) + E004252F4(_v20 + 0x644,  &_v136, 4);
                                											} else {
                                												_t618 = _t622 + E004252F4(_t622 + _t622 + _v20 + 0x560 - _v100 + _v100 + 0xfffffffe,  &_v136, _v104);
                                											}
                                										}
                                										_t617 = _t618 + 1;
                                										__eflags = _t617;
                                										if(_t617 != 0) {
                                											L82:
                                											_v56 = _v56 + 2;
                                											__eflags = _t617 - _v64;
                                											if(_t617 <= _v64) {
                                												__eflags = _v72 - _v64 - _v56;
                                												if(_v72 - _v64 <= _v56) {
                                													_v64 = _v72;
                                												} else {
                                													_v64 = _v64 + _v56;
                                												}
                                												while(1) {
                                													_t389 = _t616 - _t617;
                                													__eflags = _t389 - _v72;
                                													if(_t389 >= _v72) {
                                														_t389 = _t389 + _v72;
                                														__eflags = _t389;
                                													}
                                													_v25 =  *((intOrPtr*)(_v68 + _t389));
                                													 *((char*)(_v68 + _t616)) = _v25;
                                													_t616 = _t616 + 1;
                                													__eflags = _t616 - _v72;
                                													if(_t616 == _v72) {
                                														_t616 = 0;
                                														__eflags = 0;
                                													}
                                													_v56 = _v56 - 1;
                                													 *_v108 = _v25;
                                													_v24 = _v24 + 1;
                                													_v108 = _v108 + 1;
                                													__eflags = _v56;
                                													if(_v56 == 0) {
                                														break;
                                													}
                                													__eflags = _v24 - _a8;
                                													if(_v24 < _a8) {
                                														continue;
                                													}
                                													break;
                                												}
                                												L93:
                                												__eflags = _v24 - _a8;
                                												if(_v24 < _a8) {
                                													continue;
                                												}
                                												goto L94;
                                											}
                                											return 1;
                                										} else {
                                											_v56 = 0xffffffff;
                                											goto L94;
                                										}
                                									}
                                									_t411 = E00425228(_t474 + _t474 + _v20 + 0x198,  &_v136);
                                									__eflags = _t411;
                                									if(_t411 != 0) {
                                										__eflags = E00425228(_t474 + _t474 + _v20 + 0x1b0,  &_v136);
                                										if(__eflags != 0) {
                                											__eflags = E00425228(_t474 + _t474 + _v20 + 0x1c8,  &_v136);
                                											if(__eflags != 0) {
                                												_t422 = _v52;
                                												_v52 = _v48;
                                											} else {
                                												_t422 = _v48;
                                											}
                                											_v48 = _v44;
                                										} else {
                                											_t422 = _v44;
                                										}
                                										_v44 = _t617;
                                										_t617 = _t422;
                                										L65:
                                										_v56 = E004253D8(_v20 + 0xa68, _v88,  &_v136, __eflags);
                                										__eflags = _t474 - 7;
                                										if(_t474 >= 7) {
                                											_t426 = 0xb;
                                										} else {
                                											_t426 = 8;
                                										}
                                										_t474 = _t426;
                                										goto L82;
                                									}
                                									__eflags = E00425228((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88 + 0x1e0,  &_v136);
                                									if(__eflags != 0) {
                                										goto L65;
                                									}
                                									__eflags = _v64;
                                									if(_v64 != 0) {
                                										__eflags = _t474 - 7;
                                										if(_t474 >= 7) {
                                											_t508 = 0xb;
                                										} else {
                                											_t508 = 9;
                                										}
                                										_t474 = _t508;
                                										_t435 = _t616 - _t617;
                                										__eflags = _t435 - _v72;
                                										if(_t435 >= _v72) {
                                											_t435 = _t435 + _v72;
                                											__eflags = _t435;
                                										}
                                										_v25 =  *((intOrPtr*)(_v68 + _t435));
                                										 *((char*)(_v68 + _t616)) = _v25;
                                										_t616 = _t616 + 1;
                                										__eflags = _t616 - _v72;
                                										if(_t616 == _v72) {
                                											_t616 = 0;
                                											__eflags = 0;
                                										}
                                										 *_v108 = _v25;
                                										_v24 = _v24 + 1;
                                										__eflags = _v64 - _v72;
                                										if(_v64 < _v72) {
                                											_v64 = _v64 + 1;
                                										}
                                										goto L24;
                                									}
                                									return 1;
                                								}
                                								_t448 = (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + _v20 + 0xe6c;
                                								__eflags = _t474 - 7;
                                								if(__eflags < 0) {
                                									_v25 = E00425338(_t448,  &_v136, __eflags);
                                								} else {
                                									_v96 = _t616 - _t617;
                                									__eflags = _v96 - _v72;
                                									if(__eflags >= 0) {
                                										_t161 =  &_v96;
                                										 *_t161 = _v96 + _v72;
                                										__eflags =  *_t161;
                                									}
                                									_v89 =  *((intOrPtr*)(_v68 + _v96));
                                									_v25 = E00425364(_t448, _v89,  &_v136, __eflags);
                                								}
                                								 *_v108 = _v25;
                                								_v24 = _v24 + 1;
                                								_v108 = _v108 + 1;
                                								__eflags = _v64 - _v72;
                                								if(_v64 < _v72) {
                                									_t180 =  &_v64;
                                									 *_t180 = _v64 + 1;
                                									__eflags =  *_t180;
                                								}
                                								 *((char*)(_v68 + _t616)) = _v25;
                                								_t616 = _t616 + 1;
                                								__eflags = _t616 - _v72;
                                								if(_t616 == _v72) {
                                									_t616 = 0;
                                									__eflags = 0;
                                								}
                                								__eflags = _t474 - 4;
                                								if(_t474 >= 4) {
                                									__eflags = _t474 - 0xa;
                                									if(_t474 >= 0xa) {
                                										_t474 = _t474 - 6;
                                									} else {
                                										_t474 = _t474 - 3;
                                									}
                                								} else {
                                									_t474 = 0;
                                								}
                                								goto L93;
                                							}
                                							return 1;
                                						}
                                						return _v116;
                                					}
                                					L94:
                                					 *((intOrPtr*)(_v8 + 0x20)) = _v128;
                                					 *((intOrPtr*)(_v8 + 0x24)) = _v124;
                                					 *((intOrPtr*)(_v8 + 0x28)) = _t616;
                                					 *((intOrPtr*)(_v8 + 0x2c)) = _v60 + _v24;
                                					 *((intOrPtr*)(_v8 + 0x30)) = _v64;
                                					 *((intOrPtr*)(_v8 + 0x34)) = _t617;
                                					 *((intOrPtr*)(_v8 + 0x38)) = _v44;
                                					 *((intOrPtr*)(_v8 + 0x3c)) = _v48;
                                					 *((intOrPtr*)(_v8 + 0x40)) = _v52;
                                					 *(_v8 + 0x44) = _t474;
                                					 *((intOrPtr*)(_v8 + 0x48)) = _v56;
                                					 *((char*)(_v8 + 0x4c)) = _v76;
                                					 *((intOrPtr*)(_v8 + 0x14)) = _v136;
                                					 *((intOrPtr*)(_v8 + 0x18)) = _v132;
                                					 *_a4 = _v24;
                                					__eflags = 0;
                                					return 0;
                                				}
                                				_v80 = (0x300 <<  *(_v8 + 4) + _v40) + 0x736;
                                				_v84 = 0;
                                				_v108 = _v20;
                                				__eflags = _v84 - _v80;
                                				if(_v84 >= _v80) {
                                					L7:
                                					_v52 = 1;
                                					_v48 = 1;
                                					_v44 = 1;
                                					_t617 = 1;
                                					_v60 = 0;
                                					_v64 = 0;
                                					_t474 = 0;
                                					_t616 = 0;
                                					 *((char*)(_v68 + _v72 - 1)) = 0;
                                					E00425188( &_v136);
                                					__eflags = _v116;
                                					if(_v116 != 0) {
                                						return _v116;
                                					}
                                					__eflags = _v112;
                                					if(_v112 == 0) {
                                						__eflags = 0;
                                						_v56 = 0;
                                						goto L12;
                                					} else {
                                						return 1;
                                					}
                                				} else {
                                					goto L6;
                                				}
                                				do {
                                					L6:
                                					 *_v108 = 0x400;
                                					_v84 = _v84 + 1;
                                					_v108 = _v108 + 2;
                                					__eflags = _v84 - _v80;
                                				} while (_v84 < _v80);
                                				goto L7;
                                			}
























































                                0x004257ea
                                0x004257eb
                                0x004257ee
                                0x004257f0
                                0x004257f0
                                0x004257f0
                                0x004257f2
                                0x004257f5
                                0x004257fe
                                0x00425801
                                0x0042580b
                                0x00425803
                                0x00425803
                                0x00425803
                                0x004257f7
                                0x004257f7
                                0x004257f7
                                0x00000000
                                0x004257f5
                                0x00000000
                                0x00425724
                                0x00000000
                                0x00425716
                                0x00425adc
                                0x00425ae2
                                0x00425aeb
                                0x00425af1
                                0x00425afd
                                0x00425b06
                                0x00425b0c
                                0x00425b15
                                0x00425b1e
                                0x00425b27
                                0x00425b2d
                                0x00425b36
                                0x00425b3f
                                0x00425b4b
                                0x00425b54
                                0x00425b5d
                                0x00425b5f
                                0x00000000
                                0x00425b5f
                                0x004255f5
                                0x004255f8
                                0x00425600
                                0x00425606
                                0x00425609
                                0x00425622
                                0x00425629
                                0x0042562c
                                0x0042562f
                                0x00425632
                                0x00425634
                                0x00425639
                                0x0042563c
                                0x00425644
                                0x00425646
                                0x00425651
                                0x00425656
                                0x0042565a
                                0x00000000
                                0x0042565c
                                0x00425664
                                0x00425668
                                0x00425674
                                0x00425676
                                0x00000000
                                0x0042566a
                                0x00000000
                                0x0042566a
                                0x00000000
                                0x00000000
                                0x00000000
                                0x0042560b
                                0x0042560b
                                0x0042560e
                                0x00425613
                                0x00425616
                                0x0042561d
                                0x0042561d
                                0x00000000

                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                • Instruction ID: 714bfb58b2794d167d20b22a4996e34f8aecc2b55e378ed3f9398e5555f8a7d3
                                • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                • Instruction Fuzzy Hash: 0D320374E00629DFCB04CF98D981AADBBB2BF88314F64816AD805AB341D774AE42CF54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00431F50(signed int* __eax, intOrPtr __ecx, signed int __edx) {
                                				signed int* _v8;
                                				signed int* _v12;
                                				intOrPtr _v16;
                                				char _v20;
                                				char _v24;
                                				char _v28;
                                				unsigned int* _t96;
                                				unsigned int* _t106;
                                				signed int* _t108;
                                				signed int _t109;
                                
                                				_t109 = __edx;
                                				_v16 = __ecx;
                                				_v12 = __eax;
                                				_t106 =  &_v24;
                                				_t108 =  &_v28;
                                				_t96 =  &_v20;
                                				 *_t96 = __edx + 0xdeadbeef + _v16;
                                				 *_t106 =  *_t96;
                                				 *_t108 =  *_t96;
                                				_v8 = _v12;
                                				if((_v8 & 0x00000003) != 0) {
                                					if(__edx <= 0xc) {
                                						L20:
                                						if(_t109 > 0xc) {
                                							L23:
                                							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x18);
                                							L24:
                                							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x10);
                                							L25:
                                							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 8);
                                							L26:
                                							 *_t108 =  *_t108 + (_v8[2] & 0x000000ff);
                                							L27:
                                							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x18);
                                							L28:
                                							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x10);
                                							L29:
                                							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 8);
                                							L30:
                                							 *_t106 =  *_t106 + (_v8[1] & 0x000000ff);
                                							L31:
                                							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x18);
                                							L32:
                                							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x10);
                                							L33:
                                							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 8);
                                							L34:
                                							 *_t96 =  *_t96 + ( *_v8 & 0x000000ff);
                                							L35:
                                							 *_t108 =  *_t108 ^  *_t106;
                                							 *_t108 =  *_t108 - ( *_t106 << 0x0000000e |  *_t106 >> 0x00000012);
                                							 *_t96 =  *_t96 ^  *_t108;
                                							 *_t96 =  *_t96 - ( *_t108 << 0x0000000b |  *_t108 >> 0x00000015);
                                							 *_t106 =  *_t106 ^  *_t96;
                                							 *_t106 =  *_t106 - ( *_t96 << 0x00000019 |  *_t96 >> 0x00000007);
                                							 *_t108 =  *_t108 ^  *_t106;
                                							 *_t108 =  *_t108 - ( *_t106 << 0x00000010 |  *_t106 >> 0x00000010);
                                							 *_t96 =  *_t96 ^  *_t108;
                                							 *_t96 =  *_t96 - ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                                							 *_t106 =  *_t106 ^  *_t96;
                                							 *_t106 =  *_t106 - ( *_t96 << 0x0000000e |  *_t96 >> 0x00000012);
                                							 *_t108 =  *_t108 ^  *_t106;
                                							 *_t108 =  *_t108 - ( *_t106 << 0x00000018 |  *_t106 >> 0x00000008);
                                							return  *_t108;
                                						}
                                						switch( *((intOrPtr*)(_t109 * 4 +  &M004322BD))) {
                                							case 0:
                                								return  *_t108;
                                							case 1:
                                								goto L34;
                                							case 2:
                                								goto L33;
                                							case 3:
                                								goto L32;
                                							case 4:
                                								goto L31;
                                							case 5:
                                								goto L30;
                                							case 6:
                                								goto L29;
                                							case 7:
                                								goto L28;
                                							case 8:
                                								goto L27;
                                							case 9:
                                								goto L26;
                                							case 0xa:
                                								goto L25;
                                							case 0xb:
                                								goto L24;
                                							case 0xc:
                                								goto L23;
                                						}
                                					} else {
                                						goto L19;
                                					}
                                					do {
                                						L19:
                                						 *_t96 =  *_t96 + ( *_v8 & 0x000000ff) + ((_v8[0] & 0x000000ff) << 8) + ((_v8[0] & 0x000000ff) << 0x10) + ((_v8[0] & 0x000000ff) << 0x18);
                                						 *_t106 =  *_t106 + (_v8[1] & 0x000000ff) + ((_v8[1] & 0x000000ff) << 8) + ((_v8[1] & 0x000000ff) << 0x10) + ((_v8[1] & 0x000000ff) << 0x18);
                                						 *_t108 =  *_t108 + (_v8[2] & 0x000000ff) + ((_v8[2] & 0x000000ff) << 8) + ((_v8[2] & 0x000000ff) << 0x10) + ((_v8[2] & 0x000000ff) << 0x18);
                                						 *_t96 =  *_t96 -  *_t108;
                                						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                                						 *_t108 =  *_t108 +  *_t106;
                                						 *_t106 =  *_t106 -  *_t96;
                                						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
                                						 *_t96 =  *_t96 +  *_t108;
                                						 *_t108 =  *_t108 -  *_t106;
                                						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
                                						 *_t106 =  *_t106 +  *_t96;
                                						 *_t96 =  *_t96 -  *_t108;
                                						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
                                						 *_t108 =  *_t108 +  *_t106;
                                						 *_t106 =  *_t106 -  *_t96;
                                						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
                                						 *_t96 =  *_t96 +  *_t108;
                                						 *_t108 =  *_t108 -  *_t106;
                                						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
                                						 *_t106 =  *_t106 +  *_t96;
                                						_t109 = _t109 - 0xc;
                                						_v8 =  &(_v8[3]);
                                					} while (_t109 > 0xc);
                                					goto L20;
                                				}
                                				if(__edx <= 0xc) {
                                					L3:
                                					if(_t109 > 0xc) {
                                						goto L35;
                                					}
                                					switch( *((intOrPtr*)(_t109 * 4 +  &M00432051))) {
                                						case 0:
                                							return  *_t108;
                                						case 1:
                                							_v8 =  *_v8;
                                							__edx =  *_v8 & 0x000000ff;
                                							 *__eax =  *__eax + ( *_v8 & 0x000000ff);
                                							goto L35;
                                						case 2:
                                							_v8 =  *_v8;
                                							__edx =  *_v8 & 0x0000ffff;
                                							 *__eax =  *__eax + ( *_v8 & 0x0000ffff);
                                							goto L35;
                                						case 3:
                                							_v8 =  *_v8;
                                							__edx =  *_v8 & 0x00ffffff;
                                							 *__eax =  *__eax + ( *_v8 & 0x00ffffff);
                                							goto L35;
                                						case 4:
                                							_v8 =  *_v8;
                                							 *__eax =  *__eax +  *_v8;
                                							goto L35;
                                						case 5:
                                							__edx = _v8;
                                							 *__eax =  *__eax +  *__edx;
                                							__edx =  *(__edx + 4);
                                							 *__ebx =  *__ebx + __edx;
                                							goto L35;
                                						case 6:
                                							__edx = _v8;
                                							 *__eax =  *__eax +  *__edx;
                                							__edx =  *(__edx + 4);
                                							 *__ebx =  *__ebx + __edx;
                                							goto L35;
                                						case 7:
                                							__edx = _v8;
                                							 *__eax =  *__eax +  *__edx;
                                							__edx =  *(__edx + 4);
                                							 *__ebx =  *__ebx + __edx;
                                							goto L35;
                                						case 8:
                                							__edx = _v8;
                                							 *__eax =  *__eax +  *__edx;
                                							 *__ebx =  *__ebx + __edx;
                                							goto L35;
                                						case 9:
                                							__edx = _v8;
                                							 *__eax =  *__eax +  *__edx;
                                							 *__ebx =  *__ebx +  *(__edx + 4);
                                							__edx =  *(__edx + 8);
                                							 *__ecx =  *__ecx + __edx;
                                							goto L35;
                                						case 0xa:
                                							__edx = _v8;
                                							 *__eax =  *__eax +  *__edx;
                                							 *__ebx =  *__ebx +  *(__edx + 4);
                                							__edx =  *(__edx + 8);
                                							 *__ecx =  *__ecx + __edx;
                                							goto L35;
                                						case 0xb:
                                							__edx = _v8;
                                							 *__eax =  *__eax +  *__edx;
                                							 *__ebx =  *__ebx +  *(__edx + 4);
                                							__edx =  *(__edx + 8);
                                							 *__ecx =  *__ecx + __edx;
                                							goto L35;
                                						case 0xc:
                                							__edx = _v8;
                                							 *__eax =  *__eax +  *__edx;
                                							 *__ebx =  *__ebx +  *(__edx + 4);
                                							 *__ecx =  *__ecx + __edx;
                                							goto L35;
                                					}
                                				} else {
                                					goto L2;
                                				}
                                				do {
                                					L2:
                                					 *_t96 =  *_t96 +  *_v8;
                                					 *_t106 =  *_t106 + _v8[1];
                                					 *_t108 =  *_t108 + _v8[2];
                                					 *_t96 =  *_t96 -  *_t108;
                                					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                                					 *_t108 =  *_t108 +  *_t106;
                                					 *_t106 =  *_t106 -  *_t96;
                                					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
                                					 *_t96 =  *_t96 +  *_t108;
                                					 *_t108 =  *_t108 -  *_t106;
                                					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
                                					 *_t106 =  *_t106 +  *_t96;
                                					 *_t96 =  *_t96 -  *_t108;
                                					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
                                					 *_t108 =  *_t108 +  *_t106;
                                					 *_t106 =  *_t106 -  *_t96;
                                					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
                                					 *_t96 =  *_t96 +  *_t108;
                                					 *_t108 =  *_t108 -  *_t106;
                                					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
                                					 *_t106 =  *_t106 +  *_t96;
                                					_t109 = _t109 - 0xc;
                                					_v8 = _v8 + 0xc;
                                				} while (_t109 > 0xc);
                                				goto L3;
                                			}














                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3a53240d1ff2e6a54c485aafc29675fea109497b1cbdbcdb71818d823280feeb
                                • Instruction ID: 4f2c7345300522f8efab797650d0f57aff86ffded578c1633b2e6f11b4f1150f
                                • Opcode Fuzzy Hash: 3a53240d1ff2e6a54c485aafc29675fea109497b1cbdbcdb71818d823280feeb
                                • Instruction Fuzzy Hash: AF02BE32900235DFDB92CF6DC540109B7B6FF8A72472A82D6D854AB229D270AE52DFD1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 88%
                                			E0040ECB4(signed int __eax, void* __ebx, void* __ecx, void* __edx, signed int __edi, void* __esi) {
                                				signed char _t146;
                                				signed char _t147;
                                				signed char _t148;
                                				signed char _t149;
                                				signed char _t150;
                                				signed char _t151;
                                				signed char _t152;
                                				signed char _t153;
                                				signed char _t154;
                                				signed char _t155;
                                				signed char _t156;
                                				signed char _t157;
                                				signed char _t158;
                                				signed char _t159;
                                				signed char _t160;
                                				signed char _t161;
                                				signed char _t162;
                                				signed char _t163;
                                				signed char _t164;
                                				signed char _t165;
                                				signed char _t166;
                                				signed char _t167;
                                				signed char _t168;
                                				signed char _t169;
                                				signed char _t170;
                                				signed char _t171;
                                				signed char _t172;
                                				signed char _t173;
                                				signed char _t174;
                                				signed char _t175;
                                				signed char _t176;
                                				signed char _t177;
                                				signed char _t178;
                                				signed char _t179;
                                				signed char _t180;
                                				signed char _t181;
                                				void* _t184;
                                				void* _t188;
                                				void* _t196;
                                				void* _t204;
                                				void* _t209;
                                				void* _t210;
                                				void* _t211;
                                				void* _t212;
                                				void* _t213;
                                				void* _t214;
                                				void* _t215;
                                				void* _t216;
                                				void* _t220;
                                				void* _t228;
                                				void* _t236;
                                				void* _t246;
                                
                                				_t146 = __eax ^ 0x00000006;
                                				_t184 = __ebx - 1;
                                				 *((intOrPtr*)(__edi + 0x340000ff)) =  *((intOrPtr*)(__edi + 0x340000ff)) + _t184;
                                				_push(es);
                                				 *((intOrPtr*)(_t146 + 0x340000ff)) =  *((intOrPtr*)(_t146 + 0x340000ff)) + _t146;
                                				_push(es);
                                				 *((intOrPtr*)(__ecx + 0x340000ff)) =  *((intOrPtr*)(__ecx + 0x340000ff)) + _t146;
                                				_push(es);
                                				 *((intOrPtr*)(__edx + 0x340000ff)) =  *((intOrPtr*)(__edx + 0x340000ff)) + _t146;
                                				_push(es);
                                				_t188 = _t184 - 0xfffffffffffffffe;
                                				 *((intOrPtr*)(_t188 + 0x340000ff)) =  *((intOrPtr*)(_t188 + 0x340000ff)) + _t146;
                                				_push(es);
                                				 *((intOrPtr*)(__edi + 0x6340000 + __edi * 8)) =  *((intOrPtr*)(__edi + 0x6340000 + __edi * 8)) + _t146;
                                				 *((intOrPtr*)(_t246 + 0x340000ff)) =  *((intOrPtr*)(_t246 + 0x340000ff)) + _t146;
                                				_push(es);
                                				 *((intOrPtr*)(__esi + 0x340000ff)) =  *((intOrPtr*)(__esi + 0x340000ff)) + _t146;
                                				_push(es);
                                				 *((intOrPtr*)(__edi + 0x340000ff)) =  *((intOrPtr*)(__edi + 0x340000ff)) + _t146;
                                				_push(es);
                                				 *((intOrPtr*)(_t146 + 0x340000ff)) =  *((intOrPtr*)(_t146 + 0x340000ff)) + __ecx;
                                				_push(es);
                                				 *((intOrPtr*)(__ecx + 0x340000ff)) =  *((intOrPtr*)(__ecx + 0x340000ff)) + __ecx;
                                				_push(es);
                                				 *((intOrPtr*)(__edx + 0x340000ff)) =  *((intOrPtr*)(__edx + 0x340000ff)) + __ecx;
                                				_push(es);
                                				_t196 = _t188 - 0xfffffffffffffffa;
                                				 *((intOrPtr*)(_t196 + 0x340000ff)) =  *((intOrPtr*)(_t196 + 0x340000ff)) + __ecx;
                                				_push(es);
                                				 *((intOrPtr*)(__edi + 0x6340000 + __edi * 8)) =  *((intOrPtr*)(__edi + 0x6340000 + __edi * 8)) + __ecx;
                                				 *((intOrPtr*)(_t246 + 0x340000ff)) =  *((intOrPtr*)(_t246 + 0x340000ff)) + __ecx;
                                				_push(es);
                                				 *((intOrPtr*)(__esi + 0x340000ff)) =  *((intOrPtr*)(__esi + 0x340000ff)) + __ecx;
                                				_push(es);
                                				 *((intOrPtr*)(__edi + 0x340000ff)) =  *((intOrPtr*)(__edi + 0x340000ff)) + __ecx;
                                				_push(es);
                                				 *((intOrPtr*)(_t146 - 1)) =  *((intOrPtr*)(_t146 - 1)) + __edx;
                                				 *_t146 =  *_t146 + _t146;
                                				_t147 = _t146 ^ 0x00000006;
                                				 *((intOrPtr*)(__ecx - 1)) =  *((intOrPtr*)(__ecx - 1)) + __edx;
                                				 *_t147 =  *_t147 + _t147;
                                				_t148 = _t147 ^ 0x00000006;
                                				 *((intOrPtr*)(__edx - 1)) =  *((intOrPtr*)(__edx - 1)) + __edx;
                                				 *_t148 =  *_t148 + _t148;
                                				_t149 = _t148 ^ 0x00000006;
                                				_t204 = _t196 - 0xfffffffffffffffa;
                                				 *((intOrPtr*)(_t204 - 1)) =  *((intOrPtr*)(_t204 - 1)) + __edx;
                                				 *_t149 =  *_t149 + _t149;
                                				_t150 = _t149 ^ 0x00000006;
                                				 *((intOrPtr*)(__edi + __edi * 8)) =  *((intOrPtr*)(__edi + __edi * 8)) + __edx;
                                				 *((intOrPtr*)(__esi + _t150)) =  *((intOrPtr*)(__esi + _t150)) + __edx;
                                				 *((intOrPtr*)(_t246 - 1)) =  *((intOrPtr*)(_t246 - 1)) + __edx;
                                				 *_t150 =  *_t150 + _t150;
                                				_t151 = _t150 ^ 0x00000006;
                                				 *((intOrPtr*)(__esi - 1)) =  *((intOrPtr*)(__esi - 1)) + __edx;
                                				 *_t151 =  *_t151 + _t151;
                                				_t152 = _t151 ^ 0x00000006;
                                				 *((intOrPtr*)(__edi - 1)) =  *((intOrPtr*)(__edi - 1)) + __edx;
                                				 *_t152 =  *_t152 + _t152;
                                				_t153 = _t152 ^ 0x00000006;
                                				_t209 = _t204 - 0xfffffffffffffffd;
                                				 *((intOrPtr*)(_t153 - 1)) =  *((intOrPtr*)(_t153 - 1)) + _t209;
                                				 *_t153 =  *_t153 + _t153;
                                				_t154 = _t153 ^ 0x00000006;
                                				_t210 = _t209 - 1;
                                				 *((intOrPtr*)(__ecx - 1)) =  *((intOrPtr*)(__ecx - 1)) + _t210;
                                				 *_t154 =  *_t154 + _t154;
                                				_t155 = _t154 ^ 0x00000006;
                                				_t211 = _t210 - 1;
                                				 *((intOrPtr*)(__edx - 1)) =  *((intOrPtr*)(__edx - 1)) + _t211;
                                				 *_t155 =  *_t155 + _t155;
                                				_t156 = _t155 ^ 0x00000006;
                                				_t212 = _t211 - 1;
                                				 *((intOrPtr*)(_t212 - 1)) =  *((intOrPtr*)(_t212 - 1)) + _t212;
                                				 *_t156 =  *_t156 + _t156;
                                				_t157 = _t156 ^ 0x00000006;
                                				_t213 = _t212 - 1;
                                				 *((intOrPtr*)(__edi + __edi * 8)) =  *((intOrPtr*)(__edi + __edi * 8)) + _t213;
                                				 *((intOrPtr*)(__esi + _t157)) =  *((intOrPtr*)(__esi + _t157)) + __edx;
                                				_t214 = _t213 - 1;
                                				 *((intOrPtr*)(_t246 - 1)) =  *((intOrPtr*)(_t246 - 1)) + _t214;
                                				 *_t157 =  *_t157 + _t157;
                                				_t158 = _t157 ^ 0x00000006;
                                				_t215 = _t214 - 1;
                                				 *((intOrPtr*)(__esi - 1)) =  *((intOrPtr*)(__esi - 1)) + _t215;
                                				 *_t158 =  *_t158 + _t158;
                                				_t159 = _t158 ^ 0x00000006;
                                				_t216 = _t215 - 1;
                                				 *((intOrPtr*)(__edi - 1)) =  *((intOrPtr*)(__edi - 1)) + _t216;
                                				 *_t159 =  *_t159 + _t159;
                                				_t160 = _t159 ^ 0x00000006;
                                				 *((intOrPtr*)(_t160 - 1)) =  *((intOrPtr*)(_t160 - 1)) + _t160;
                                				 *_t160 =  *_t160 + _t160;
                                				_t161 = _t160 ^ 0x00000006;
                                				 *((intOrPtr*)(__ecx - 1)) =  *((intOrPtr*)(__ecx - 1)) + _t161;
                                				 *_t161 =  *_t161 + _t161;
                                				_t162 = _t161 ^ 0x00000006;
                                				 *((intOrPtr*)(__edx - 1)) =  *((intOrPtr*)(__edx - 1)) + _t162;
                                				 *_t162 =  *_t162 + _t162;
                                				_t163 = _t162 ^ 0x00000006;
                                				_t220 = _t216 - 0xfffffffffffffffe;
                                				 *((intOrPtr*)(_t220 - 1)) =  *((intOrPtr*)(_t220 - 1)) + _t163;
                                				 *_t163 =  *_t163 + _t163;
                                				_t164 = _t163 ^ 0x00000006;
                                				 *((intOrPtr*)(__edi + __edi * 8)) =  *((intOrPtr*)(__edi + __edi * 8)) + _t164;
                                				 *((intOrPtr*)(__esi + _t164)) =  *((intOrPtr*)(__esi + _t164)) + __edx;
                                				 *((intOrPtr*)(_t246 - 1)) =  *((intOrPtr*)(_t246 - 1)) + _t164;
                                				 *_t164 =  *_t164 + _t164;
                                				_t165 = _t164 ^ 0x00000006;
                                				 *((intOrPtr*)(__esi - 1)) =  *((intOrPtr*)(__esi - 1)) + _t165;
                                				 *_t165 =  *_t165 + _t165;
                                				_t166 = _t165 ^ 0x00000006;
                                				 *((intOrPtr*)(__edi - 1)) =  *((intOrPtr*)(__edi - 1)) + _t166;
                                				 *_t166 =  *_t166 + _t166;
                                				_t167 = _t166 ^ 0x00000006;
                                				 *((intOrPtr*)(_t167 - 1)) =  *((intOrPtr*)(_t167 - 1)) + __ecx;
                                				 *_t167 =  *_t167 + _t167;
                                				_t168 = _t167 ^ 0x00000006;
                                				 *((intOrPtr*)(__ecx - 1)) =  *((intOrPtr*)(__ecx - 1)) + __ecx;
                                				 *_t168 =  *_t168 + _t168;
                                				_t169 = _t168 ^ 0x00000006;
                                				 *((intOrPtr*)(__edx - 1)) =  *((intOrPtr*)(__edx - 1)) + __ecx;
                                				 *_t169 =  *_t169 + _t169;
                                				_t170 = _t169 ^ 0x00000006;
                                				_t228 = _t220 - 0xfffffffffffffffa;
                                				 *((intOrPtr*)(_t228 - 1)) =  *((intOrPtr*)(_t228 - 1)) + __ecx;
                                				 *_t170 =  *_t170 + _t170;
                                				_t171 = _t170 ^ 0x00000006;
                                				 *((intOrPtr*)(__edi + __edi * 8)) =  *((intOrPtr*)(__edi + __edi * 8)) + __ecx;
                                				 *((intOrPtr*)(__esi + _t171)) =  *((intOrPtr*)(__esi + _t171)) + __edx;
                                				 *((intOrPtr*)(_t246 - 1)) =  *((intOrPtr*)(_t246 - 1)) + __ecx;
                                				 *_t171 =  *_t171 + _t171;
                                				_t172 = _t171 ^ 0x00000006;
                                				 *((intOrPtr*)(__esi - 1)) =  *((intOrPtr*)(__esi - 1)) + __ecx;
                                				 *_t172 =  *_t172 + _t172;
                                				_t173 = _t172 ^ 0x00000006;
                                				 *((intOrPtr*)(__edi - 1)) =  *((intOrPtr*)(__edi - 1)) + __ecx;
                                				 *_t173 =  *_t173 + _t173;
                                				_t174 = _t173 ^ 0x00000006;
                                				 *((intOrPtr*)(_t174 - 1)) =  *((intOrPtr*)(_t174 - 1)) + __edx;
                                				 *_t174 =  *_t174 + _t174;
                                				_t175 = _t174 ^ 0x00000006;
                                				 *((intOrPtr*)(__ecx - 1)) =  *((intOrPtr*)(__ecx - 1)) + __edx;
                                				 *_t175 =  *_t175 + _t175;
                                				_t176 = _t175 ^ 0x00000006;
                                				 *((intOrPtr*)(__edx - 1)) =  *((intOrPtr*)(__edx - 1)) + __edx;
                                				 *_t176 =  *_t176 + _t176;
                                				_t177 = _t176 ^ 0x00000006;
                                				_t236 = _t228 - 0xfffffffffffffffa;
                                				 *((intOrPtr*)(_t236 - 1)) =  *((intOrPtr*)(_t236 - 1)) + __edx;
                                				 *_t177 =  *_t177 + _t177;
                                				_t178 = _t177 ^ 0x00000006;
                                				 *((intOrPtr*)(__edi + __edi * 8)) =  *((intOrPtr*)(__edi + __edi * 8)) + __edx;
                                				 *((intOrPtr*)(__esi + _t178)) =  *((intOrPtr*)(__esi + _t178)) + __edx;
                                				 *((intOrPtr*)(_t246 - 1)) =  *((intOrPtr*)(_t246 - 1)) + __edx;
                                				 *_t178 =  *_t178 + _t178;
                                				_t179 = _t178 ^ 0x00000006;
                                				 *((intOrPtr*)(__esi - 1)) =  *((intOrPtr*)(__esi - 1)) + __edx;
                                				 *_t179 =  *_t179 + _t179;
                                				_t180 = _t179 ^ 0x00000006;
                                				 *((intOrPtr*)(__edi - 1)) =  *((intOrPtr*)(__edi - 1)) + __edx;
                                				 *_t180 =  *_t180 + _t180;
                                				_t181 = _t180 ^ 0x00000006;
                                				 *((intOrPtr*)(_t181 - 1)) =  *((intOrPtr*)(_t181 - 1)) + _t236 - 0xfffffffffffffffd;
                                				 *_t181 =  *_t181 + _t181;
                                				return 0x40ee8a;
                                			}

                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 622fbd8048fd543cdc2cb0be557f41394da94c826b34e88aea9dfaf07a3619e9
                                • Instruction ID: 2cea75af83b0793a95f332b946a4bc9c29eeecd7935183ae600d0464b4d82da5
                                • Opcode Fuzzy Hash: 622fbd8048fd543cdc2cb0be557f41394da94c826b34e88aea9dfaf07a3619e9
                                • Instruction Fuzzy Hash: 3371B7015EEBCA6FCB97833008A85D6AF61AE5316578B53EBCC818E497914D241EF372
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00427760() {
                                				struct HINSTANCE__* _v8;
                                				intOrPtr _t46;
                                				void* _t91;
                                
                                				_v8 = GetModuleHandleW(L"oleaut32.dll");
                                				 *0x4b30d8 = E00427734("VariantChangeTypeEx", E00427150, _t91);
                                				 *0x4b30dc = E00427734("VarNeg", E00427198, _t91);
                                				 *0x4b30e0 = E00427734("VarNot", E00427198, _t91);
                                				 *0x4b30e4 = E00427734("VarAdd", E004271A4, _t91);
                                				 *0x4b30e8 = E00427734("VarSub", E004271A4, _t91);
                                				 *0x4b30ec = E00427734("VarMul", E004271A4, _t91);
                                				 *0x4b30f0 = E00427734("VarDiv", E004271A4, _t91);
                                				 *0x4b30f4 = E00427734("VarIdiv", E004271A4, _t91);
                                				 *0x4b30f8 = E00427734("VarMod", E004271A4, _t91);
                                				 *0x4b30fc = E00427734("VarAnd", E004271A4, _t91);
                                				 *0x4b3100 = E00427734("VarOr", E004271A4, _t91);
                                				 *0x4b3104 = E00427734("VarXor", E004271A4, _t91);
                                				 *0x4b3108 = E00427734("VarCmp", E004271B0, _t91);
                                				 *0x4b310c = E00427734("VarI4FromStr", E004271BC, _t91);
                                				 *0x4b3110 = E00427734("VarR4FromStr", E00427228, _t91);
                                				 *0x4b3114 = E00427734("VarR8FromStr", E00427298, _t91);
                                				 *0x4b3118 = E00427734("VarDateFromStr", E00427308, _t91);
                                				 *0x4b311c = E00427734("VarCyFromStr", E00427378, _t91);
                                				 *0x4b3120 = E00427734("VarBoolFromStr", E004273E8, _t91);
                                				 *0x4b3124 = E00427734("VarBstrFromCy", E00427468, _t91);
                                				 *0x4b3128 = E00427734("VarBstrFromDate", E00427510, _t91);
                                				_t46 = E00427734("VarBstrFromBool", E004276A0, _t91);
                                				 *0x4b312c = _t46;
                                				return _t46;
                                			}

                                APIs
                                • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 00427769
                                  • Part of subcall function 00427734: GetProcAddress.KERNEL32(00000000), ref: 0042774D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                • API String ID: 1646373207-1918263038
                                • Opcode ID: 367d5db2d61379bc23dedadddc55954ef186c40d0fd8bef8cbe36d64a9f89c0a
                                • Instruction ID: 735cca15fa0fba54a2ae32ca3908c422882b3f31f6c5027c977213eb670bdc79
                                • Opcode Fuzzy Hash: 367d5db2d61379bc23dedadddc55954ef186c40d0fd8bef8cbe36d64a9f89c0a
                                • Instruction Fuzzy Hash: 004109A070D2349BA308AB6FB84253AB798DB857143E4C17FB8048A745DF38B981C66D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 82%
                                			E0041E8EC(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, long long __fp0) {
                                				signed int _v8;
                                				char _v12;
                                				signed int _v16;
                                				intOrPtr _v20;
                                				intOrPtr* _t32;
                                				signed int _t53;
                                				signed int _t56;
                                				signed int _t71;
                                				signed int _t78;
                                				signed int* _t82;
                                				signed int _t85;
                                				void* _t93;
                                				signed int _t94;
                                				signed int _t95;
                                				signed int _t98;
                                				signed int _t99;
                                				void* _t105;
                                				intOrPtr _t106;
                                				signed int _t109;
                                				intOrPtr _t116;
                                				intOrPtr _t117;
                                				void* _t131;
                                				void* _t132;
                                				signed int _t134;
                                				void* _t136;
                                				void* _t137;
                                				void* _t139;
                                				void* _t140;
                                				intOrPtr _t141;
                                				void* _t142;
                                				long long _t161;
                                
                                				_t161 = __fp0;
                                				_t126 = __edi;
                                				_t109 = __edx;
                                				_t139 = _t140;
                                				_t141 = _t140 + 0xfffffff0;
                                				_push(__edi);
                                				_v12 = 0;
                                				_v8 = __edx;
                                				_t93 = __eax;
                                				_push(_t139);
                                				_push(0x41eb81);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t141;
                                				_t32 =  *0x4ac590; // 0x4ad8f8
                                				_t144 =  *_t32;
                                				if( *_t32 == 0) {
                                					E0040552C(0x1a);
                                				}
                                				E0040665C(E004068E0( *0x4b07e4, 0, _t126), _t109 | 0xffffffff, _t144);
                                				_push(_t139);
                                				_push(0x41eb64);
                                				_push( *[fs:edx]);
                                				 *[fs:edx] = _t141;
                                				 *0x4b07dc = 0;
                                				_push(0);
                                				E00409F74();
                                				_t142 = _t141 + 4;
                                				E0041E154(_t93, 0x41eb9c, 0x100b,  &_v12);
                                				_t127 = E0041A2E4(0x41eb9c, 1, _t144);
                                				if(_t127 + 0xfffffffd - 3 >= 0) {
                                					__eflags = _t127 - 0xffffffffffffffff;
                                					if(_t127 - 0xffffffffffffffff < 0) {
                                						 *0x4b07dc = 1;
                                						_push(1);
                                						E00409F74();
                                						_t142 = _t142 + 4;
                                						E00407DD4( *0x4b07e0, L"B.C.");
                                						 *((intOrPtr*)( *0x4b07e0 + 4)) = 0;
                                						_t71 =  *0x4b07e0;
                                						 *((intOrPtr*)(_t71 + 8)) = 0xffc00000;
                                						 *((intOrPtr*)(_t71 + 0xc)) = 0xc1dfffff;
                                						E0041C2E4(1, 1, 1, __eflags, _t161);
                                						_v20 = E00405770();
                                						_v16 = 1;
                                						asm("fild qword [ebp-0x10]");
                                						 *((long long*)( *0x4b07e0 + 0x10)) = _t161;
                                						asm("wait");
                                						EnumCalendarInfoW(E0041E7C4, GetThreadLocale(), _t127, 4);
                                						_t78 =  *0x4b07e0;
                                						__eflags = _t78;
                                						if(_t78 != 0) {
                                							_t82 = _t78 - 4;
                                							__eflags = _t82;
                                							_t78 =  *_t82;
                                						}
                                						_t134 = _t78 - 1;
                                						__eflags = _t134;
                                						if(_t134 > 0) {
                                							_t98 = 1;
                                							do {
                                								 *((intOrPtr*)( *0x4b07e0 + 4 + (_t98 + _t98 * 2) * 8)) = 0xffffffff;
                                								_t98 = _t98 + 1;
                                								_t134 = _t134 - 1;
                                								__eflags = _t134;
                                							} while (_t134 != 0);
                                						}
                                						EnumCalendarInfoW(E0041E85C, GetThreadLocale(), _t127, 3);
                                					}
                                				} else {
                                					EnumCalendarInfoW(E0041E7C4, GetThreadLocale(), _t127, 4);
                                					_t85 =  *0x4b07e0;
                                					if(_t85 != 0) {
                                						_t85 =  *(_t85 - 4);
                                					}
                                					_t136 = _t85 - 1;
                                					if(_t136 >= 0) {
                                						_t137 = _t136 + 1;
                                						_t99 = 0;
                                						do {
                                							 *((intOrPtr*)( *0x4b07e0 + 4 + (_t99 + _t99 * 2) * 8)) = 0xffffffff;
                                							_t99 = _t99 + 1;
                                							_t137 = _t137 - 1;
                                						} while (_t137 != 0);
                                					}
                                					EnumCalendarInfoW(E0041E85C, GetThreadLocale(), _t127, 3);
                                				}
                                				_t94 =  *0x4b07e0;
                                				if(_t94 != 0) {
                                					_t94 =  *(_t94 - 4);
                                				}
                                				_push(_t94);
                                				E00409F74();
                                				_t53 =  *0x4b07e0;
                                				if(_t53 != 0) {
                                					_t53 =  *(_t53 - 4);
                                				}
                                				_t131 = _t53 - 1;
                                				if(_t131 >= 0) {
                                					_t132 = _t131 + 1;
                                					_t95 = 0;
                                					do {
                                						_t127 = _t95 + _t95 * 2;
                                						_t106 =  *0x416f2c; // 0x416f30
                                						E00409010( *((intOrPtr*)(_v8 + 0xbc)) + (_t95 + _t95 * 2) * 8, _t106,  *0x4b07e0 + (_t95 + _t95 * 2) * 8);
                                						_t95 = _t95 + 1;
                                						_t132 = _t132 - 1;
                                					} while (_t132 != 0);
                                				}
                                				_t116 =  *0x41e720; // 0x41e724
                                				E0040A098(0x4b07e0, _t116);
                                				_t56 =  *0x4b07e0;
                                				if(_t56 != 0) {
                                					_t56 =  *(_t56 - 4);
                                				}
                                				 *0x4b07dc = _t56;
                                				_pop(_t117);
                                				_pop(_t105);
                                				 *[fs:eax] = _t117;
                                				_push(0x41eb6b);
                                				return E0040683C( *0x4b07e4, _t105, _t127);
                                			}



































                                APIs
                                • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E990
                                • EnumCalendarInfoW.KERNEL32(0041E7C4,00000000,00000000,00000004), ref: 0041E99B
                                • GetThreadLocale.KERNEL32(00000000,00000003,0041E7C4,00000000,00000000,00000004), ref: 0041E9D0
                                • EnumCalendarInfoW.KERNEL32(0041E85C,00000000,00000000,00000003,0041E7C4,00000000,00000000,00000004), ref: 0041E9DB
                                • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041EA6C
                                • EnumCalendarInfoW.KERNEL32(0041E7C4,00000000,00000000,00000004), ref: 0041EA77
                                • GetThreadLocale.KERNEL32(00000000,00000003,0041E7C4,00000000,00000000,00000004), ref: 0041EAAE
                                • EnumCalendarInfoW.KERNEL32(0041E85C,00000000,00000000,00000003,0041E7C4,00000000,00000000,00000004), ref: 0041EAB9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: CalendarEnumInfoLocaleThread
                                • String ID: $A$0oA$B.C.$hpA
                                • API String ID: 683597275-4049206235
                                • Opcode ID: 5ab1392dc1329e63ab168d7193b163f67f10670c4386dd22bbacd6bc56bdc858
                                • Instruction ID: 31764f9b4395ddee8a33e7efece694c8c2e23c621918c970f88beb3215b81749
                                • Opcode Fuzzy Hash: 5ab1392dc1329e63ab168d7193b163f67f10670c4386dd22bbacd6bc56bdc858
                                • Instruction Fuzzy Hash: 1B61B6746012019FD710DF6ACC81A9AB765FB44354F10867AF911973E5DA38ED81CF9C
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0040A5C4() {
                                				signed int _t2;
                                				_Unknown_base(*)()* _t8;
                                
                                				InitializeCriticalSection(0x4afc10);
                                				 *0x4afc28 = 0x7f;
                                				_t2 = GetVersion() & 0x000000ff;
                                				 *0x4afc0c = _t2 - 6 >= 0;
                                				if( *0x4afc0c != 0) {
                                					 *0x4afc00 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadPreferredUILanguages");
                                					 *0x4afc04 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetThreadPreferredUILanguages");
                                					_t8 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadUILanguage");
                                					 *0x4afc08 = _t8;
                                					return _t8;
                                				}
                                				return _t2;
                                			}






                                APIs
                                • InitializeCriticalSection.KERNEL32(004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A5C9
                                • GetVersion.KERNEL32(004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A5D7
                                • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A5FE
                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A604
                                • GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A618
                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A61E
                                • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004AFC10,004A7037,00000400,00000000,004A70D7), ref: 0040A632
                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A638
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
                                • String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
                                • API String ID: 74573329-1403180336
                                • Opcode ID: 93963328a1992207510c5a143f88d452738f2b7cd2c03137b8683a113ef3510e
                                • Instruction ID: 77c12324a04305e01794a5ee660b83a9054d5f7758015fb80e29bcc474d3137b
                                • Opcode Fuzzy Hash: 93963328a1992207510c5a143f88d452738f2b7cd2c03137b8683a113ef3510e
                                • Instruction Fuzzy Hash: 9AF012A09813453CE6207FF79C0BB181D286A1271AF684C7BB880B62D3CEBE4654971E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 71%
                                			E0041E1CC(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                				char _v8;
                                				char _v12;
                                				char _v16;
                                				char _v20;
                                				char _v24;
                                				char _v28;
                                				char _v32;
                                				char _v36;
                                				char _v40;
                                				char _v44;
                                				char _v48;
                                				char _v52;
                                				char _v56;
                                				char _v60;
                                				int _t55;
                                				void* _t121;
                                				void* _t128;
                                				void* _t151;
                                				void* _t152;
                                				intOrPtr _t172;
                                				intOrPtr _t204;
                                				signed short _t212;
                                				int _t214;
                                				intOrPtr _t216;
                                				intOrPtr _t217;
                                				void* _t224;
                                
                                				_t224 = __fp0;
                                				_t211 = __edi;
                                				_t216 = _t217;
                                				_t152 = 7;
                                				do {
                                					_push(0);
                                					_push(0);
                                					_t152 = _t152 - 1;
                                				} while (_t152 != 0);
                                				_push(__edi);
                                				_t151 = __edx;
                                				_t214 = __eax;
                                				_push(_t216);
                                				_push(0x41e4b1);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t217;
                                				_t55 = IsValidLocale(__eax, 1);
                                				_t219 = _t55;
                                				if(_t55 == 0) {
                                					_t214 = GetThreadLocale();
                                				}
                                				_t172 =  *0x417064; // 0x417068
                                				E0040A098(_t151 + 0xbc, _t172);
                                				E0041E8EC(_t214, _t151, _t151, _t211, _t214, _t224);
                                				E0041E5C0(_t214, _t151, _t151, _t211, _t214);
                                				E0041E67C(_t214, _t151, _t151, _t211, _t214);
                                				E0041E154(_t214, 0, 0x14,  &_v20);
                                				E00407DD4(_t151, _v20);
                                				E0041E154(_t214, 0x41e4cc, 0x1b,  &_v24);
                                				 *((char*)(_t151 + 4)) = E0041A2E4(0x41e4cc, 0, _t219);
                                				E0041E154(_t214, 0x41e4cc, 0x1c,  &_v28);
                                				 *((char*)(_t151 + 0xc6)) = E0041A2E4(0x41e4cc, 0, _t219);
                                				 *((short*)(_t151 + 0xc0)) = E0041E1A0(_t214, 0x2c, 0xf);
                                				 *((short*)(_t151 + 0xc2)) = E0041E1A0(_t214, 0x2e, 0xe);
                                				E0041E154(_t214, 0x41e4cc, 0x19,  &_v32);
                                				 *((char*)(_t151 + 5)) = E0041A2E4(0x41e4cc, 0, _t219);
                                				_t212 = E0041E1A0(_t214, 0x2f, 0x1d);
                                				 *(_t151 + 6) = _t212;
                                				_push(_t212);
                                				E0041EC38(_t214, _t151, L"m/d/yy", 0x1f, _t212, _t214, _t219,  &_v36);
                                				E00407DD4(_t151 + 0xc, _v36);
                                				_push( *(_t151 + 6) & 0x0000ffff);
                                				E0041EC38(_t214, _t151, L"mmmm d, yyyy", 0x20, _t212, _t214, _t219,  &_v40);
                                				E00407DD4(_t151 + 0x10, _v40);
                                				 *((short*)(_t151 + 8)) = E0041E1A0(_t214, 0x3a, 0x1e);
                                				E0041E154(_t214, 0x41e520, 0x28,  &_v44);
                                				E00407DD4(_t151 + 0x14, _v44);
                                				E0041E154(_t214, 0x41e534, 0x29,  &_v48);
                                				E00407DD4(_t151 + 0x18, _v48);
                                				E004079F4( &_v12);
                                				E004079F4( &_v16);
                                				E0041E154(_t214, 0x41e4cc, 0x25,  &_v52);
                                				_t121 = E0041A2E4(0x41e4cc, 0, _t219);
                                				_t220 = _t121;
                                				if(_t121 != 0) {
                                					E00407E1C( &_v8, 0x41e558);
                                				} else {
                                					E00407E1C( &_v8, 0x41e548);
                                				}
                                				E0041E154(_t214, 0x41e4cc, 0x23,  &_v56);
                                				_t128 = E0041A2E4(0x41e4cc, 0, _t220);
                                				_t221 = _t128;
                                				if(_t128 == 0) {
                                					E0041E154(_t214, 0x41e4cc, 0x1005,  &_v60);
                                					if(E0041A2E4(0x41e4cc, 0, _t221) != 0) {
                                						E00407E1C( &_v12, L"AMPM ");
                                					} else {
                                						E00407E1C( &_v16, L" AMPM");
                                					}
                                				}
                                				_push(_v12);
                                				_push(_v8);
                                				_push(":mm");
                                				_push(_v16);
                                				E004087A4(_t151 + 0x1c, _t151, 4, _t212, _t214);
                                				_push(_v12);
                                				_push(_v8);
                                				_push(L":mm:ss");
                                				_push(_v16);
                                				E004087A4(_t151 + 0x20, _t151, 4, _t212, _t214);
                                				 *((short*)(_t151 + 0xa)) = E0041E1A0(_t214, 0x2c, 0xc);
                                				 *((short*)(_t151 + 0xc4)) = 0x32;
                                				_pop(_t204);
                                				 *[fs:eax] = _t204;
                                				_push(0x41e4b8);
                                				return E00407A54( &_v60, 0xe);
                                			}






























                                APIs
                                • IsValidLocale.KERNEL32(?,00000001,00000000,0041E4B1,?,?,?,?,00000000,00000000), ref: 0041E1F3
                                • GetThreadLocale.KERNEL32(?,00000001,00000000,0041E4B1,?,?,?,?,00000000,00000000), ref: 0041E1FC
                                  • Part of subcall function 0041E1A0: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E2A2,?,00000001,00000000,0041E4B1), ref: 0041E1B3
                                  • Part of subcall function 0041E154: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E172
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Locale$Info$ThreadValid
                                • String ID: AMPM$2$:mm$:mm:ss$AMPM $hpA$m/d/yy$mmmm d, yyyy
                                • API String ID: 233154393-3514583240
                                • Opcode ID: cd2e1eec404eaaf93342958035b3c9dc4f4edd91dbf45419f82dac3ab0a37c82
                                • Instruction ID: 439dc5afb6c92fd399cedb1891f988b7bb4968893a10f06eaf7ea53368b32677
                                • Opcode Fuzzy Hash: cd2e1eec404eaaf93342958035b3c9dc4f4edd91dbf45419f82dac3ab0a37c82
                                • Instruction Fuzzy Hash: D57123387001496BDB05EBA7C881ADE76A6EF88304F50847BF904AB346D63DDD86875E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 71%
                                			E0040AB58(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                				char _v8;
                                				void* _t18;
                                				signed short _t28;
                                				intOrPtr _t35;
                                				intOrPtr* _t44;
                                				intOrPtr _t47;
                                
                                				_t42 = __edi;
                                				_push(0);
                                				_push(__ebx);
                                				_push(__esi);
                                				_t44 = __edx;
                                				_t28 = __eax;
                                				_push(_t47);
                                				_push(0x40ac5c);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t47;
                                				EnterCriticalSection(0x4afc10);
                                				if(_t28 !=  *0x4afc28) {
                                					LeaveCriticalSection(0x4afc10);
                                					E004079F4(_t44);
                                					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
                                						if( *0x4afc0c == 0) {
                                							_t18 = E0040A840(_t28, _t28, _t44, __edi, _t44);
                                							L00403738();
                                							if(_t28 != _t18) {
                                								if( *_t44 != 0) {
                                									_t18 = E004086C4(_t44, E0040AC74);
                                								}
                                								L00403738();
                                								E0040A840(_t18, _t28,  &_v8, _t42, _t44);
                                								E004086C4(_t44, _v8);
                                							}
                                						} else {
                                							E0040AA3C(_t28, _t44);
                                						}
                                					}
                                					EnterCriticalSection(0x4afc10);
                                					 *0x4afc28 = _t28;
                                					E0040A6C0(0x4afc2a, E004084C8( *_t44), 0xaa);
                                					LeaveCriticalSection(0x4afc10);
                                				} else {
                                					E0040856C(_t44, 0x55, 0x4afc2a);
                                					LeaveCriticalSection(0x4afc10);
                                				}
                                				_pop(_t35);
                                				 *[fs:eax] = _t35;
                                				_push(E0040AC63);
                                				return E004079F4( &_v8);
                                			}










                                APIs
                                • EnterCriticalSection.KERNEL32(004AFC10,00000000,0040AC5C,?,?,?,00000000,?,0040B53C,00000000,0040B59B,?,?,00000000,00000000,00000000), ref: 0040AB76
                                • LeaveCriticalSection.KERNEL32(004AFC10,004AFC10,00000000,0040AC5C,?,?,?,00000000,?,0040B53C,00000000,0040B59B,?,?,00000000,00000000), ref: 0040AB9A
                                • LeaveCriticalSection.KERNEL32(004AFC10,004AFC10,00000000,0040AC5C,?,?,?,00000000,?,0040B53C,00000000,0040B59B,?,?,00000000,00000000), ref: 0040ABA9
                                • IsValidLocale.KERNEL32(00000000,00000002,004AFC10,004AFC10,00000000,0040AC5C,?,?,?,00000000,?,0040B53C,00000000,0040B59B), ref: 0040ABBB
                                • EnterCriticalSection.KERNEL32(004AFC10,00000000,00000002,004AFC10,004AFC10,00000000,0040AC5C,?,?,?,00000000,?,0040B53C,00000000,0040B59B), ref: 0040AC18
                                • LeaveCriticalSection.KERNEL32(004AFC10,004AFC10,00000000,00000002,004AFC10,004AFC10,00000000,0040AC5C,?,?,?,00000000,?,0040B53C,00000000,0040B59B), ref: 0040AC41
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: CriticalSection$Leave$Enter$LocaleValid
                                • String ID: en-US,en,
                                • API String ID: 975949045-3579323720
                                • Opcode ID: df8d0f686803062bdab142a1b2de24a95a5c3d65ff11807a0e019821b71cc122
                                • Instruction ID: 583594d50a991121d5869f76381f812cea75c141c18cde3dbdefc2834495f508
                                • Opcode Fuzzy Hash: df8d0f686803062bdab142a1b2de24a95a5c3d65ff11807a0e019821b71cc122
                                • Instruction Fuzzy Hash: 6721016074434477E620BBA78C03B2A2598AB46718FA1883BB540B73D2DE7C8D65836F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 61%
                                			E00422F10(void* __ebx, void* __esi, void* __eflags) {
                                				char _v8;
                                				void* _v12;
                                				char _v16;
                                				char _v20;
                                				intOrPtr* _t21;
                                				intOrPtr _t61;
                                				void* _t68;
                                
                                				_push(__ebx);
                                				_v20 = 0;
                                				_v8 = 0;
                                				_push(_t68);
                                				_push(0x42300a);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t68 + 0xfffffff0;
                                				_t21 = E0040E4A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
                                				if(_t21 == 0) {
                                					if(E0042004C() != 2) {
                                						if(E00422EE8(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
                                							E00422EDC();
                                							RegCloseKey(_v12);
                                						}
                                					} else {
                                						if(E00422EE8(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
                                							E00422EDC();
                                							RegCloseKey(_v12);
                                						}
                                					}
                                					E0040871C( &_v20, _v8, 0x423120);
                                					E00405900(_v20,  &_v16);
                                					if(_v16 != 0) {
                                					}
                                				} else {
                                					 *_t21();
                                				}
                                				_pop(_t61);
                                				 *[fs:eax] = _t61;
                                				_push(E00423011);
                                				E004079F4( &_v20);
                                				return E004079F4( &_v8);
                                			}











                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,0042300A), ref: 00422F37
                                  • Part of subcall function 0040E4A8: GetProcAddress.KERNEL32(?,0B), ref: 0040E4D2
                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042300A), ref: 00422F8A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AddressCloseHandleModuleProc
                                • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                • API String ID: 4190037839-2401316094
                                • Opcode ID: dff07c34f93b3e6c39e557406e904af098fa4b2a4b5bb26404aaa7a5872d83d8
                                • Instruction ID: c5d1680bc85d9fc9140fa9d9073cf59edbb396945b13f7385cf79b6cc5318819
                                • Opcode Fuzzy Hash: dff07c34f93b3e6c39e557406e904af098fa4b2a4b5bb26404aaa7a5872d83d8
                                • Instruction Fuzzy Hash: 73217630B00228BBDB50EAA5DE42B9E77B8DB44304F91487BA500E3285DBBC9F01D72D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 67%
                                			E0040D554(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                                				long _v8;
                                				signed int _v12;
                                				long _v16;
                                				void* _v20;
                                				long _v24;
                                				intOrPtr _v28;
                                				intOrPtr _v32;
                                				intOrPtr _v36;
                                				intOrPtr _v40;
                                				intOrPtr _v44;
                                				struct HINSTANCE__** _v48;
                                				CHAR* _v52;
                                				void _v56;
                                				long _v60;
                                				_Unknown_base(*)()* _v64;
                                				struct HINSTANCE__* _v68;
                                				CHAR* _v72;
                                				signed int _v76;
                                				CHAR* _v80;
                                				intOrPtr* _v84;
                                				void* _v88;
                                				void _v92;
                                				signed int _t104;
                                				signed int _t106;
                                				signed int _t108;
                                				long _t113;
                                				intOrPtr* _t119;
                                				void* _t124;
                                				void _t126;
                                				long _t128;
                                				struct HINSTANCE__* _t142;
                                				long _t166;
                                				signed int* _t190;
                                				_Unknown_base(*)()* _t191;
                                				void* _t194;
                                				intOrPtr _t196;
                                
                                				_push(_a4);
                                				memcpy( &_v56, 0x4a9c40, 8 << 2);
                                				_pop(_t194);
                                				_v56 =  *0x4a9c40;
                                				_v52 = E0040DA04( *0x004A9C44);
                                				_v48 = E0040DA14( *0x004A9C48);
                                				_v44 = E0040DA24( *0x004A9C4C);
                                				_v40 = E0040DA34( *0x004A9C50);
                                				_v36 = E0040DA34( *0x004A9C54);
                                				_v32 = E0040DA34( *0x004A9C58);
                                				_v28 =  *0x004A9C5C;
                                				memcpy( &_v92, 0x4a9c60, 9 << 2);
                                				_t196 = _t194;
                                				_v88 = 0x4a9c60;
                                				_v84 = _a8;
                                				_v80 = _v52;
                                				if((_v56 & 0x00000001) == 0) {
                                					_t166 =  *0x4a9c84; // 0x0
                                					_v8 = _t166;
                                					_v8 =  &_v92;
                                					RaiseException(0xc06d0057, 0, 1,  &_v8);
                                					return 0;
                                				}
                                				_t104 = _a8 - _v44;
                                				_t142 =  *_v48;
                                				if(_t104 < 0) {
                                					_t104 = _t104 + 3;
                                				}
                                				_v12 = _t104 >> 2;
                                				_t106 = _v12;
                                				_t190 = (_t106 << 2) + _v40;
                                				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
                                				_v76 = _t108;
                                				if(_t108 == 0) {
                                					_v72 =  *_t190 & 0x0000ffff;
                                				} else {
                                					_v72 = E0040DA44( *_t190) + 2;
                                				}
                                				_t191 = 0;
                                				if( *0x4b0640 == 0) {
                                					L10:
                                					if(_t142 != 0) {
                                						L25:
                                						_v68 = _t142;
                                						if( *0x4b0640 != 0) {
                                							_t191 =  *0x4b0640(2,  &_v92);
                                						}
                                						if(_t191 != 0) {
                                							L36:
                                							if(_t191 == 0) {
                                								_v60 = GetLastError();
                                								if( *0x4b0644 != 0) {
                                									_t191 =  *0x4b0644(4,  &_v92);
                                								}
                                								if(_t191 == 0) {
                                									_t113 =  *0x4a9c8c; // 0x0
                                									_v24 = _t113;
                                									_v24 =  &_v92;
                                									RaiseException(0xc06d007f, 0, 1,  &_v24);
                                									_t191 = _v64;
                                								}
                                							}
                                							goto L41;
                                						} else {
                                							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
                                								L35:
                                								_t191 = GetProcAddress(_t142, _v72);
                                								goto L36;
                                							} else {
                                								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
                                								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
                                									goto L35;
                                								} else {
                                									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
                                									if(_t191 == 0) {
                                										goto L35;
                                									}
                                									L41:
                                									 *_a8 = _t191;
                                									goto L42;
                                								}
                                							}
                                						}
                                					}
                                					if( *0x4b0640 != 0) {
                                						_t142 =  *0x4b0640(1,  &_v92);
                                					}
                                					if(_t142 == 0) {
                                						_t142 = LoadLibraryA(_v80);
                                					}
                                					if(_t142 != 0) {
                                						L20:
                                						if(_t142 == E0040CEDC(_v48, _t142)) {
                                							FreeLibrary(_t142);
                                						} else {
                                							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
                                								_t124 = LocalAlloc(0x40, 8);
                                								_v20 = _t124;
                                								if(_t124 != 0) {
                                									 *((intOrPtr*)(_v20 + 4)) = _t196;
                                									_t126 =  *0x4a9c3c; // 0x0
                                									 *_v20 = _t126;
                                									 *0x4a9c3c = _v20;
                                								}
                                							}
                                						}
                                						goto L25;
                                					} else {
                                						_v60 = GetLastError();
                                						if( *0x4b0644 != 0) {
                                							_t142 =  *0x4b0644(3,  &_v92);
                                						}
                                						if(_t142 != 0) {
                                							goto L20;
                                						} else {
                                							_t128 =  *0x4a9c88; // 0x0
                                							_v16 = _t128;
                                							_v16 =  &_v92;
                                							RaiseException(0xc06d007e, 0, 1,  &_v16);
                                							return _v64;
                                						}
                                					}
                                				} else {
                                					_t191 =  *0x4b0640(0,  &_v92);
                                					if(_t191 == 0) {
                                						goto L10;
                                					} else {
                                						L42:
                                						if( *0x4b0640 != 0) {
                                							_v60 = 0;
                                							_v68 = _t142;
                                							_v64 = _t191;
                                							 *0x4b0640(5,  &_v92);
                                						}
                                						return _t191;
                                					}
                                				}
                                			}








































                                APIs
                                • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D60C
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: ExceptionRaise
                                • String ID:
                                • API String ID: 3997070919-0
                                • Opcode ID: bb38534db3716b5c0e8cc02abb66565b7a6061d3ab8a69af711d2669e69f4069
                                • Instruction ID: c0290ffb1106a5c61d4348b5596b834e5d82be19a22c5125b9ccd60b821c4e33
                                • Opcode Fuzzy Hash: bb38534db3716b5c0e8cc02abb66565b7a6061d3ab8a69af711d2669e69f4069
                                • Instruction Fuzzy Hash: 42A13F75E006099FDB14DFE8D885BAEB7B5BB88310F14813AE905B73C0D778A949CB58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E0041F8C0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                				char _v8;
                                				struct _MEMORY_BASIC_INFORMATION _v36;
                                				short _v558;
                                				char _v564;
                                				intOrPtr _v568;
                                				char _v572;
                                				char _v576;
                                				char _v580;
                                				intOrPtr _v584;
                                				char _v588;
                                				void* _v592;
                                				char _v596;
                                				char _v600;
                                				char _v604;
                                				char _v608;
                                				intOrPtr _v612;
                                				char _v616;
                                				char _v620;
                                				char _v624;
                                				void* _v628;
                                				char _v632;
                                				void* _t64;
                                				intOrPtr _t65;
                                				long _t76;
                                				intOrPtr _t82;
                                				intOrPtr _t103;
                                				intOrPtr _t107;
                                				intOrPtr _t110;
                                				intOrPtr _t112;
                                				intOrPtr _t115;
                                				intOrPtr _t127;
                                				void* _t136;
                                				intOrPtr _t138;
                                				void* _t141;
                                				void* _t143;
                                
                                				_t136 = __edi;
                                				_t140 = _t141;
                                				_v632 = 0;
                                				_v596 = 0;
                                				_v604 = 0;
                                				_v600 = 0;
                                				_v8 = 0;
                                				_push(_t141);
                                				_push(0x41fac6);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t141 + 0xfffffd8c;
                                				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x14)) - 1;
                                				_t143 = _t64;
                                				if(_t143 < 0) {
                                					_t65 =  *0x4ac798; // 0x40ea20
                                					E0040CD2C(_t65,  &_v8, _t140);
                                				} else {
                                					if(_t143 == 0) {
                                						_t107 =  *0x4ac670; // 0x40ea28
                                						E0040CD2C(_t107,  &_v8, _t140);
                                					} else {
                                						if(_t64 == 7) {
                                							_t110 =  *0x4ac4d0; // 0x40ea30
                                							E0040CD2C(_t110,  &_v8, _t140);
                                						} else {
                                							_t112 =  *0x4ac5c8; // 0x40ea38
                                							E0040CD2C(_t112,  &_v8, _t140);
                                						}
                                					}
                                				}
                                				_t115 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x18));
                                				VirtualQuery( *( *((intOrPtr*)(_a4 - 4)) + 0xc),  &_v36, 0x1c);
                                				_t138 = _v36.State;
                                				if(_t138 == 0x1000 || _t138 == 0x10000) {
                                					_t76 = GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105);
                                					_t147 = _t76;
                                					if(_t76 == 0) {
                                						goto L12;
                                					} else {
                                						_v592 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
                                						_v588 = 5;
                                						E0040856C( &_v600, 0x105,  &_v558);
                                						E0041A538(_v600, _t115,  &_v596, _t136, _t138, _t147);
                                						_v584 = _v596;
                                						_v580 = 0x11;
                                						_v576 = _v8;
                                						_v572 = 0x11;
                                						_v568 = _t115;
                                						_v564 = 5;
                                						_push( &_v592);
                                						_t103 =  *0x4ac6e0; // 0x40eb00
                                						E0040CD2C(_t103,  &_v604, _t140, 3);
                                						E0041F3C0(_t115, _v604, 1, _t136, _t138);
                                					}
                                				} else {
                                					L12:
                                					_v628 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
                                					_v624 = 5;
                                					_v620 = _v8;
                                					_v616 = 0x11;
                                					_v612 = _t115;
                                					_v608 = 5;
                                					_push( &_v628);
                                					_t82 =  *0x4ac67c; // 0x40e9c8
                                					E0040CD2C(_t82,  &_v632, _t140, 2);
                                					E0041F3C0(_t115, _v632, 1, _t136, _t138);
                                				}
                                				_pop(_t127);
                                				 *[fs:eax] = _t127;
                                				_push(0x41facd);
                                				E004079F4( &_v632);
                                				E00407A54( &_v604, 3);
                                				return E004079F4( &_v8);
                                			}







































                                APIs
                                • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041FAC6), ref: 0041F960
                                • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0041FAC6), ref: 0041F98C
                                  • Part of subcall function 0040CD2C: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040CD71
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: FileLoadModuleNameQueryStringVirtual
                                • String ID: @$$eA$(@$0@$8@
                                • API String ID: 902310565-693499950
                                • Opcode ID: 909a871e4bf45c261000e82e1144db8d76ddbd50e492e22675885f2003007506
                                • Instruction ID: 8907c0fdb59343008c76ceb90c3378100399d4465cadcd87230c2457523b253d
                                • Opcode Fuzzy Hash: 909a871e4bf45c261000e82e1144db8d76ddbd50e492e22675885f2003007506
                                • Instruction Fuzzy Hash: 33510574A04659DFDB50EF68CD88BCDBBF4AB48304F0041E6A808A7351D778AE89CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 72%
                                			E004047B0(int __eax, void* __ecx, void* __edx) {
                                				long _v12;
                                				int _t4;
                                				long _t7;
                                				void* _t11;
                                				long _t12;
                                				void* _t13;
                                				long _t18;
                                
                                				_t4 = __eax;
                                				_t24 = __edx;
                                				_t20 = __eax;
                                				if( *0x4ad058 == 0) {
                                					_push(0x2010);
                                					_push(__edx);
                                					_push(__eax);
                                					_push(0);
                                					L00403780();
                                				} else {
                                					_t7 = E00407EC4(__edx);
                                					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
                                					_t11 =  *0x4a9078; // 0x403920
                                					_t12 = E00407EC4(_t11);
                                					_t13 =  *0x4a9078; // 0x403920
                                					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
                                					_t18 = E00407EC4(_t20);
                                					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
                                				}
                                				return _t4;
                                			}











                                APIs
                                • GetStdHandle.KERNEL32(000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D2
                                • WriteFile.KERNEL32(00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D8
                                • GetStdHandle.KERNEL32(000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047F7
                                • WriteFile.KERNEL32(00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047FD
                                • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?), ref: 00404814
                                • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000), ref: 0040481A
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: FileHandleWrite
                                • String ID: 9@
                                • API String ID: 3320372497-3209974744
                                • Opcode ID: 4e270b9709a1e126671c3d07b356aced4a42befb1328ca478adcdb9b8427dfa1
                                • Instruction ID: 039b6809bffddf7eb8364f6b1d7a8ef426dfe463875095ecbcfdc7d20cb8dc15
                                • Opcode Fuzzy Hash: 4e270b9709a1e126671c3d07b356aced4a42befb1328ca478adcdb9b8427dfa1
                                • Instruction Fuzzy Hash: F601FED25091503DE100F7668C85F971E8C8B0973EF10457F7618F31C1C5394D44827E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 62%
                                			E0041F214(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                				char* _v8;
                                				long _v12;
                                				short _v140;
                                				short _v2188;
                                				void* _t15;
                                				char* _t17;
                                				intOrPtr _t19;
                                				intOrPtr _t30;
                                				long _t48;
                                				intOrPtr _t56;
                                				intOrPtr _t57;
                                				int _t61;
                                				void* _t64;
                                
                                				_push(__ebx);
                                				_push(__esi);
                                				_v8 = 0;
                                				_push(_t64);
                                				_push(0x41f339);
                                				_push( *[fs:ecx]);
                                				 *[fs:ecx] = _t64 + 0xfffff778;
                                				_t61 = E0041F01C(_t15, __ebx,  &_v2188, __edx, __edi, __esi, 0x400);
                                				_t17 =  *0x4ac6c0; // 0x4ad058
                                				if( *_t17 == 0) {
                                					_t19 =  *0x4ac4f8; // 0x40ea00
                                					_t11 = _t19 + 4; // 0xffed
                                					LoadStringW(E0040A364( *0x4b0634),  *_t11,  &_v140, 0x40);
                                					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
                                				} else {
                                					_t30 =  *0x4ac524; // 0x4ad340
                                					E00405544(E00405800(_t30));
                                					_t48 = WideCharToMultiByte(1, 0,  &_v2188, _t61, 0, 0, 0, 0);
                                					_push(_t48);
                                					E00409F74();
                                					WideCharToMultiByte(1, 0,  &_v2188, _t61, _v8, _t48, 0, 0);
                                					WriteFile(GetStdHandle(0xfffffff4), _v8, _t48,  &_v12, 0);
                                					WriteFile(GetStdHandle(0xfffffff4), 0x41f354, 2,  &_v12, 0);
                                				}
                                				_pop(_t56);
                                				 *[fs:eax] = _t56;
                                				_push(0x41f340);
                                				_t57 =  *0x41f1e4; // 0x41f1e8
                                				return E0040A098( &_v8, _t57);
                                			}

















                                APIs
                                  • Part of subcall function 0041F01C: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F1C8), ref: 0041F04F
                                  • Part of subcall function 0041F01C: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041F073
                                  • Part of subcall function 0041F01C: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041F08E
                                  • Part of subcall function 0041F01C: LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F129
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0041F339), ref: 0041F275
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F2A8
                                • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F2BA
                                • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F2C0
                                • GetStdHandle.KERNEL32(000000F4,0041F354,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041F2D4
                                • WriteFile.KERNEL32(00000000,000000F4,0041F354,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041F2DA
                                • LoadStringW.USER32(00000000,0000FFED,?,00000040), ref: 0041F2FE
                                • MessageBoxW.USER32(00000000,?,?,00002010), ref: 0041F318
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
                                • String ID:
                                • API String ID: 135118572-0
                                • Opcode ID: 8a5af0c3b883b9a601036e3df8e4cadaa873ce4eee9917cf014c469391d79651
                                • Instruction ID: b395f61791e0df98aef8ec842badcc0ffa5cccf14742596207c1dbdfc5c66452
                                • Opcode Fuzzy Hash: 8a5af0c3b883b9a601036e3df8e4cadaa873ce4eee9917cf014c469391d79651
                                • Instruction Fuzzy Hash: 58319371640208BEE714EB95DC83FEA73ACEB05704F904476BA04F71D1DA746E548B6D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 88%
                                			E00404464(signed int __eax, intOrPtr __edx, void* __edi) {
                                				signed int __ebx;
                                				void* __esi;
                                				signed int _t69;
                                				signed int _t78;
                                				signed int _t93;
                                				long _t94;
                                				void* _t100;
                                				signed int _t102;
                                				signed int _t109;
                                				signed int _t115;
                                				signed int _t123;
                                				signed int _t129;
                                				void* _t131;
                                				signed int _t140;
                                				unsigned int _t148;
                                				signed int _t150;
                                				long _t152;
                                				signed int _t156;
                                				intOrPtr _t161;
                                				signed int _t166;
                                				signed int _t170;
                                				unsigned int _t171;
                                				intOrPtr _t174;
                                				intOrPtr _t192;
                                				signed int _t195;
                                				signed int _t196;
                                				signed int _t197;
                                				void* _t205;
                                				unsigned int _t207;
                                				intOrPtr _t213;
                                				void* _t225;
                                				intOrPtr _t227;
                                				void* _t228;
                                				signed int _t230;
                                				void* _t232;
                                				signed int _t233;
                                				signed int _t234;
                                				signed int _t238;
                                				signed int _t241;
                                				void* _t243;
                                				intOrPtr* _t244;
                                
                                				_t176 = __edx;
                                				_t66 = __eax;
                                				_t166 =  *(__eax - 4);
                                				_t217 = __eax;
                                				if((_t166 & 0x00000007) != 0) {
                                					__eflags = _t166 & 0x00000005;
                                					if((_t166 & 0x00000005) != 0) {
                                						_pop(_t217);
                                						_pop(_t145);
                                						__eflags = _t166 & 0x00000003;
                                						if((_t166 & 0x00000003) == 0) {
                                							_push(_t145);
                                							_push(__eax);
                                							_push(__edi);
                                							_push(_t225);
                                							_t244 = _t243 + 0xffffffe0;
                                							_t218 = __edx;
                                							_t202 = __eax;
                                							_t69 =  *(__eax - 4);
                                							_t148 = (0xfffffff0 & _t69) - 0x14;
                                							if(0xfffffff0 >= __edx) {
                                								__eflags = __edx - _t148 >> 1;
                                								if(__edx < _t148 >> 1) {
                                									_t150 = E00403EE8(__edx);
                                									__eflags = _t150;
                                									if(_t150 != 0) {
                                										__eflags = _t218 - 0x40a2c;
                                										if(_t218 > 0x40a2c) {
                                											_t78 = _t202 - 0x10;
                                											__eflags = _t78;
                                											 *((intOrPtr*)(_t78 + 8)) = _t218;
                                										}
                                										E00403AA4(_t202, _t218, _t150);
                                										E0040426C(_t202, _t202, _t225);
                                									}
                                								} else {
                                									_t150 = __eax;
                                									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
                                								}
                                							} else {
                                								if(0xfffffff0 <= __edx) {
                                									_t227 = __edx;
                                								} else {
                                									_t227 = 0xbadb9d;
                                								}
                                								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
                                								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
                                								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
                                									L12:
                                									_t150 = E00403EE8(_t227);
                                									__eflags = _t150;
                                									if(_t150 != 0) {
                                										__eflags = _t227 - 0x40a2c;
                                										if(_t227 > 0x40a2c) {
                                											_t93 = _t150 - 0x10;
                                											__eflags = _t93;
                                											 *((intOrPtr*)(_t93 + 8)) = _t218;
                                										}
                                										E00403A74(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
                                										E0040426C(_t202, _t202, _t227);
                                									}
                                								} else {
                                									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
                                									_t94 =  *(_t244 + 0x10);
                                									if(_t218 - _t148 >= _t94) {
                                										goto L12;
                                									} else {
                                										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
                                										if(_t94 < _t152) {
                                											_t152 = _t94;
                                										}
                                										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
                                											goto L12;
                                										} else {
                                											_t100 = _t202 - 0x10;
                                											 *((intOrPtr*)(_t100 + 8)) = _t218;
                                											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
                                											_t150 = _t202;
                                										}
                                									}
                                								}
                                							}
                                							return _t150;
                                						} else {
                                							__eflags = 0;
                                							return 0;
                                						}
                                					} else {
                                						_t170 = _t166 & 0xfffffff0;
                                						_push(__edi);
                                						_t205 = _t170 + __eax;
                                						_t171 = _t170 - 4;
                                						_t156 = _t166 & 0x0000000f;
                                						__eflags = __edx - _t171;
                                						_push(_t225);
                                						if(__edx > _t171) {
                                							_t102 =  *(_t205 - 4);
                                							__eflags = _t102 & 0x00000001;
                                							if((_t102 & 0x00000001) == 0) {
                                								L75:
                                								asm("adc edi, 0xffffffff");
                                								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
                                								_t207 = _t171;
                                								_t109 = E00403EE8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
                                								_t192 = _t176;
                                								__eflags = _t109;
                                								if(_t109 == 0) {
                                									goto L73;
                                								} else {
                                									__eflags = _t228 - 0x40a2c;
                                									if(_t228 > 0x40a2c) {
                                										 *((intOrPtr*)(_t109 - 8)) = _t192;
                                									}
                                									_t230 = _t109;
                                									E00403A74(_t217, _t207, _t109);
                                									E0040426C(_t217, _t207, _t230);
                                									return _t230;
                                								}
                                							} else {
                                								_t115 = _t102 & 0xfffffff0;
                                								_t232 = _t171 + _t115;
                                								__eflags = __edx - _t232;
                                								if(__edx > _t232) {
                                									goto L75;
                                								} else {
                                									__eflags =  *0x4ad059;
                                									if(__eflags == 0) {
                                										L66:
                                										__eflags = _t115 - 0xb30;
                                										if(_t115 >= 0xb30) {
                                											E00403AC0(_t205);
                                											_t176 = _t176;
                                											_t171 = _t171;
                                										}
                                										asm("adc edi, 0xffffffff");
                                										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
                                										_t195 = _t232 + 4 - _t123;
                                										__eflags = _t195;
                                										if(_t195 > 0) {
                                											 *(_t217 + _t232 - 4) = _t195;
                                											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
                                											_t233 = _t123;
                                											__eflags = _t195 - 0xb30;
                                											if(_t195 >= 0xb30) {
                                												__eflags = _t123 + _t217;
                                												E00403B00(_t123 + _t217, _t171, _t195);
                                											}
                                										} else {
                                											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
                                											_t233 = _t232 + 4;
                                										}
                                										_t234 = _t233 | _t156;
                                										__eflags = _t234;
                                										 *(_t217 - 4) = _t234;
                                										 *0x4adae8 = 0;
                                										_t109 = _t217;
                                										L73:
                                										return _t109;
                                									} else {
                                										while(1) {
                                											asm("lock cmpxchg [0x4adae8], ah");
                                											if(__eflags == 0) {
                                												break;
                                											}
                                											asm("pause");
                                											__eflags =  *0x4ad989;
                                											if(__eflags != 0) {
                                												continue;
                                											} else {
                                												Sleep(0);
                                												_t176 = _t176;
                                												_t171 = _t171;
                                												asm("lock cmpxchg [0x4adae8], ah");
                                												if(__eflags != 0) {
                                													Sleep(0xa);
                                													_t176 = _t176;
                                													_t171 = _t171;
                                													continue;
                                												}
                                											}
                                											break;
                                										}
                                										_t156 = 0x0000000f &  *(_t217 - 4);
                                										_t129 =  *(_t205 - 4);
                                										__eflags = _t129 & 0x00000001;
                                										if((_t129 & 0x00000001) == 0) {
                                											L74:
                                											 *0x4adae8 = 0;
                                											goto L75;
                                										} else {
                                											_t115 = _t129 & 0xfffffff0;
                                											_t232 = _t171 + _t115;
                                											__eflags = _t176 - _t232;
                                											if(_t176 > _t232) {
                                												goto L74;
                                											} else {
                                												goto L66;
                                											}
                                										}
                                									}
                                								}
                                							}
                                						} else {
                                							__eflags = __edx + __edx - _t171;
                                							if(__edx + __edx < _t171) {
                                								__eflags = __edx - 0xb2c;
                                								if(__edx >= 0xb2c) {
                                									L41:
                                									_t32 = _t176 + 0xd3; // 0xbff
                                									_t238 = (_t32 & 0xffffff00) + 0x30;
                                									_t174 = _t171 + 4 - _t238;
                                									__eflags =  *0x4ad059;
                                									if(__eflags != 0) {
                                										while(1) {
                                											asm("lock cmpxchg [0x4adae8], ah");
                                											if(__eflags == 0) {
                                												break;
                                											}
                                											asm("pause");
                                											__eflags =  *0x4ad989;
                                											if(__eflags != 0) {
                                												continue;
                                											} else {
                                												Sleep(0);
                                												_t174 = _t174;
                                												asm("lock cmpxchg [0x4adae8], ah");
                                												if(__eflags != 0) {
                                													Sleep(0xa);
                                													_t174 = _t174;
                                													continue;
                                												}
                                											}
                                											break;
                                										}
                                										_t156 = 0x0000000f &  *(_t217 - 4);
                                										__eflags = 0xf;
                                									}
                                									 *(_t217 - 4) = _t156 | _t238;
                                									_t161 = _t174;
                                									_t196 =  *(_t205 - 4);
                                									__eflags = _t196 & 0x00000001;
                                									if((_t196 & 0x00000001) != 0) {
                                										_t131 = _t205;
                                										_t197 = _t196 & 0xfffffff0;
                                										_t161 = _t161 + _t197;
                                										_t205 = _t205 + _t197;
                                										__eflags = _t197 - 0xb30;
                                										if(_t197 >= 0xb30) {
                                											E00403AC0(_t131);
                                										}
                                									} else {
                                										 *(_t205 - 4) = _t196 | 0x00000008;
                                									}
                                									 *((intOrPtr*)(_t205 - 8)) = _t161;
                                									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
                                									__eflags = _t161 - 0xb30;
                                									if(_t161 >= 0xb30) {
                                										E00403B00(_t217 + _t238, _t174, _t161);
                                									}
                                									 *0x4adae8 = 0;
                                									return _t217;
                                								} else {
                                									__eflags = __edx - 0x2cc;
                                									if(__edx < 0x2cc) {
                                										_t213 = __edx;
                                										_t140 = E00403EE8(__edx);
                                										__eflags = _t140;
                                										if(_t140 != 0) {
                                											_t241 = _t140;
                                											E00403AA4(_t217, _t213, _t140);
                                											E0040426C(_t217, _t213, _t241);
                                											_t140 = _t241;
                                										}
                                										return _t140;
                                									} else {
                                										_t176 = 0xb2c;
                                										__eflags = _t171 - 0xb2c;
                                										if(_t171 <= 0xb2c) {
                                											goto L37;
                                										} else {
                                											goto L41;
                                										}
                                									}
                                								}
                                							} else {
                                								L37:
                                								return _t66;
                                							}
                                						}
                                					}
                                				} else {
                                					__ebx =  *__ecx;
                                					__ecx =  *(__ebx + 2) & 0x0000ffff;
                                					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                					__eflags = __ecx - __edx;
                                					if(__ecx < __edx) {
                                						__ecx = __ecx + __ecx + 0x20;
                                						_push(__edi);
                                						__edi = __edx;
                                						__eax = 0;
                                						__ecx = __ecx - __edx;
                                						asm("adc eax, 0xffffffff");
                                						__eax = 0 & __ecx;
                                						__eax = (0 & __ecx) + __edx;
                                						__eax = E00403EE8((0 & __ecx) + __edx);
                                						__eflags = __eax;
                                						if(__eax != 0) {
                                							__eflags = __edi - 0x40a2c;
                                							if(__edi > 0x40a2c) {
                                								 *(__eax - 8) = __edi;
                                							}
                                							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                							__edx = __eax;
                                							__edi = __eax;
                                							 *((intOrPtr*)(__ebx + 0x1c))() = E0040426C(__esi, __edi, __ebp);
                                							__eax = __edi;
                                						}
                                						_pop(__edi);
                                						_pop(__esi);
                                						_pop(__ebx);
                                						return __eax;
                                					} else {
                                						__ebx = 0x40 + __edx * 4;
                                						__eflags = 0x40 + __edx * 4 - __ecx;
                                						if(0x40 + __edx * 4 < __ecx) {
                                							__ebx = __edx;
                                							__eax = __edx;
                                							__eax = E00403EE8(__edx);
                                							__eflags = __eax;
                                							if(__eax != 0) {
                                								__ecx = __ebx;
                                								__edx = __eax;
                                								__ebx = __eax;
                                								__esi = E0040426C(__esi, __edi, __ebp);
                                								__eax = __ebx;
                                							}
                                							_pop(__esi);
                                							_pop(__ebx);
                                							return __eax;
                                						} else {
                                							_pop(__esi);
                                							_pop(__ebx);
                                							return __eax;
                                						}
                                					}
                                				}
                                			}


                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5439aca8df4603b27f37f25116b021730c29e514c4b4e173baf39aeb11cdd27a
                                • Instruction ID: 0a757bcfe66f4df8a837bb95f72d8b736428374affe9d1eaec42a64222243fb9
                                • Opcode Fuzzy Hash: 5439aca8df4603b27f37f25116b021730c29e514c4b4e173baf39aeb11cdd27a
                                • Instruction Fuzzy Hash: 83C115A27106000BD714AE7DDD8476ABA8A9BC5716F18827FF244EB3D6DA7CCD418348
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 88%
                                			E0040665C(signed char* __eax, void* __edx, void* __eflags) {
                                				void* _t49;
                                				signed char _t56;
                                				intOrPtr _t57;
                                				signed char _t59;
                                				void* _t70;
                                				signed char* _t71;
                                				intOrPtr _t72;
                                				signed char* _t73;
                                
                                				_t70 = __edx;
                                				_t71 = __eax;
                                				_t72 =  *((intOrPtr*)(__eax + 0x10));
                                				while(1) {
                                					L1:
                                					 *_t73 = E00406B04(_t71);
                                					if( *_t73 != 0 || _t70 == 0) {
                                						break;
                                					}
                                					_t73[1] = 0;
                                					if(_t72 <= 0) {
                                						while(1) {
                                							L17:
                                							_t56 =  *_t71;
                                							if(_t56 == 0) {
                                								goto L1;
                                							}
                                							asm("lock cmpxchg [esi], edx");
                                							if(_t56 != _t56) {
                                								continue;
                                							} else {
                                								goto L19;
                                							}
                                							do {
                                								L19:
                                								_t73[4] = GetTickCount();
                                								E00406860(_t71);
                                								_t57 =  *0x4ad8f8; // 0x4ab284
                                								 *((intOrPtr*)(_t57 + 0x10))();
                                								 *_t73 = 0 == 0;
                                								if(_t70 != 0xffffffff) {
                                									_t73[8] = GetTickCount();
                                									if(_t70 <= _t73[8] - _t73[4]) {
                                										_t70 = 0;
                                									} else {
                                										_t70 = _t70 - _t73[8] - _t73[4];
                                									}
                                								}
                                								if( *_t73 == 0) {
                                									do {
                                										asm("lock cmpxchg [esi], edx");
                                									} while ( *_t71 !=  *_t71);
                                									_t73[1] = 1;
                                								} else {
                                									while(1) {
                                										_t59 =  *_t71;
                                										if((_t59 & 0x00000001) != 0) {
                                											goto L29;
                                										}
                                										asm("lock cmpxchg [esi], edx");
                                										if(_t59 != _t59) {
                                											continue;
                                										}
                                										_t73[1] = 1;
                                										goto L29;
                                									}
                                								}
                                								L29:
                                							} while (_t73[1] == 0);
                                							if( *_t73 != 0) {
                                								_t71[8] = GetCurrentThreadId();
                                								_t71[4] = 1;
                                							}
                                							goto L32;
                                						}
                                						continue;
                                					}
                                					_t73[4] = GetTickCount();
                                					_t73[0xc] = 0;
                                					if(_t72 <= 0) {
                                						L13:
                                						if(_t70 == 0xffffffff) {
                                							goto L17;
                                						}
                                						_t73[8] = GetTickCount();
                                						_t49 = _t73[8] - _t73[4];
                                						if(_t70 > _t49) {
                                							_t70 = _t70 - _t49;
                                							goto L17;
                                						}
                                						 *_t73 = 0;
                                						break;
                                					}
                                					L5:
                                					L5:
                                					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
                                						goto L8;
                                					} else {
                                						 *_t73 = 0;
                                					}
                                					break;
                                					L8:
                                					if( *_t71 > 1) {
                                						goto L13;
                                					}
                                					if( *_t71 != 0) {
                                						L12:
                                						E0040633C( &(_t73[0xc]));
                                						_t72 = _t72 - 1;
                                						if(_t72 > 0) {
                                							goto L5;
                                						}
                                						goto L13;
                                					}
                                					asm("lock cmpxchg [esi], edx");
                                					if(0 != 0) {
                                						goto L12;
                                					}
                                					_t71[8] = GetCurrentThreadId();
                                					_t71[4] = 1;
                                					 *_t73 = 1;
                                					break;
                                				}
                                				L32:
                                				return  *_t73 & 0x000000ff;
                                			}












                                APIs
                                  • Part of subcall function 00406B04: GetCurrentThreadId.KERNEL32 ref: 00406B07
                                • GetTickCount.KERNEL32 ref: 00406693
                                • GetTickCount.KERNEL32 ref: 004066AB
                                • GetCurrentThreadId.KERNEL32 ref: 004066DA
                                • GetTickCount.KERNEL32 ref: 00406705
                                • GetTickCount.KERNEL32 ref: 0040673C
                                • GetTickCount.KERNEL32 ref: 00406766
                                • GetCurrentThreadId.KERNEL32 ref: 004067D6
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: CountTick$CurrentThread
                                • String ID:
                                • API String ID: 3968769311-0
                                • Opcode ID: 72bf5cf191fff23eea650aef81e54304f71ab1849b51d2c2f8be95d33ba0f9a3
                                • Instruction ID: d55af3395c34765ca91144e68d0792783d215dccc41bd3b69e0d2f57a8242420
                                • Opcode Fuzzy Hash: 72bf5cf191fff23eea650aef81e54304f71ab1849b51d2c2f8be95d33ba0f9a3
                                • Instruction Fuzzy Hash: C441A0712083418EE721AF7CC44432BBAD5AF84358F16893EE4DA973C1EB7DC8948756
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 36%
                                			E004063F8(void* __edx) {
                                				signed int _v8;
                                				intOrPtr _v12;
                                				char _v16;
                                				char* _t23;
                                				intOrPtr _t29;
                                				intOrPtr _t39;
                                				void* _t41;
                                				void* _t43;
                                				intOrPtr _t44;
                                
                                				_t41 = _t43;
                                				_t44 = _t43 + 0xfffffff4;
                                				_v16 = 0;
                                				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
                                					L10:
                                					_v8 = 0x40;
                                					goto L11;
                                				} else {
                                					_t23 =  &_v16;
                                					_push(_t23);
                                					_push(0);
                                					L00403808();
                                					if(_t23 != 0 || GetLastError() != 0x7a) {
                                						goto L10;
                                					} else {
                                						_v12 = E004053F0(_v16);
                                						_push(_t41);
                                						_push(E004064A6);
                                						_push( *[fs:edx]);
                                						 *[fs:edx] = _t44;
                                						_push( &_v16);
                                						_push(_v12);
                                						L00403808();
                                						_t29 = _v12;
                                						if(_v16 <= 0) {
                                							L8:
                                							_pop(_t39);
                                							 *[fs:eax] = _t39;
                                							_push(E004064AD);
                                							return E0040540C(_v12);
                                						} else {
                                							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
                                								_t29 = _t29 + 0x18;
                                								_v16 = _v16 - 0x18;
                                								if(_v16 > 0) {
                                									continue;
                                								} else {
                                									goto L8;
                                								}
                                								goto L12;
                                							}
                                							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
                                							E004071E4();
                                							L11:
                                							return _v8;
                                						}
                                					}
                                				}
                                				L12:
                                			}













                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 0040640D
                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00406413
                                • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040642F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AddressErrorHandleLastModuleProc
                                • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                • API String ID: 4275029093-79381301
                                • Opcode ID: 9a328c14a2360e788c5d7c27423bd1e3d2ec7813e67ce0fbf63762a3592cbdfc
                                • Instruction ID: 0ade09f5ec255af418c15bc26d56a5e77a61777008c3a3a20ffec8f8ea5cdbb2
                                • Opcode Fuzzy Hash: 9a328c14a2360e788c5d7c27423bd1e3d2ec7813e67ce0fbf63762a3592cbdfc
                                • Instruction Fuzzy Hash: 5E115E71D00204BEDB20EFA5D845B6EBBB8DB40715F1180BBF815B36C2D67D9A908A1D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 43%
                                			E0040768C(void* __ecx) {
                                				long _v4;
                                				void* _t3;
                                				void* _t9;
                                
                                				if( *0x4ad058 == 0) {
                                					if( *0x4a9032 == 0) {
                                						_push(0);
                                						_push("Error");
                                						_push("Runtime error     at 00000000");
                                						_push(0);
                                						L00403780();
                                					}
                                					return _t3;
                                				} else {
                                					if( *0x4ad344 == 0xd7b2 &&  *0x4ad34c > 0) {
                                						 *0x4ad35c();
                                					}
                                					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
                                					_t9 = E004081CC(0x407720);
                                					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
                                				}
                                			}







                                APIs
                                • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?,0040785E,004054DF,00405526,?,?,0040553F), ref: 004076C5
                                • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?,0040785E,004054DF,00405526,?,?), ref: 004076CB
                                • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?,?), ref: 004076E6
                                • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407744,?,?), ref: 004076EC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: FileHandleWrite
                                • String ID: Error$Runtime error at 00000000
                                • API String ID: 3320372497-2970929446
                                • Opcode ID: bcadf97d171622b971a48ef55ce44254769ff37e7ce13582472eefcd77e0394f
                                • Instruction ID: 8e7c00c9dcfef4ecea202c25e54e487df448fc8b33d2ce18683e8ba9e0f24e41
                                • Opcode Fuzzy Hash: bcadf97d171622b971a48ef55ce44254769ff37e7ce13582472eefcd77e0394f
                                • Instruction Fuzzy Hash: 8DF0C2E1E8820078EA207BA54C86F5B2A5C4752B2AF10493FF621B56C2C6BD5884872F
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 77%
                                			E00429208(short* __eax, intOrPtr __ecx, signed short* __edx) {
                                				char _v260;
                                				char _v768;
                                				char _v772;
                                				short* _v776;
                                				intOrPtr _v780;
                                				char _v784;
                                				signed int _v788;
                                				signed short* _v792;
                                				char _v796;
                                				char _v800;
                                				intOrPtr* _v804;
                                				signed short* _v808;
                                				void* __ebp;
                                				signed char _t55;
                                				signed int _t64;
                                				void* _t72;
                                				intOrPtr* _t83;
                                				void* _t103;
                                				void* _t105;
                                				void* _t108;
                                				void* _t109;
                                				intOrPtr* _t118;
                                				void* _t122;
                                				intOrPtr _t123;
                                				char* _t124;
                                				void* _t125;
                                
                                				_t110 = __ecx;
                                				_v780 = __ecx;
                                				_v808 = __edx;
                                				_v776 = __eax;
                                				if((_v808[0] & 0x00000020) == 0) {
                                					E00428EC8(0x80070057);
                                				}
                                				_t55 =  *_v808 & 0x0000ffff;
                                				if((_t55 & 0x00000fff) != 0xc) {
                                					_push(_v808);
                                					_push(_v776);
                                					L00427140();
                                					return E00428EC8(_v776);
                                				} else {
                                					if((_t55 & 0x00000040) == 0) {
                                						_v792 = _v808[4];
                                					} else {
                                						_v792 =  *(_v808[4]);
                                					}
                                					_v788 =  *_v792 & 0x0000ffff;
                                					_t103 = _v788 - 1;
                                					if(_t103 < 0) {
                                						L9:
                                						_push( &_v772);
                                						_t64 = _v788;
                                						_push(_t64);
                                						_push(0xc);
                                						L00427714();
                                						_t123 = _t64;
                                						if(_t123 == 0) {
                                							E00428C20(_t110);
                                						}
                                						E00429164(_v776);
                                						 *_v776 = 0x200c;
                                						 *((intOrPtr*)(_v776 + 8)) = _t123;
                                						_t105 = _v788 - 1;
                                						if(_t105 < 0) {
                                							L14:
                                							_t107 = _v788 - 1;
                                							if(E00429180(_v788 - 1, _t125) != 0) {
                                								L0042772C();
                                								E00428EC8(_v792);
                                								L0042772C();
                                								E00428EC8( &_v260);
                                								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                                							}
                                							_t72 = E004291B0(_t107, _t125);
                                						} else {
                                							_t108 = _t105 + 1;
                                							_t83 =  &_v768;
                                							_t118 =  &_v260;
                                							do {
                                								 *_t118 =  *_t83;
                                								_t118 = _t118 + 4;
                                								_t83 = _t83 + 8;
                                								_t108 = _t108 - 1;
                                							} while (_t108 != 0);
                                							do {
                                								goto L14;
                                							} while (_t72 != 0);
                                							return _t72;
                                						}
                                					} else {
                                						_t109 = _t103 + 1;
                                						_t122 = 0;
                                						_t124 =  &_v772;
                                						do {
                                							_v804 = _t124;
                                							_push(_v804 + 4);
                                							_t23 = _t122 + 1; // 0x1
                                							_push(_v792);
                                							L0042771C();
                                							E00428EC8(_v792);
                                							_push( &_v784);
                                							_t26 = _t122 + 1; // 0x1
                                							_push(_v792);
                                							L00427724();
                                							E00428EC8(_v792);
                                							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                							_t122 = _t122 + 1;
                                							_t124 = _t124 + 8;
                                							_t109 = _t109 - 1;
                                						} while (_t109 != 0);
                                						goto L9;
                                					}
                                				}
                                			}






























                                APIs
                                • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004292BD
                                • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004292D9
                                • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00429312
                                • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0042938F
                                • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004293A8
                                • VariantCopy.OLEAUT32(?,?), ref: 004293E3
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                • String ID:
                                • API String ID: 351091851-0
                                • Opcode ID: 2794ac47a9dfeb26b88a03ac4d1a853a299fb3d03b0a8c1988b6f7382be60e0b
                                • Instruction ID: ed5b5572db2c6aea52d03e12d037d8ed927b089f3383118c81215fa9c213cc81
                                • Opcode Fuzzy Hash: 2794ac47a9dfeb26b88a03ac4d1a853a299fb3d03b0a8c1988b6f7382be60e0b
                                • Instruction Fuzzy Hash: CC51DA75A012399BCB22DB59DD81BD9B3FCAF4C304F8041DAE508E7251DA34AF818F69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 85%
                                			E0041F01C(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* _a4) {
                                				intOrPtr _v8;
                                				intOrPtr _v12;
                                				char _v534;
                                				short _v1056;
                                				short _v1568;
                                				struct _MEMORY_BASIC_INFORMATION _v1596;
                                				char _v1600;
                                				intOrPtr _v1604;
                                				char _v1608;
                                				intOrPtr _v1612;
                                				char _v1616;
                                				intOrPtr _v1620;
                                				char _v1624;
                                				char* _v1628;
                                				char _v1632;
                                				char _v1636;
                                				char _v1640;
                                				intOrPtr _t55;
                                				signed int _t76;
                                				void* _t82;
                                				intOrPtr _t83;
                                				intOrPtr _t95;
                                				intOrPtr _t98;
                                				intOrPtr _t100;
                                				intOrPtr* _t102;
                                				void* _t105;
                                
                                				_v1640 = 0;
                                				_v8 = __ecx;
                                				_t82 = __edx;
                                				_t102 = __eax;
                                				_push(_t105);
                                				_push(0x41f1c8);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t105 + 0xfffff99c;
                                				VirtualQuery(__edx,  &_v1596, 0x1c);
                                				if(_v1596.State != 0x1000 || GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105) == 0) {
                                					GetModuleFileNameW( *0x4b0634,  &_v1056, 0x105);
                                					_v12 = E0041F010(_t82);
                                				} else {
                                					_v12 = _t82 - _v1596.AllocationBase;
                                				}
                                				E0041A69C( &_v534, 0x104, E004204FC() + 2);
                                				_t83 = 0x41f1dc;
                                				_t100 = 0x41f1dc;
                                				_t95 =  *0x414ecc; // 0x414f24
                                				if(E00405F48(_t102, _t95) != 0) {
                                					_t83 = E004084C8( *((intOrPtr*)(_t102 + 4)));
                                					_t76 = E00407ED8(_t83);
                                					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
                                						_t100 = 0x41f1e0;
                                					}
                                				}
                                				_t55 =  *0x4ac774; // 0x40e9f8
                                				_t18 = _t55 + 4; // 0xffec
                                				LoadStringW(E0040A364( *0x4b0634),  *_t18,  &_v1568, 0x100);
                                				E00405BC8( *_t102,  &_v1640);
                                				_v1636 = _v1640;
                                				_v1632 = 0x11;
                                				_v1628 =  &_v534;
                                				_v1624 = 0xa;
                                				_v1620 = _v12;
                                				_v1616 = 5;
                                				_v1612 = _t83;
                                				_v1608 = 0xa;
                                				_v1604 = _t100;
                                				_v1600 = 0xa;
                                				E0041A934(4,  &_v1636);
                                				E00407ED8(_v8);
                                				_pop(_t98);
                                				 *[fs:eax] = _t98;
                                				_push(0x41f1cf);
                                				return E004079F4( &_v1640);
                                			}






























                                APIs
                                • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F1C8), ref: 0041F04F
                                • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041F073
                                • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041F08E
                                • LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F129
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: FileModuleName$LoadQueryStringVirtual
                                • String ID: $OA
                                • API String ID: 3990497365-3057587682
                                • Opcode ID: 9e498a0eef0bc3ee9cc3e234d5bfc36b54bccd8d3492712c005ffcb68ea33541
                                • Instruction ID: d6d88cd0fe853d51226c3c26c9cb5cf48511ec36f022bd765e41d06481bb46b4
                                • Opcode Fuzzy Hash: 9e498a0eef0bc3ee9cc3e234d5bfc36b54bccd8d3492712c005ffcb68ea33541
                                • Instruction Fuzzy Hash: 92412170A002189FDB20DF69CD81BCABBF9AB59304F4044FAE508E7241D7799E95CF59
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 80%
                                			E00491184(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                				char _v5;
                                				char _v12;
                                				char _v16;
                                				char _v20;
                                				void* _t23;
                                				char _t29;
                                				void* _t50;
                                				intOrPtr _t55;
                                				char _t57;
                                				intOrPtr _t59;
                                				void* _t64;
                                				void* _t66;
                                				void* _t68;
                                				void* _t69;
                                				intOrPtr _t70;
                                
                                				_t64 = __edi;
                                				_t57 = __edx;
                                				_t50 = __ecx;
                                				_t68 = _t69;
                                				_t70 = _t69 + 0xfffffff0;
                                				_v20 = 0;
                                				if(__edx != 0) {
                                					_t70 = _t70 + 0xfffffff0;
                                					_t23 = E00406284(_t23, _t68);
                                				}
                                				_t49 = _t50;
                                				_v5 = _t57;
                                				_t66 = _t23;
                                				_push(_t68);
                                				_push(0x49127d);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t70;
                                				E00405C98(0);
                                				_t3 = _t66 + 0x2c; // 0x266461
                                				 *(_t66 + 0xf) =  *_t3 & 0x000000ff ^ 0x00000001;
                                				if(_t50 == 0 ||  *(_t66 + 0x2c) != 0) {
                                					_t29 = 0;
                                				} else {
                                					_t29 = 1;
                                				}
                                				 *((char*)(_t66 + 0xd)) = _t29;
                                				if( *(_t66 + 0x2c) != 0) {
                                					 *((intOrPtr*)(_t66 + 8)) = GetCurrentThread();
                                					 *((intOrPtr*)(_t66 + 4)) = GetCurrentThreadId();
                                				} else {
                                					if(_a4 == 0) {
                                						_t12 = _t66 + 4; // 0x48f520
                                						 *((intOrPtr*)(_t66 + 8)) = E004078B4(0, E00491090, 0, _t12, 4, _t66);
                                					} else {
                                						_t9 = _t66 + 4; // 0x48f520
                                						 *((intOrPtr*)(_t66 + 8)) = E004078B4(0, E00491090, _a4, _t9, 0x10004, _t66);
                                					}
                                					if( *((intOrPtr*)(_t66 + 8)) == 0) {
                                						E0041E0D0(GetLastError(), _t49, 0, _t66);
                                						_v16 = _v20;
                                						_v12 = 0x11;
                                						_t55 =  *0x4ac740; // 0x40ed5c
                                						E0041F47C(_t49, _t55, 1, _t64, _t66, 0,  &_v16);
                                						E004070F0();
                                					}
                                				}
                                				_pop(_t59);
                                				 *[fs:eax] = _t59;
                                				_push(0x491284);
                                				return E004079F4( &_v20);
                                			}



















                                APIs
                                • GetLastError.KERNEL32(00000000,0049127D,?,0048F51C,00000000), ref: 0049121F
                                  • Part of subcall function 004078B4: CreateThread.KERNEL32(?,?,Function_0000787C,00000000,?,?), ref: 0040790E
                                • GetCurrentThread.KERNEL32 ref: 00491257
                                • GetCurrentThreadId.KERNEL32 ref: 0049125F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Thread$Current$CreateErrorLast
                                • String ID: 47G$\@
                                • API String ID: 3539746228-2634516527
                                • Opcode ID: 78d5e28396d5c6bfe0eaf9a81ba77ed7bef2470bd980318d9d5ed6f6947695ac
                                • Instruction ID: fd641b35a7450a3fd1d4980a4b0f488d183fdc80e53fc3501e051f9b155edd51
                                • Opcode Fuzzy Hash: 78d5e28396d5c6bfe0eaf9a81ba77ed7bef2470bd980318d9d5ed6f6947695ac
                                • Instruction Fuzzy Hash: 6331F470904785AEDB11EB72C8427AB7FE4AF0A304F40C87FE595E76E1D638A444C759
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 34%
                                			E004A1750(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                				char _v8;
                                				char _v12;
                                				void* _t24;
                                				intOrPtr _t28;
                                				void* _t31;
                                				void* _t32;
                                				intOrPtr _t35;
                                
                                				_t32 = __esi;
                                				_t31 = __edi;
                                				_push(0);
                                				_push(0);
                                				_t24 = __eax;
                                				_push(_t35);
                                				_push(0x4a17da);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t35;
                                				if(( *0x4b36e5 & 0x00000001) == 0) {
                                					E004079F4( &_v8);
                                				} else {
                                					E00407E1C( &_v8, L"/ALLUSERS\r\nInstructs Setup to install in administrative install mode.\r\n/CURRENTUSER\r\nInstructs Setup to install in non administrative install mode.\r\n");
                                				}
                                				_push(L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n");
                                				_push(_v8);
                                				_push(_t24);
                                				_push(0x4a2a60);
                                				_push(L"For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline");
                                				E004087A4( &_v12, _t24, 5, _t31, _t32);
                                				MessageBoxW(0, E004084C8(_v12), L"Setup", 0x10);
                                				_pop(_t28);
                                				 *[fs:eax] = _t28;
                                				_push(E004A17E1);
                                				return E00407A54( &_v12, 2);
                                			}











                                APIs
                                • MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004A17BA
                                Strings
                                • For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline, xrefs: 004A1796
                                • Setup, xrefs: 004A17AA
                                • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 004A1788
                                • /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat, xrefs: 004A1774
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Message
                                • String ID: /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat$For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline$Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
                                • API String ID: 2030045667-3658955972
                                • Opcode ID: ceb808711e98851f50635005308cee1467cfb4ba77f42434b26f72a138f36514
                                • Instruction ID: 110cfd79ce70ca75f2a8f945fc7576142825d428e9a6a316e3da2a6fbd1868fc
                                • Opcode Fuzzy Hash: ceb808711e98851f50635005308cee1467cfb4ba77f42434b26f72a138f36514
                                • Instruction Fuzzy Hash: 0101A238344208BAE311EA91CD43F5EB7ACDB5A704F604477F500B26E1D6BC6A40952D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E0042F6DC(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __esi, void* __fp0) {
                                				signed int _v8;
                                				signed char _v9;
                                				signed int _v12;
                                				signed int _v14;
                                				void* _v20;
                                				void* _v24;
                                				signed short* _v28;
                                				signed short* _v32;
                                				signed int _v48;
                                				void* __ebp;
                                				signed int _t150;
                                				signed int _t272;
                                				intOrPtr _t328;
                                				intOrPtr _t331;
                                				intOrPtr _t339;
                                				intOrPtr _t347;
                                				intOrPtr _t355;
                                				void* _t361;
                                				void* _t363;
                                				intOrPtr _t364;
                                
                                				_t368 = __fp0;
                                				_t358 = __edi;
                                				_t361 = _t363;
                                				_t364 = _t363 + 0xffffffd4;
                                				_v8 = __ecx;
                                				_v32 = __edx;
                                				_v28 = __eax;
                                				_v9 = 1;
                                				_t272 =  *_v28 & 0x0000ffff;
                                				if((_t272 & 0x00000fff) >= 0x10f) {
                                					_t150 =  *_v32 & 0x0000ffff;
                                					if(_t150 != 0) {
                                						if(_t150 != 1) {
                                							if(E00430584(_t272,  &_v20) != 0) {
                                								_push( &_v14);
                                								if( *((intOrPtr*)( *_v20 + 8))() == 0) {
                                									_t275 =  *_v32 & 0x0000ffff;
                                									if(( *_v32 & 0xfff) >= 0x10f) {
                                										if(E00430584(_t275,  &_v24) != 0) {
                                											_push( &_v12);
                                											if( *((intOrPtr*)( *_v24 + 4))() == 0) {
                                												E00428ADC(0xb);
                                												goto L41;
                                											} else {
                                												if(( *_v28 & 0x0000ffff) == _v12) {
                                													_t143 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                													_v9 =  *(0x4ab3d2 + _v8 * 2 + _t143) & 0x000000ff;
                                													goto L41;
                                												} else {
                                													_push( &_v48);
                                													L00427130();
                                													_push(_t361);
                                													_push(0x42fad4);
                                													_push( *[fs:eax]);
                                													 *[fs:eax] = _t364;
                                													_t289 = _v12 & 0x0000ffff;
                                													E00429890( &_v48, _v12 & 0x0000ffff, _v28, __edi, __esi, __fp0);
                                													if((_v48 & 0x0000ffff) != _v12) {
                                														E004289E4(_t289);
                                													}
                                													_t131 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                													_v9 =  *(0x4ab3d2 + _v8 * 2 + _t131) & 0x000000ff;
                                													_pop(_t328);
                                													 *[fs:eax] = _t328;
                                													_push(0x42fb09);
                                													return E00429164( &_v48);
                                												}
                                											}
                                										} else {
                                											E00428ADC(0xb);
                                											goto L41;
                                										}
                                									} else {
                                										_push( &_v48);
                                										L00427130();
                                										_push(_t361);
                                										_push(0x42fa1b);
                                										_push( *[fs:eax]);
                                										 *[fs:eax] = _t364;
                                										_t294 =  *_v32 & 0x0000ffff;
                                										E00429890( &_v48,  *_v32 & 0x0000ffff, _v28, __edi, __esi, __fp0);
                                										if(( *_v32 & 0x0000ffff) != _v48) {
                                											E004289E4(_t294);
                                										}
                                										_v9 = E0042F4F4( &_v48, _v8, _v32, _t358, _t361, _t368);
                                										_pop(_t331);
                                										 *[fs:eax] = _t331;
                                										_push(0x42fb09);
                                										return E00429164( &_v48);
                                									}
                                								} else {
                                									if(( *_v32 & 0x0000ffff) == _v14) {
                                										_t95 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                										_v9 =  *(0x4ab3d2 + _v8 * 2 + _t95) & 0x000000ff;
                                										goto L41;
                                									} else {
                                										_push( &_v48);
                                										L00427130();
                                										_push(_t361);
                                										_push(0x42f976);
                                										_push( *[fs:eax]);
                                										 *[fs:eax] = _t364;
                                										_t299 = _v14 & 0x0000ffff;
                                										E00429890( &_v48, _v14 & 0x0000ffff, _v32, __edi, __esi, __fp0);
                                										if((_v48 & 0x0000ffff) != _v14) {
                                											E004289E4(_t299);
                                										}
                                										_t83 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                										_v9 =  *(0x4ab3d2 + _v8 * 2 + _t83) & 0x000000ff;
                                										_pop(_t339);
                                										 *[fs:eax] = _t339;
                                										_push(0x42fb09);
                                										return E00429164( &_v48);
                                									}
                                								}
                                							} else {
                                								E00428ADC(__ecx);
                                								goto L41;
                                							}
                                						} else {
                                							_v9 = E0042F274(_v8, 2);
                                							goto L41;
                                						}
                                					} else {
                                						_v9 = E0042F260(0, 1);
                                						goto L41;
                                					}
                                				} else {
                                					if(_t272 != 0) {
                                						if(_t272 != 1) {
                                							if(E00430584( *_v32 & 0x0000ffff,  &_v24) != 0) {
                                								_push( &_v12);
                                								if( *((intOrPtr*)( *_v24 + 4))() == 0) {
                                									_push( &_v48);
                                									L00427130();
                                									_push(_t361);
                                									_push(0x42f887);
                                									_push( *[fs:eax]);
                                									 *[fs:eax] = _t364;
                                									_t306 =  *_v28 & 0x0000ffff;
                                									E00429890( &_v48,  *_v28 & 0x0000ffff, _v32, __edi, __esi, __fp0);
                                									if((_v48 & 0xfff) !=  *_v28) {
                                										E004289E4(_t306);
                                									}
                                									_v9 = E0042F4F4(_v28, _v8,  &_v48, _t358, _t361, _t368);
                                									_pop(_t347);
                                									 *[fs:eax] = _t347;
                                									_push(0x42fb09);
                                									return E00429164( &_v48);
                                								} else {
                                									if(( *_v28 & 0x0000ffff) == _v12) {
                                										_t44 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                										_v9 =  *(0x4ab3d2 + _v8 * 2 + _t44) & 0x000000ff;
                                										goto L41;
                                									} else {
                                										_push( &_v48);
                                										L00427130();
                                										_push(_t361);
                                										_push(0x42f7f0);
                                										_push( *[fs:eax]);
                                										 *[fs:eax] = _t364;
                                										_t311 = _v12 & 0x0000ffff;
                                										E00429890( &_v48, _v12 & 0x0000ffff, _v28, __edi, __esi, __fp0);
                                										if((_v48 & 0xfff) != _v12) {
                                											E004289E4(_t311);
                                										}
                                										_t32 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                										_v9 =  *(0x4ab3d2 + _v8 * 2 + _t32) & 0x000000ff;
                                										_pop(_t355);
                                										 *[fs:eax] = _t355;
                                										_push(0x42fb09);
                                										return E00429164( &_v48);
                                									}
                                								}
                                							} else {
                                								E00428ADC(__ecx);
                                								goto L41;
                                							}
                                						} else {
                                							_v9 = E0042F274(_v8, 0);
                                							goto L41;
                                						}
                                					} else {
                                						_v9 = E0042F260(1, 0);
                                						L41:
                                						return _v9 & 0x000000ff;
                                					}
                                				}
                                			}























                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 74738e14bd11834c42270b1f526ff37a822d84726435ceec5f4335d4c6c5fa18
                                • Instruction ID: 66614a77be29197391dbf0046290447a78b6802db73ccca8e639b69c8d9a2377
                                • Opcode Fuzzy Hash: 74738e14bd11834c42270b1f526ff37a822d84726435ceec5f4335d4c6c5fa18
                                • Instruction Fuzzy Hash: 8AD16F74F002199FCF00DBA5D4928FEBBB5EF49300BD084BBE840A7351D638A949DB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 91%
                                			E00422D94(void* __eax, void* __ebx, char __ecx, short* __edx, void* __edi, void* __esi, intOrPtr _a4, char _a8) {
                                				char _v8;
                                				short* _v12;
                                				char _v16;
                                				int _v20;
                                				int _v24;
                                				signed int _t58;
                                				char _t66;
                                				intOrPtr _t82;
                                				void* _t87;
                                				signed int _t93;
                                				void* _t96;
                                
                                				_v8 = 0;
                                				_v16 = __ecx;
                                				_v12 = __edx;
                                				_t87 = __eax;
                                				_push(_t96);
                                				_push(0x422eca);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t96 + 0xffffffec;
                                				while(1) {
                                					_v24 = 0;
                                					if(RegQueryValueExW(_t87, _v12, 0,  &_v20, 0,  &_v24) != 0) {
                                						break;
                                					}
                                					_t9 =  &_a8; // 0x42300a
                                					if(_v20 ==  *_t9 || _v20 == _a4) {
                                						if(_v24 != 0) {
                                							__eflags = _v24 - 0x70000000;
                                							if(__eflags >= 0) {
                                								E0041F378();
                                							}
                                							_t80 = _v24 + 1 >> 1;
                                							E00407B7C( &_v8, _v24 + 1 >> 1, 0, __eflags);
                                							_t58 = RegQueryValueExW(_t87, _v12, 0,  &_v20, E00407F74( &_v8),  &_v24);
                                							__eflags = _t58 - 0xea;
                                							if(_t58 == 0xea) {
                                								continue;
                                							} else {
                                								__eflags = _t58;
                                								if(_t58 != 0) {
                                									break;
                                								}
                                								_t22 =  &_a8; // 0x42300a
                                								__eflags = _v20 -  *_t22;
                                								if(_v20 ==  *_t22) {
                                									L12:
                                									_t93 = _v24 >> 1;
                                									while(1) {
                                										__eflags = _t93;
                                										if(_t93 == 0) {
                                											break;
                                										}
                                										_t66 = _v8;
                                										__eflags =  *((short*)(_t66 + _t93 * 2 - 2));
                                										if( *((short*)(_t66 + _t93 * 2 - 2)) == 0) {
                                											_t93 = _t93 - 1;
                                											__eflags = _t93;
                                											continue;
                                										}
                                										break;
                                									}
                                									__eflags = _v20 - 7;
                                									if(_v20 == 7) {
                                										__eflags = _t93;
                                										if(_t93 != 0) {
                                											_t93 = _t93 + 1;
                                											__eflags = _t93;
                                										}
                                									}
                                									E00408644( &_v8, _t80, _t93);
                                									__eflags = _v20 - 7;
                                									if(_v20 == 7) {
                                										__eflags = _t93;
                                										if(_t93 != 0) {
                                											(E00407F74( &_v8))[_t93 * 2 - 2] = 0;
                                										}
                                									}
                                									_t37 =  &_v16; // 0x42300a
                                									E00407DD4( *_t37, _v8);
                                									break;
                                								}
                                								__eflags = _v20 - _a4;
                                								if(_v20 != _a4) {
                                									break;
                                								}
                                								goto L12;
                                							}
                                						} else {
                                							_t13 =  &_v16; // 0x42300a
                                							E004079F4( *_t13);
                                							break;
                                						}
                                					} else {
                                						break;
                                					}
                                				}
                                				_pop(_t82);
                                				 *[fs:eax] = _t82;
                                				_push(E00422ED1);
                                				return E004079F4( &_v8);
                                			}














                                APIs
                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00422ECA,?,004A1368,00000000), ref: 00422DD0
                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,70000000,?,?,00000000,00000000,00000000,?,00000000,00422ECA,?,004A1368), ref: 00422E3E
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: QueryValue
                                • String ID: 0B$0B
                                • API String ID: 3660427363-2047223620
                                • Opcode ID: 85ea2ee95df027a8257bc04a9519c47954d8331ee6ef31d063f3570c986b0507
                                • Instruction ID: 98124c36cd85d2e56ec74749d84b118a58c0a5b819721e5426fed98b2f6fb40a
                                • Opcode Fuzzy Hash: 85ea2ee95df027a8257bc04a9519c47954d8331ee6ef31d063f3570c986b0507
                                • Instruction Fuzzy Hash: AE414F31A00229BBDB14DB95DA81ABFB3B8FF14700F91446AE800B7290D778AE41D799
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 75%
                                			E0041C8B0(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
                                				char _v8;
                                				short _v18;
                                				short _v22;
                                				struct _SYSTEMTIME _v24;
                                				short _v536;
                                				short* _t32;
                                				intOrPtr* _t47;
                                				intOrPtr _t56;
                                				void* _t61;
                                				intOrPtr _t63;
                                				void* _t67;
                                
                                				_v8 = 0;
                                				_t47 = __edx;
                                				_t61 = __eax;
                                				_push(_t67);
                                				_push(0x41c993);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t67 + 0xfffffdec;
                                				E004079F4(__edx);
                                				_v24 =  *(_a4 - 2) & 0x0000ffff;
                                				_v22 =  *(_a4 - 4) & 0x0000ffff;
                                				_v18 =  *(_a4 - 6) & 0x0000ffff;
                                				if(_t61 > 2) {
                                					E00407E1C( &_v8, L"yyyy");
                                				} else {
                                					E00407E1C( &_v8, 0x41c9ac);
                                				}
                                				_t32 = E004084C8(_v8);
                                				if(GetDateFormatW(GetThreadLocale(), 4,  &_v24, _t32,  &_v536, 0x200) != 0) {
                                					E0040856C(_t47, 0x100,  &_v536);
                                					if(_t61 == 1 &&  *((short*)( *_t47)) == 0x30) {
                                						_t63 =  *_t47;
                                						if(_t63 != 0) {
                                							_t63 =  *((intOrPtr*)(_t63 - 4));
                                						}
                                						E0040888C( *_t47, _t63 - 1, 2, _t47);
                                					}
                                				}
                                				_pop(_t56);
                                				 *[fs:eax] = _t56;
                                				_push(0x41c99a);
                                				return E004079F4( &_v8);
                                			}















                                APIs
                                • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041C993), ref: 0041C936
                                • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041C993), ref: 0041C93C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: DateFormatLocaleThread
                                • String ID: $yyyy
                                • API String ID: 3303714858-404527807
                                • Opcode ID: df7dc0c0cfe83e2716fada29b3ec226a844ef90c6556877d7290f236e844f23c
                                • Instruction ID: 7872b70f8d9c9f4bf3ec9f73f967c83ea165cdf14193664953d7fcc649099f55
                                • Opcode Fuzzy Hash: df7dc0c0cfe83e2716fada29b3ec226a844ef90c6556877d7290f236e844f23c
                                • Instruction Fuzzy Hash: C8218371A502189BDB10EF55CD82AAEB3B8EF08740F5044BAF844E7291D6389E40C7AA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E0040AA3C(signed short __eax, void* __edx) {
                                				char _v8;
                                				char _v12;
                                				intOrPtr _v16;
                                				signed int _v20;
                                				short _v22;
                                				short _v24;
                                				char _v26;
                                				char _v32;
                                				void* __ebp;
                                				void* _t39;
                                				void* _t55;
                                				void* _t59;
                                				short* _t62;
                                				signed short _t66;
                                				void* _t67;
                                				void* _t68;
                                				signed short _t79;
                                				void* _t81;
                                
                                				_t81 = __edx;
                                				_t66 = __eax;
                                				_v16 = 0;
                                				if(__eax !=  *0x4afc08()) {
                                					_v16 = E0040A9F8( &_v8);
                                					_t79 = _t66;
                                					_v20 = 3;
                                					_t62 =  &_v26;
                                					do {
                                						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
                                						_t79 = (_t79 & 0x0000ffff) >> 4;
                                						_v20 = _v20 - 1;
                                						_t62 = _t62 - 2;
                                					} while (_v20 != 0xffffffff);
                                					_v24 = 0;
                                					_v22 = 0;
                                					 *0x4afc04(4,  &_v32,  &_v20);
                                				}
                                				_t39 = E0040A9F8( &_v12);
                                				_t67 = _t39;
                                				if(_t67 != 0) {
                                					_t55 = _v12 - 2;
                                					if(_t55 >= 0) {
                                						_t59 = _t55 + 1;
                                						_v20 = 0;
                                						do {
                                							if( *((short*)(_t67 + _v20 * 2)) == 0) {
                                								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
                                							}
                                							_v20 = _v20 + 1;
                                							_t59 = _t59 - 1;
                                						} while (_t59 != 0);
                                					}
                                					E00408530(_t81, _t67);
                                					_t39 = E0040540C(_t67);
                                				}
                                				if(_v16 != 0) {
                                					 *0x4afc04(0, 0,  &_v20);
                                					_t68 = E0040A9F8( &_v12);
                                					if(_v8 != _v12 || E0040A9D4(_v16, _v12, _t68) != 0) {
                                						 *0x4afc04(8, _v16,  &_v20);
                                					}
                                					E0040540C(_t68);
                                					return E0040540C(_v16);
                                				}
                                				return _t39;
                                			}






















                                APIs
                                • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040AA4D
                                • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040AAAB
                                • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040AB08
                                • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040AB3B
                                  • Part of subcall function 0040A9F8: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040AAB9), ref: 0040AA0F
                                  • Part of subcall function 0040A9F8: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040AAB9), ref: 0040AA2C
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Thread$LanguagesPreferred$Language
                                • String ID:
                                • API String ID: 2255706666-0
                                • Opcode ID: cd06836042f7dc8c715063394acf5e4e52feefd8764bcfa4f6b7f58fc5ac6852
                                • Instruction ID: b1904a49824afe99751246d4952eda1d7de773daf142b1b34e0f1b3e25ee96c1
                                • Opcode Fuzzy Hash: cd06836042f7dc8c715063394acf5e4e52feefd8764bcfa4f6b7f58fc5ac6852
                                • Instruction Fuzzy Hash: 07317A70A0021A9BDB10EBE9C885AAFB7B8FF04304F40427AE911F72D1DB789E45CB55
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 65%
                                			E0040E4A8(void* __ebx, void* __esi, struct HINSTANCE__* _a4, char _a8) {
                                				char _v8;
                                				_Unknown_base(*)()* _v12;
                                				CHAR* _t31;
                                				intOrPtr _t38;
                                				intOrPtr _t39;
                                				struct HINSTANCE__* _t41;
                                				void* _t43;
                                				void* _t44;
                                				intOrPtr _t45;
                                
                                				_t43 = _t44;
                                				_t45 = _t44 + 0xfffffff8;
                                				_v8 = 0;
                                				_t2 =  &_a8; // 0x42300a
                                				_t31 =  *_t2;
                                				_t41 = _a4;
                                				_push(_t43);
                                				_push(0x40e546);
                                				_push( *[fs:eax]);
                                				 *[fs:eax] = _t45;
                                				if(_t31 >> 0x10 != 0) {
                                					_push(_t43);
                                					 *[fs:eax] = _t45;
                                					E00407A18( &_v8);
                                					E00408104( &_v8, 0, _t31,  *[fs:eax]);
                                					_v12 = GetProcAddress(_t41, E004081CC(_v8));
                                					_t38 = 0x40e529;
                                					 *[fs:eax] = _t38;
                                					_push(E0040E530);
                                					return E00407A18( &_v8);
                                				} else {
                                					_v12 = GetProcAddress(_t41, _t31);
                                					_pop(_t39);
                                					 *[fs:eax] = _t39;
                                					_push(E0040E54D);
                                					return E00407A18( &_v8);
                                				}
                                			}













                                APIs
                                • GetProcAddress.KERNEL32(?,0B), ref: 0040E4D2
                                • GetProcAddress.KERNEL32(?,00000000), ref: 0040E50B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AddressProc
                                • String ID: 0B
                                • API String ID: 190572456-3041020555
                                • Opcode ID: 73c9e18d93592e43fe666bfe4bf432486626273dc5cba755a9ef1ec8c293c77a
                                • Instruction ID: 64ac29280dfebcd60019ca95f25d34e387ec400068b91dc547cac48b7599c2c3
                                • Opcode Fuzzy Hash: 73c9e18d93592e43fe666bfe4bf432486626273dc5cba755a9ef1ec8c293c77a
                                • Instruction Fuzzy Hash: 6D117770614608BFE701DF62DC5295EB7ACDB49718BA14C7BF404F26C1E63C5F109559
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 79%
                                			E00421B7C(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                				struct _cpinfo _v24;
                                				void* __ebp;
                                				void* _t14;
                                				struct _cpinfo _t20;
                                				void* _t23;
                                				void* _t29;
                                				int _t30;
                                				intOrPtr _t31;
                                				void* _t32;
                                				void* _t34;
                                				void* _t35;
                                				void* _t36;
                                				int _t40;
                                
                                				_t32 = __edx;
                                				_t30 = __ecx;
                                				if(__edx != 0) {
                                					_t36 = _t36 + 0xfffffff0;
                                					_t14 = E00406284(_t14, _t35);
                                				}
                                				_t29 = _t32;
                                				_t34 = _t14;
                                				if(_t30 != 0) {
                                					 *(_t34 + 0xc) = _t30;
                                				} else {
                                					 *(_t34 + 0xc) = GetACP();
                                				}
                                				 *((intOrPtr*)(_t34 + 0x10)) = _a8;
                                				 *((intOrPtr*)(_t34 + 0x14)) = _a4;
                                				_t40 = GetCPInfo( *(_t34 + 0xc),  &_v24);
                                				if(_t40 == 0) {
                                					_t31 =  *0x4ac694; // 0x40ec78
                                					E0041F440(_t31, 1);
                                					E004070F0();
                                				}
                                				_t20 = _v24;
                                				 *(_t34 + 8) = _t20;
                                				 *((char*)(_t34 + 4)) = _t20 - 0x00000001 & 0xffffff00 | _t40 == 0x00000000;
                                				_t23 = _t34;
                                				if(_t29 != 0) {
                                					E004062DC(_t23);
                                					_pop( *[fs:0x0]);
                                				}
                                				return _t34;
                                			}

















                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Info
                                • String ID: x@
                                • API String ID: 1807457897-1747526965
                                • Opcode ID: cf44248a1c658bdd47b36df632dd9645ef3597e39912394a14df77dcb10368e0
                                • Instruction ID: 462749be72c426496f1a41d89de2effdbae1b1a2d75a6ab79572deab56c71eea
                                • Opcode Fuzzy Hash: cf44248a1c658bdd47b36df632dd9645ef3597e39912394a14df77dcb10368e0
                                • Instruction Fuzzy Hash: 9C012631A006008FC320EF6AE881957BBF89F14358700853FFC49C7752E639E9008BA9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00422EE8(void* __eax, short* __ecx, void* __edx, void** _a4, char _a8, int _a12) {
                                				short* _t8;
                                				void* _t9;
                                				int _t10;
                                
                                				_t9 = __edx;
                                				_t8 = __ecx;
                                				_t1 =  &_a8; // 0x42300a
                                				_t10 =  *_t1;
                                				if(__eax == 2) {
                                					_t10 = _t10 | 0x00000100;
                                				}
                                				return RegOpenKeyExW(_t9, _t8, _a12, _t10, _a4);
                                			}







                                APIs
                                • RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,0B,?,00000000,?,00422FAA,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,0042300A), ref: 00422F04
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Open
                                • String ID: 0B$Control Panel\Desktop\ResourceLocale
                                • API String ID: 71445658-3141456704
                                • Opcode ID: 3b69ebcaa1c44acc297296391af532f1a488bbb5d67ca1580915a5ac9ed8a3b1
                                • Instruction ID: 754d8ca44475c60336da28a52261fe1ed214884b621adf6beb20dea320f59cf5
                                • Opcode Fuzzy Hash: 3b69ebcaa1c44acc297296391af532f1a488bbb5d67ca1580915a5ac9ed8a3b1
                                • Instruction Fuzzy Hash: ABD092729102287BAB109A89DC41DFB7B9DAB19360F41852AFD4497200C2B4AC519BE8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00420ACC() {
                                				void* __ebx;
                                				struct HINSTANCE__* _t1;
                                				void* _t4;
                                
                                				_t1 = GetModuleHandleW(L"kernel32.dll");
                                				_t3 = _t1;
                                				if(_t1 != 0) {
                                					_t1 = E0040E4A8(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
                                					 *0x4a9e30 = _t1;
                                				}
                                				if( *0x4a9e30 == 0) {
                                					 *0x4a9e30 = E0041A5FC;
                                					return E0041A5FC;
                                				}
                                				return _t1;
                                			}







                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00420BA8,00000000,00420BC0,?,?,00420B5D), ref: 00420AD2
                                  • Part of subcall function 0040E4A8: GetProcAddress.KERNEL32(?,0B), ref: 0040E4D2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.728039055.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000000.00000002.728030594.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728121150.00000000004A9000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728133904.00000000004B2000.00000004.00020000.sdmp
                                • Associated: 00000000.00000002.728145316.00000000004B6000.00000002.00020000.sdmp
                                • Associated: 00000000.00000002.728155965.00000000004B8000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: GetDiskFreeSpaceExW$kernel32.dll
                                • API String ID: 1646373207-1127948838
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Executed Functions

                                APIs
                                • AllocateAndInitializeSid.ADVAPI32(00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A4212
                                • GetVersion.KERNEL32(00000000,005A43BB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A422F
                                • GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,005A43BB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A4249
                                • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,005A43BB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A4264
                                • FreeSid.ADVAPI32(00000000,005A43C2,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A43B5
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.716722637.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000002.00000002.717810194.000000000064D000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717828451.000000000064E000.00000008.00020000.sdmp
                                • Associated: 00000002.00000002.717843458.000000000064F000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717897553.0000000000658000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717921745.000000000065D000.00000008.00020000.sdmp
                                • Associated: 00000002.00000002.717933378.000000000065F000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717951241.0000000000660000.00000002.00020000.sdmp
                                • Associated: 00000002.00000002.717982643.0000000000662000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AllocateCheckFreeHandleInitializeMembershipModuleTokenVersion
                                • String ID: CheckTokenMembership$advapi32.dll
                                • API String ID: 2691416632-1888249752
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040CE0C,?,?), ref: 0040CD7E
                                • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040CE0C,?,?), ref: 0040CD87
                                  • Part of subcall function 0040CBFC: FindFirstFileW.KERNEL32(00000000,?,00000000,0040CC5A,?,?), ref: 0040CC2F
                                  • Part of subcall function 0040CBFC: FindClose.KERNEL32(00000000,00000000,?,00000000,0040CC5A,?,?), ref: 0040CC3F
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                • String ID:
                                • API String ID: 3216391948-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetVersion.KERNEL32(00000000,00601112,?,00000000,00000000,?,00601128,?,00604C43), ref: 00601099
                                • CoCreateInstance.OLE32(00651B18,00000000,00000001,00651B28,00000000,00000000,00601112,?,00000000,00000000,?,00601128,?,00604C43), ref: 006010BF
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CreateInstanceVersion
                                • String ID:
                                • API String ID: 1462612201-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,00000000,005E9B87,?,?,?,00000000), ref: 005E9B61
                                • GetLastError.KERNEL32(00000000,?,00000000,005E9B87,?,?,?,00000000), ref: 005E9B69
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ErrorFileFindFirstLast
                                • String ID:
                                • API String ID: 873889042-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,00000000,0040CC5A,?,?), ref: 0040CC2F
                                • FindClose.KERNEL32(00000000,00000000,?,00000000,0040CC5A,?,?), ref: 0040CC3F
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Find$CloseFileFirst
                                • String ID:
                                • API String ID: 2295610775-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CA45,?,?), ref: 0040C859
                                • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040CA45,?,?), ref: 0040C8A2
                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040CA45,?,?), ref: 0040C8C4
                                • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040C8E2
                                • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040C900
                                • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040C91E
                                • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040C93C
                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040CA28,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040CA45), ref: 0040C97C
                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040CA28,?,80000001), ref: 0040C9A7
                                • RegCloseKey.ADVAPI32(?,0040CA2F,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040CA28,?,80000001,Software\Embarcadero\Locales), ref: 0040CA22
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Open$QueryValue$CloseFileModuleName
                                • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                • API String ID: 2701450724-3496071916
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SHGetKnownFolderPath.SHELL32(00652118,00008000,00000000,?,00000000,00634D6C,?,00000005,00000000,00000000,?,0063FF42,00000006,?,00000000,006404F8), ref: 00634C6D
                                • CoTaskMemFree.OLE32(?,00634CB0,?,00000005,00000000,00000000,?,0063FF42,00000006,?,00000000,006404F8,?,00000000,006405B7), ref: 00634CA3
                                • SHGetKnownFolderPath.SHELL32(00652128,00008000,00000000,?,?,00000005,00000000,00000000,?,0063FF42,00000006,?,00000000,006404F8,?,00000000), ref: 00634CC0
                                • CoTaskMemFree.OLE32(?,00634D03,?,00000005,00000000,00000000,?,0063FF42,00000006,?,00000000,006404F8,?,00000000,006405B7), ref: 00634CF6
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: FolderFreeKnownPathTask
                                • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                • API String ID: 969438705-544719455
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040F0F0
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ExceptionRaise
                                • String ID:
                                • API String ID: 3997070919-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,005EC784,005EC784,?,005EC784,00000000), ref: 005EC709
                                • CloseHandle.KERNEL32(006401DB,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,005EC784,005EC784,?,005EC784), ref: 005EC716
                                  • Part of subcall function 005EC4C0: WaitForInputIdle.USER32 ref: 005EC4EC
                                  • Part of subcall function 005EC4C0: MsgWaitForMultipleObjects.USER32 ref: 005EC50E
                                  • Part of subcall function 005EC4C0: GetExitCodeProcess.KERNEL32 ref: 005EC51F
                                  • Part of subcall function 005EC4C0: CloseHandle.KERNEL32(00000001,005EC54C,005EC545,?,?,?,00000001,?,?,005EC8EE,?,00000000,005EC904,?,?,?), ref: 005EC53F
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                • String ID: .bat$.cmd$0c$COMMAND.COM" /C $D$cmd.exe" /C "
                                • API String ID: 854858120-2923708497
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PeekMessageW.USER32 ref: 00596110
                                • IsWindowUnicode.USER32 ref: 00596124
                                • PeekMessageW.USER32 ref: 00596147
                                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0059615D
                                • TranslateMessage.USER32 ref: 005961E2
                                • DispatchMessageW.USER32 ref: 005961EF
                                • DispatchMessageA.USER32 ref: 005961F7
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
                                • String ID:
                                • API String ID: 2190272339-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetActiveWindow.USER32 ref: 005A57E7
                                • GetFocus.USER32(00000000,005A58CA,?,?,00000000,00000001,00000000,?,0060B8DB,0065916C,?,00000000,0064180A,?,00000001,00000000), ref: 005A57EF
                                • RegisterClassW.USER32 ref: 005A5810
                                • ShowWindow.USER32(00000000,00000008,00000000,00400000,00000000,41178000,00000000,00000000,00000000,00000000,80000000,00000000,00400000,00000000,00000000,00000000), ref: 005A58A8
                                • SetFocus.USER32(00000000,00000000,005A58CA,?,?,00000000,00000001,00000000,?,0060B8DB,0065916C,?,00000000,0064180A,?,00000001), ref: 005A58AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: FocusWindow$ActiveClassRegisterShow
                                • String ID: TWindowDisabler-Window
                                • API String ID: 495420250-1824977358
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetDC.USER32(00000000), ref: 005ABE5D
                                  • Part of subcall function 004D0694: EnterCriticalSection.KERNEL32(?,00000000,004D0903,?,?), ref: 004D06DC
                                • SelectObject.GDI32(006041FC,00000000), ref: 005ABE7F
                                • GetTextExtentPointW.GDI32(006041FC,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005ABE93
                                • GetTextMetricsW.GDI32(006041FC,?,00000000,005ABED8,?,00000000,?,?,006041FC), ref: 005ABEB5
                                • ReleaseDC.USER32 ref: 005ABED2
                                Strings
                                • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 005ABE8A
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Text$CriticalEnterExtentMetricsObjectPointReleaseSectionSelect
                                • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                • API String ID: 1334710084-222967699
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00635202,?,?,00000005,00000000,00000000,?,00641671,00000000,00641824,?,00000000,00641888), ref: 0063513B
                                • GetLastError.KERNEL32(00000000,00000000,00000000,00635202,?,?,00000005,00000000,00000000,?,00641671,00000000,00641824,?,00000000,00641888), ref: 00635144
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CreateDirectoryErrorLast
                                • String ID: Created temporary directory: $\_setup64.tmp$_isetup
                                • API String ID: 1375471231-2952887711
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040EFEC: GetModuleHandleW.KERNEL32(00000000,?,0064C4B3), ref: 0040EFF8
                                • GetWindowLongW.USER32(?,000000EC), ref: 0064C4C3
                                • SetWindowLongW.USER32 ref: 0064C4DF
                                • SetErrorMode.KERNEL32(00000001,00000000,0064C524,?,?,000000EC,00000000), ref: 0064C4F4
                                  • Part of subcall function 00641BBC: GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0064C4FE,00000001,00000000,0064C524,?,?,000000EC,00000000), ref: 00641BC6
                                  • Part of subcall function 0059624C: SendMessageW.USER32(?,0000B020,00000000,?), ref: 00596271
                                  • Part of subcall function 00595D5C: SetWindowTextW.USER32(?,00000000), ref: 00595D8D
                                • ShowWindow.USER32(?,00000005,00000000,0064C524,?,?,000000EC,00000000), ref: 0064C55E
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Window$HandleLongModule$ErrorMessageModeSendShowText
                                • String ID: Setup
                                • API String ID: 1533765661-3839654196
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Class$InfoLongRegisterUnregisterWindow
                                • String ID:
                                • API String ID: 4025006896-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WaitForInputIdle.USER32 ref: 005EC4EC
                                • MsgWaitForMultipleObjects.USER32 ref: 005EC50E
                                • GetExitCodeProcess.KERNEL32 ref: 005EC51F
                                • CloseHandle.KERNEL32(00000001,005EC54C,005EC545,?,?,?,00000001,?,?,005EC8EE,?,00000000,005EC904,?,?,?), ref: 005EC53F
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                • String ID:
                                • API String ID: 4071923889-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 005ABE4C: GetDC.USER32(00000000), ref: 005ABE5D
                                  • Part of subcall function 005ABE4C: SelectObject.GDI32(006041FC,00000000), ref: 005ABE7F
                                  • Part of subcall function 005ABE4C: GetTextExtentPointW.GDI32(006041FC,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005ABE93
                                  • Part of subcall function 005ABE4C: GetTextMetricsW.GDI32(006041FC,?,00000000,005ABED8,?,00000000,?,?,006041FC), ref: 005ABEB5
                                  • Part of subcall function 005ABE4C: ReleaseDC.USER32 ref: 005ABED2
                                • MulDiv.KERNEL32(K`,00000006,00000006), ref: 005AE729
                                • MulDiv.KERNEL32(?,?,0000000D), ref: 005AE740
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Text$ExtentMetricsObjectPointReleaseSelect
                                • String ID: K`
                                • API String ID: 844173074-3121505034
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,005EAE85,?,0065916C,?,00000003,00000000,00000000,?,006350D7,00000000,00635202), ref: 005EADD8
                                • GetLastError.KERNEL32(00000000,00000000,?,00000000,005EAE85,?,0065916C,?,00000003,00000000,00000000,?,006350D7,00000000,00635202), ref: 005EADE1
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CreateDirectoryErrorLast
                                • String ID: .tmp
                                • API String ID: 1375471231-2986845003
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,00634D51,00000000,00634D6C,?,00000005,00000000,00000000,?,0063FF42), ref: 00634A36
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Close
                                • String ID: RegisteredOrganization$RegisteredOwner
                                • API String ID: 3535843008-1113070880
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetFileVersionInfoSizeW.VERSION(00000000,?,?,?,?), ref: 005E92B0
                                • GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,005E9327,?,00000000,?,?,?,?), ref: 005E92DD
                                • VerQueryValueW.VERSION(?,005E9350,?,?,00000000,?,00000000,?,00000000,005E9327,?,00000000,?,?,?,?), ref: 005E92F7
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: FileInfoVersion$QuerySizeValue
                                • String ID:
                                • API String ID: 2179348866-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SendNotifyMessageW.USER32(001F0260,00000496,00002711,-00000001), ref: 00636DC4
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: MessageNotifySend
                                • String ID: MS PGothic
                                • API String ID: 3556456075-3532686627
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CreateWindow
                                • String ID: TWindowDisabler-Window
                                • API String ID: 716092398-1824977358
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 005A3F04: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005A45DE,?,00000000,?,005A457E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005A45DE), ref: 005A3F20
                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,?,?,00634B67,00000000,00634D6C,?,00000005,00000000,00000000), ref: 00634969
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion, xrefs: 0063493B
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.716722637.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000002.00000002.717810194.000000000064D000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717828451.000000000064E000.00000008.00020000.sdmp
                                • Associated: 00000002.00000002.717843458.000000000064F000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717897553.0000000000658000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717921745.000000000065D000.00000008.00020000.sdmp
                                • Associated: 00000002.00000002.717933378.000000000065F000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717951241.0000000000660000.00000002.00020000.sdmp
                                • Associated: 00000002.00000002.717982643.0000000000662000.00000002.00020000.sdmp
                                Similarity
                                • API ID: CloseOpen
                                • String ID: Software\Microsoft\Windows\CurrentVersion
                                • API String ID: 47109696-1019749484
                                • Opcode ID: 5b80d210c8d1c42326ca72b54559c4e31d057b30236668584ac3ef7cbc8fb183
                                • Instruction ID: 40f6d115b2434a2897c65565ea69f525a8c7835f1e026d357e97333cbc914d4f
                                • Opcode Fuzzy Hash: 5b80d210c8d1c42326ca72b54559c4e31d057b30236668584ac3ef7cbc8fb183
                                • Instruction Fuzzy Hash: 9FF0A7317041146BDB00A5DEAD42BAFE7DD9BC5768F20007AF544D7392DEA5EE0143E4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005A45DE,?,00000000,?,005A457E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005A45DE), ref: 005A3F20
                                Strings
                                • Control Panel\Desktop\ResourceLocale, xrefs: 005A3F1E
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Open
                                • String ID: Control Panel\Desktop\ResourceLocale
                                • API String ID: 71445658-1109908249
                                • Opcode ID: 4f303e7e954f70e2c87fdb7f58bbe22084279b80d37b2e5f69bd15cafff4530a
                                • Instruction ID: ffac0b243a5b93095826e0e7a89ad4b0c07d31fc352b7fc0fa689479419298c5
                                • Opcode Fuzzy Hash: 4f303e7e954f70e2c87fdb7f58bbe22084279b80d37b2e5f69bd15cafff4530a
                                • Instruction Fuzzy Hash: C2D0C9729102287BAB00AA89DC41DFB77ADEB1A760F44841AFE0897100C2B4ED918BF4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindNextFileW.KERNEL32(000000FF,?,00000000,005EB74E,?,00000000,005EB7C2,?,?,?,0063534D,00000000,0063529C,00000000,00000000,00000001), ref: 005EB72A
                                • FindClose.KERNEL32(000000FF,005EB755,005EB74E,?,00000000,005EB7C2,?,?,?,0063534D,00000000,0063529C,00000000,00000000,00000001,00000001), ref: 005EB748
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Find$CloseFileNext
                                • String ID:
                                • API String ID: 2066263336-0
                                • Opcode ID: 4b0de0f42426be1c71a49a55170065b211cf8efed66cc8864226c1dddf2a8942
                                • Instruction ID: d855b5fe1e20cba4a74742df1c09306256b94b962aeaf4ebbc7e9e1c45004741
                                • Opcode Fuzzy Hash: 4b0de0f42426be1c71a49a55170065b211cf8efed66cc8864226c1dddf2a8942
                                • Instruction Fuzzy Hash: 2B818F309082C99AEF29DFA6C9457EEBFB5FF85301F1441AAE89463691C7349E44CB60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,?,00000000,005A3E1A,?,00636DF4,00000000,00000000), ref: 005A3D20
                                • RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,70000000,00000001,?,00000000,00000000,00000000,?,00000000,005A3E1A,?,00636DF4), ref: 005A3D8E
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: QueryValue
                                • String ID:
                                • API String ID: 3660427363-0
                                • Opcode ID: e4ed9c41878e857ee8f646572edc688f408fd9a34fb8bd9d6d7328e311373610
                                • Instruction ID: a6d9077da32777e36d38ba64d4e6fecbf4c5e5258f170a35fd57c996a8a57a4f
                                • Opcode Fuzzy Hash: e4ed9c41878e857ee8f646572edc688f408fd9a34fb8bd9d6d7328e311373610
                                • Instruction Fuzzy Hash: 19413A71A00119EFDB10DF95C982AEEBBB8FB46748F50446AF801B7290D734AF448B95
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetUserDefaultUILanguage.KERNEL32(00000000,0040CF2F,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CFB6,00000000,?,00000105), ref: 0040CEC3
                                • GetSystemDefaultUILanguage.KERNEL32(00000000,0040CF2F,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040CFB6,00000000,?,00000105), ref: 0040CEEB
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: DefaultLanguage$SystemUser
                                • String ID:
                                • API String ID: 384301227-0
                                • Opcode ID: c08593278f2acc9eb0caa773162e349b273b0cdcde15bb0f2a9fcafb0bd50602
                                • Instruction ID: 55d412cfb3b799a6d33ec5c55340b9471f9e8a02532c6bbbd58f985ac8bca56a
                                • Opcode Fuzzy Hash: c08593278f2acc9eb0caa773162e349b273b0cdcde15bb0f2a9fcafb0bd50602
                                • Instruction Fuzzy Hash: 57312F70A14209DFDB10EB99C9C1AAEB7B5EB44704F60467BE400B73D1DB78AD41CB99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateProcessW.KERNEL32 ref: 005E9900
                                • GetLastError.KERNEL32(00000000,00000000,0065916C,?,?,0060B788,00000000,0060B76C,?,00000000,00000000,005E9926,?,?,00000000,00000001), ref: 005E9908
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CreateErrorLastProcess
                                • String ID:
                                • API String ID: 2919029540-0
                                • Opcode ID: 735ff4dcca9c3c3e0ef12f873b75c697f1bddc78cde2600592a0d9cf895f3982
                                • Instruction ID: 65599f7473e29599ee384ff62e3384456179fa34052a55ea76638c71db84d559
                                • Opcode Fuzzy Hash: 735ff4dcca9c3c3e0ef12f873b75c697f1bddc78cde2600592a0d9cf895f3982
                                • Instruction Fuzzy Hash: 8F113C72604248AF8B54CEAADC41DDBBBECEB8D350B11456AF908D3201D634ED108764
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                • GetProcAddress.KERNEL32(?,00000000), ref: 004121D7
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: AddressProc
                                • String ID:
                                • API String ID: 190572456-0
                                • Opcode ID: 0ba5fe61560f27676b41c1adef95d7e1e8ae8f412f5d6776b5b07b083d9e533d
                                • Instruction ID: c235e8af4864aa2492a3e9253a8948da1b1d6369952aa228640533ef2e312267
                                • Opcode Fuzzy Hash: 0ba5fe61560f27676b41c1adef95d7e1e8ae8f412f5d6776b5b07b083d9e533d
                                • Instruction Fuzzy Hash: 8211E570614608BFD701DF61CE529DEB7ACEB4A714BA144BBF804E3281DB785E14A668
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CFF6,?,00400000,0064DC28), ref: 0040CF78
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CFF6,?,00400000,0064DC28), ref: 0040CFC9
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: FileLibraryLoadModuleName
                                • String ID:
                                • API String ID: 1159719554-0
                                • Opcode ID: 464859309196379f67021aea7ea27efbc712f53039171fb3208da62640459a80
                                • Instruction ID: bcd7cfb62d12acf44e760b2cc37d5a9a6c3f2f2744d4c9653b1ef10c08e20f9b
                                • Opcode Fuzzy Hash: 464859309196379f67021aea7ea27efbc712f53039171fb3208da62640459a80
                                • Instruction Fuzzy Hash: 6311BF71A4020CEBDB20EF60CC86BDEB3B9DB44704F5145BAB408B32C1DA785F80CA99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentThreadId.KERNEL32 ref: 005896EA
                                • EnumThreadWindows.USER32(00000000,00589648,00000000), ref: 005896F0
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Thread$CurrentEnumWindows
                                • String ID:
                                • API String ID: 2396873506-0
                                • Opcode ID: 75ac60d46e3e3d99b6ec54f71af33327ca8794d0b06dc6ededf12c2e6de00f5a
                                • Instruction ID: fba9a751c5d83f74837f6714f94623ecca1d81e4ac093f1fe10b235fdb0012bb
                                • Opcode Fuzzy Hash: 75ac60d46e3e3d99b6ec54f71af33327ca8794d0b06dc6ededf12c2e6de00f5a
                                • Instruction Fuzzy Hash: 9911CCB4A14344AFD701CF6AEC51B66BFE9F34B790F699A6AE800D7760E7745900CB20
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetErrorMode.KERNEL32(00008000,00000000), ref: 0042857E
                                • LoadLibraryW.KERNEL32(00000000,00000000,004285C8,?,00000000,004285E6,?,00008000,00000000), ref: 004285AD
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ErrorLibraryLoadMode
                                • String ID:
                                • API String ID: 2987862817-0
                                • Opcode ID: b888b82b72268303b6d78acdab932a1c788b7d79e5a0c83aeae9fb43575f317d
                                • Instruction ID: ba6c2c3bca7b28f84dca392f2503051b26451b7b25f23774df3a0d956cb4e674
                                • Opcode Fuzzy Hash: b888b82b72268303b6d78acdab932a1c788b7d79e5a0c83aeae9fb43575f317d
                                • Instruction Fuzzy Hash: DEF08970614704BFDB115F769C5245E7AECDB49B047524879F810E2591E67C5910C568
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetWindowTextW.USER32(?,00000000), ref: 00595D8D
                                • SetWindowTextW.USER32(?,00000000), ref: 00595DA3
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: TextWindow
                                • String ID:
                                • API String ID: 530164218-0
                                • Opcode ID: 1e012cd9f16be89ec969d60e22c67e861dd83a1908bfb1db5042d541c5b039de
                                • Instruction ID: a39920f6514ab203883019037f4e0da70a62f8b8a1a5e564c376582ff4f678a7
                                • Opcode Fuzzy Hash: 1e012cd9f16be89ec969d60e22c67e861dd83a1908bfb1db5042d541c5b039de
                                • Instruction Fuzzy Hash: 07F0A7613006006ADF56AA19C988BDB2A98AF85714F0C00BBFD08DF247DB785E518365
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SHGetKnownFolderPath.SHELL32(00652128,00008000,00000000,?,?,00000005,00000000,00000000,?,0063FF42,00000006,?,00000000,006404F8,?,00000000), ref: 00634CC0
                                • CoTaskMemFree.OLE32(?,00634D03,?,00000005,00000000,00000000,?,0063FF42,00000006,?,00000000,006404F8,?,00000000,006405B7), ref: 00634CF6
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: FolderFreeKnownPathTask
                                • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                • API String ID: 969438705-544719455
                                • Opcode ID: eeab8ec3b9ead7c4d94d987ac522c95889da51d7318b019910fd38d236887a54
                                • Instruction ID: a4d03600e844f9dcca3baf2253d9fa5777550983b49c21ddfd523ccf04340a6d
                                • Opcode Fuzzy Hash: eeab8ec3b9ead7c4d94d987ac522c95889da51d7318b019910fd38d236887a54
                                • Instruction Fuzzy Hash: 42E0D870744705BFE711DBA1DD12F1AB7A9FB49B00F724475F900D7990DA78BD008664
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindResourceW.KERNEL32(00000000,00000000,0000000A,?,108B0065,00000000,0045A04F,?,00459F70,00000000,00459F88,?,0000FFA2,00000000,00000000), ref: 00458726
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: FindResource
                                • String ID:
                                • API String ID: 1635176832-0
                                • Opcode ID: 8b37c83a89fc887146436e5f481fed26e5378614ba831f77972062288ec74b0f
                                • Instruction ID: dfa4557557347a9381fdef1e375365ad7b87b907f69f5d2ad3143fd039e27e84
                                • Opcode Fuzzy Hash: 8b37c83a89fc887146436e5f481fed26e5378614ba831f77972062288ec74b0f
                                • Instruction Fuzzy Hash: AB01F271300300ABE700EF6ADC8292AB7EDDB89715B21003EFD00E7252DE79AC09C628
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,?,?,0043EB1C,0045EF45,00000000,0045F030,?,?,0043EB1C), ref: 00420EC9
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.716722637.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000002.00000002.717810194.000000000064D000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717828451.000000000064E000.00000008.00020000.sdmp
                                • Associated: 00000002.00000002.717843458.000000000064F000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717897553.0000000000658000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717921745.000000000065D000.00000008.00020000.sdmp
                                • Associated: 00000002.00000002.717933378.000000000065F000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717951241.0000000000660000.00000002.00020000.sdmp
                                • Associated: 00000002.00000002.717982643.0000000000662000.00000002.00020000.sdmp
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                • API String ID: 823142352-0
                                • Opcode ID: 58f81754850b267197efe6fc049d19036def0bed1eea641d976781380e4eba7d
                                • Instruction ID: bc8b568c40745a41643234ea4b12d2ba80a47ad4594f4256b79279a04afc93fd
                                • Opcode Fuzzy Hash: 58f81754850b267197efe6fc049d19036def0bed1eea641d976781380e4eba7d
                                • Instruction Fuzzy Hash: 4DE048F7B1056466F710669D9C81FA751498742775F0A0536FB50DB3D1C155DC4182E4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005A98F2,00000000,005A9943,?,005A9B24), ref: 005A4A8B
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: FormatMessage
                                • String ID:
                                • API String ID: 1306739567-0
                                • Opcode ID: b5d9aa525f93bf5f30fef719de4470e90307dc61337520d2021a84c47c44d69d
                                • Instruction ID: 688962f965b31ccd769d88c12d4ccc9817239dbef5138d7eb3694c08f09830b6
                                • Opcode Fuzzy Hash: b5d9aa525f93bf5f30fef719de4470e90307dc61337520d2021a84c47c44d69d
                                • Instruction Fuzzy Hash: 2EE026727D430222F32421844C03B7E160BA7C5B00FE4C8397780DD2D6EAF99855879E
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetFileAttributesW.KERNEL32(00000000,00000000,005A2D3E,?,00000000,00000000,?,005A2D8E,00000000,005E9AE9,00000000,005E9B0A,?,00000000,00000000,00000000), ref: 005A2D21
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                • Opcode ID: 5542e21e023cfb7fdc8093738e2e38422ceced4b888513ffc5a0c365df1752c1
                                • Instruction ID: dd39fcb6bfc3c441fc53a6c008be7af00bd88b81f2f6c9d2120c2de2a14094b4
                                • Opcode Fuzzy Hash: 5542e21e023cfb7fdc8093738e2e38422ceced4b888513ffc5a0c365df1752c1
                                • Instruction Fuzzy Hash: ABE09231304308BBD701EAB5CD5395DB7ACE78AB00F910875F500E7692D6786E008418
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleFileNameW.KERNEL32(00400000,?,0000020A), ref: 0040BCCE
                                  • Part of subcall function 0040CF3C: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040CFF6,?,00400000,0064DC28), ref: 0040CF78
                                  • Part of subcall function 0040CF3C: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040CFF6,?,00400000,0064DC28), ref: 0040CFC9
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: FileModuleName$LibraryLoad
                                • String ID:
                                • API String ID: 4113206344-0
                                • Opcode ID: fb461025cbe681df2a143f1f7a0c40bf3d41b7aceca76d0f144364663fdcf8d6
                                • Instruction ID: 1f5600aeeeef4e32b1f9c7225543f83e9437731e2d57e16c847b264f9fd5aaae
                                • Opcode Fuzzy Hash: fb461025cbe681df2a143f1f7a0c40bf3d41b7aceca76d0f144364663fdcf8d6
                                • Instruction Fuzzy Hash: 29E039B1A003109BDB10DF58C8C1A5737D8AB08714F004A6AAC24EF386D374CD1087D9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetFileAttributesW.KERNEL32(00000000,00000000,005AB113,00000000), ref: 005A2D57
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                • Opcode ID: e33f76ddfdf39103893fc8d0be439ec3405ae6192abe25d28d9678d0b62f2748
                                • Instruction ID: 20ba1d387bb6d0fe541888f194cd28f04d00cddf974e1c0a5f4b06361d413e52
                                • Opcode Fuzzy Hash: e33f76ddfdf39103893fc8d0be439ec3405ae6192abe25d28d9678d0b62f2748
                                • Instruction Fuzzy Hash: 68C08CB133120006AE34A5BD1DC728D0288990A6387244E6AF028E21D3D23998A32024
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateMutexW.KERNEL32(?,00000001,00000000,?,00641593,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006418B7,?,?,00000000), ref: 00411FFA
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CreateMutex
                                • String ID:
                                • API String ID: 1964310414-0
                                • Opcode ID: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                • Instruction ID: 17771853574b2dc6cb8315a9c587b9dce1d3e72867bd59f58d8409b472a021cf
                                • Opcode Fuzzy Hash: 21e0619b74412fae9514185c35c6bd95fbb7b52f213a822672066e7264c0ded7
                                • Instruction Fuzzy Hash: B1C01273150248AF8B00EEA9CC05D9B33DC5718609F008419F518C7110C239E5908B60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetCurrentDirectoryW.KERNEL32(00000000,?,00640DC2,00000000,00640FCF,?,?,00000005,00000000,00641008,?,?,00000000), ref: 004216D7
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CurrentDirectory
                                • String ID:
                                • API String ID: 1611563598-0
                                • Opcode ID: 0560a588341776e1a24a554ebae2b1a4e19a55e1a660f563376fe8c02dc871f0
                                • Instruction ID: 564d134ef7185f85f8d01be3fce57125d53e0ced79d182862342ca5686891228
                                • Opcode Fuzzy Hash: 0560a588341776e1a24a554ebae2b1a4e19a55e1a660f563376fe8c02dc871f0
                                • Instruction Fuzzy Hash: ADB012F37302408ADE0079FE0CC1A0D00CC950D60E7100C3FB415D3103D47EC8540118
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetErrorMode.KERNEL32(?,004285ED), ref: 004285E0
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ErrorMode
                                • String ID:
                                • API String ID: 2340568224-0
                                • Opcode ID: ade7a1d517dbef6a3e356a02d8a129981931f4a0d0732e0555545bb657248ec9
                                • Instruction ID: 568c60eda5aa1572bc2e1142576596c1e9a0f01cb60d8405de23d4eee8032556
                                • Opcode Fuzzy Hash: ade7a1d517dbef6a3e356a02d8a129981931f4a0d0732e0555545bb657248ec9
                                • Instruction Fuzzy Hash: 61B09B7670C2047DEB05D6E5791156C63D4D7C47103E1487BF414C2540D97CA450C618
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: InfoSystem
                                • String ID:
                                • API String ID: 31276548-0
                                • Opcode ID: 3c697633d840bb24647ac05e8ba59606fced48aa54a110b736518492aea7a936
                                • Instruction ID: 47ab257af6e364695ea890f9b43c82e37ccfc4e8ddd737aab863078b62403aa0
                                • Opcode Fuzzy Hash: 3c697633d840bb24647ac05e8ba59606fced48aa54a110b736518492aea7a936
                                • Instruction Fuzzy Hash: 0DA012108084001AC404BB194C4340F39C45941514FC40264745CB56C2E61A866403DB
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,?,?,004F30BB,004F5680,?,?,?,00000000,?,0058A7BB), ref: 0046D7D2
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: e4efb3cacb048bf1adda2bb082639a98ffeceb59c7158f40635c8fa6bce7aa5c
                                • Instruction ID: 1db4a87fc098e97a082929d32093da3ecdd6da744adc7e423a13c95d542fb6ec
                                • Opcode Fuzzy Hash: e4efb3cacb048bf1adda2bb082639a98ffeceb59c7158f40635c8fa6bce7aa5c
                                • Instruction Fuzzy Hash: 5C115A78B003059FC710DF19C880B92FBE5EF98351F10C53AE9589B785E774E8048BAA
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,-00000004,000000BF,00404283,0000001B,00404828,02628810,00407262,00407603,?,00000000,02628810,004072D1), ref: 00403C83
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 0f1367d0f5c35e37497b23dbda582d6566936f2873303db932a3e6ab1e984a52
                                • Instruction ID: aea4181c5ef3fe23b5b26a0d5ce4752f4b4066b60672ec6448a665f9873dc325
                                • Opcode Fuzzy Hash: 0f1367d0f5c35e37497b23dbda582d6566936f2873303db932a3e6ab1e984a52
                                • Instruction Fuzzy Hash: 62F0AFF2B003214FE714DF789D41702BBE6E704796F11417EE989EB794D7B099018784
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                APIs
                                • GetTickCount.KERNEL32 ref: 0060C1EC
                                • QueryPerformanceCounter.KERNEL32(025DF200,00000000,0060C47F,?,?,025DF200,00000000,?,0060CE7E,?,025DF200,00000000), ref: 0060C1F5
                                • GetSystemTimeAsFileTime.KERNEL32(025DF200,025DF200,00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0060C1FF
                                • GetCurrentProcessId.KERNEL32(?,025DF200,00000000,0060C47F,?,?,025DF200,00000000,?,0060CE7E,?,025DF200,00000000), ref: 0060C208
                                • CreateNamedPipeW.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0060C27E
                                • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0060C28C
                                • CreateFileW.KERNEL32(00000000,C0000000,00000000,00651F4C,00000003,00000000,00000000,00000000,0060C43B,?,00000000,40080003,00000006,00000001,00002000,00002000), ref: 0060C2D4
                                • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,0060C42A,?,00000000,C0000000,00000000,00651F4C,00000003,00000000,00000000,00000000,0060C43B), ref: 0060C30D
                                  • Part of subcall function 005A394C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005A395F
                                • CreateProcessW.KERNEL32 ref: 0060C3B6
                                • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 0060C3EC
                                • CloseHandle.KERNEL32(000000FF,0060C431,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 0060C424
                                  • Part of subcall function 005EA6F0: GetLastError.KERNEL32(00000000,005EB406,00000005,00000000,005EB42E,?,?,0065916C,?,00000000,00000000,00000000,?,006414CB,00000000,006414E6), ref: 005EA6F3
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                • API String ID: 770386003-3271284199
                                • Opcode ID: 49a0c3052cbd8c1cfb075f2cb37ad64a0473952e5922773894a6b14ad3f16977
                                • Instruction ID: 370784aa0278ef79c3a230c2905fdc44cf0870162ce0d73162c4ce97d15b8762
                                • Opcode Fuzzy Hash: 49a0c3052cbd8c1cfb075f2cb37ad64a0473952e5922773894a6b14ad3f16977
                                • Instruction Fuzzy Hash: 99718E70A403489EEB24DFB9CC51B9EBBF9AB09314F1145A9F508EB2C2D7749A40CF65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0062EA10: GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 0062EA3C
                                  • Part of subcall function 0062EA10: GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0062EA55
                                  • Part of subcall function 0062EA10: CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0062EA7F
                                  • Part of subcall function 0062EA10: CloseHandle.KERNEL32(00000000), ref: 0062EA9D
                                  • Part of subcall function 0062EB20: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,0062EBB1,?,00000097,00000000,?,0062EC2B,00000000,0062ED43,?,?,00000001), ref: 0062EB4F
                                • ShellExecuteExW.SHELL32(0000003C), ref: 0062EC7B
                                • GetLastError.KERNEL32(0000003C,00000000,0062ED43,?,?,00000001), ref: 0062EC84
                                • MsgWaitForMultipleObjects.USER32 ref: 0062ECD1
                                • GetExitCodeProcess.KERNEL32 ref: 0062ECF7
                                • CloseHandle.KERNEL32(00000000,0062ED28,00000000,00000000,000000FF,000004FF,00000000,0062ED21,?,0000003C,00000000,0062ED43,?,?,00000001), ref: 0062ED1B
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Handle$CloseFile$AttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcessShellWait
                                • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                • API String ID: 254331816-221126205
                                • Opcode ID: 6f88159eaf4f4fe0f9fd8ccfe2bd6c32bfb04f062893cbab0281b3554c52e596
                                • Instruction ID: 03e6c5e90054e8ec310909928018bb1e0b23d5797563299d26e923759c449f9b
                                • Opcode Fuzzy Hash: 6f88159eaf4f4fe0f9fd8ccfe2bd6c32bfb04f062893cbab0281b3554c52e596
                                • Instruction Fuzzy Hash: B0319470A006189FDF10EFE9E8826DDBAA9EF48304F41483AF514E7281D7759940CF55
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,0041AEC8,?,?), ref: 0040C64D
                                • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040C65E
                                • FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041AEC8,?,?), ref: 0040C75E
                                • FindClose.KERNEL32(?,?,?,kernel32.dll,0041AEC8,?,?), ref: 0040C770
                                • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041AEC8,?,?), ref: 0040C77C
                                • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041AEC8,?,?), ref: 0040C7C1
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.716722637.0000000000400000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717810194.000000000064D000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717828451.000000000064E000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717843458.000000000064F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717897553.0000000000658000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717921745.000000000065D000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717933378.000000000065F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717951241.0000000000660000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717982643.0000000000662000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                • String ID: GetLongPathNameW$\$kernel32.dll
                                • API String ID: 1930782624-3908791685
                                • Opcode ID: 4773db546d1690116369375d742ab2497b584d83e0c4ddfbfa3afb5929d1cbd5
                                • Instruction ID: 39d58d8c64e7cc71e6dd469938ce122afd0884a6e0bc7c1439aad5226bf35ab4
                                • Opcode Fuzzy Hash: 4773db546d1690116369375d742ab2497b584d83e0c4ddfbfa3afb5929d1cbd5
                                • Instruction Fuzzy Hash: 98418172A00619DBCB10EBA4C8C5ADEB3B9AB44314F1486BAE505F72C1E7789E45CE49
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsIconic.USER32 ref: 0062F411
                                • GetWindowLongW.USER32(?,000000F0), ref: 0062F42E
                                • GetWindowLongW.USER32(?,000000EC), ref: 0062F453
                                  • Part of subcall function 00589758: IsWindow.USER32(?), ref: 00589766
                                  • Part of subcall function 00589758: EnableWindow.USER32(?,000000FF), ref: 00589775
                                • GetActiveWindow.USER32 ref: 0062F51F
                                • SetActiveWindow.USER32(00000005,0062F587,0062F59D,?,?,000000EC,?,000000F0,?,00000000,?,00000000), ref: 0062F570
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.716722637.0000000000400000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717810194.000000000064D000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717828451.000000000064E000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717843458.000000000064F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717897553.0000000000658000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717921745.000000000065D000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717933378.000000000065F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717951241.0000000000660000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717982643.0000000000662000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID: Window$ActiveLong$EnableIconic
                                • String ID: @aR$`
                                • API String ID: 4222481217-3458811154
                                • Opcode ID: 6059c4f1061467443958b0117358483af30c51a7de5c966efe23677049acb740
                                • Instruction ID: dbb16626f1d9e96942b88ffed94711c8d458f1f11fe25f4442937639beff2465
                                • Opcode Fuzzy Hash: 6059c4f1061467443958b0117358483af30c51a7de5c966efe23677049acb740
                                • Instruction Fuzzy Hash: 66513474A006199FDB00EFA9E884ADEBBF6EF09310F154179E808EB362D774A941CF50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindFirstFileW.KERNEL32(00000000,?,00000000,006412DD,?,0065916C,?,?,00641492,00000000,006414E6,?,00000000,00000000,00000000), ref: 006411F1
                                • SetFileAttributesW.KERNEL32(00000000,00000010), ref: 00641274
                                • FindNextFileW.KERNEL32(000000FF,?,00000000,006412B0,?,00000000,?,00000000,006412DD,?,0065916C,?,?,00641492,00000000,006414E6), ref: 0064128C
                                • FindClose.KERNEL32(000000FF,006412B7,006412B0,?,00000000,?,00000000,006412DD,?,0065916C,?,?,00641492,00000000,006414E6), ref: 006412AA
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.716722637.0000000000400000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717810194.000000000064D000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717828451.000000000064E000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717843458.000000000064F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717897553.0000000000658000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717921745.000000000065D000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717933378.000000000065F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717951241.0000000000660000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717982643.0000000000662000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID: FileFind$AttributesCloseFirstNext
                                • String ID: isRS-$isRS-???.tmp
                                • API String ID: 134685335-3422211394
                                • Opcode ID: 03529fd99d5dd8e3ad53b5fc2169b982df478db83f347c6d823d20194b2ae8a5
                                • Instruction ID: fe94dc53552a48db6acf1cce08237b6c7df8e9c4eabf981dedfd326a3d077f68
                                • Opcode Fuzzy Hash: 03529fd99d5dd8e3ad53b5fc2169b982df478db83f347c6d823d20194b2ae8a5
                                • Instruction Fuzzy Hash: 3F318330A0065C9FDB10EE65CC45ADEB7B9EB89304F5145BAA804F7691DB789FC08A58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsIconic.USER32 ref: 005A55E9
                                • GetWindowLongW.USER32(?,000000F0), ref: 005A5606
                                • GetWindowLongW.USER32(?,000000EC), ref: 005A562B
                                • GetActiveWindow.USER32 ref: 005A5639
                                • MessageBoxW.USER32(00000000,00000000,?,-00000030), ref: 005A5666
                                • SetActiveWindow.USER32(00000000,005A5694,-00000030,00000000,005A568D,?,?,000000EC,?,000000F0,?,00000000,005A56CA,?,?,00000000), ref: 005A5687
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.716722637.0000000000400000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717810194.000000000064D000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717828451.000000000064E000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717843458.000000000064F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717897553.0000000000658000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717921745.000000000065D000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717933378.000000000065F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717951241.0000000000660000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717982643.0000000000662000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID: Window$ActiveLong$IconicMessage
                                • String ID:
                                • API String ID: 1633107849-0
                                • Opcode ID: 25d0dbca044281ae1caf548afb1ca6747c077c490e0af742dfe8748b12f50df3
                                • Instruction ID: 7b3c6351ceff3ceb8cd14220de1ae8bb0a1ecb7973c7b812e1b04bb176bad809
                                • Opcode Fuzzy Hash: 25d0dbca044281ae1caf548afb1ca6747c077c490e0af742dfe8748b12f50df3
                                • Instruction Fuzzy Hash: F4318C74A04705AFDB00EF69CD46EAD7BE9FB4E310F9144A5F404EB3A1EA34A9409B14
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 005A5039
                                • SetSecurityDescriptorDacl.ADVAPI32(00000000,000000FF,00000000,00000000,00000001,00000001), ref: 005A5049
                                  • Part of subcall function 00411FE4: CreateMutexW.KERNEL32(?,00000001,00000000,?,00641593,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006418B7,?,?,00000000), ref: 00411FFA
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.716722637.0000000000400000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717810194.000000000064D000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717828451.000000000064E000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717843458.000000000064F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717897553.0000000000658000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717921745.000000000065D000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717933378.000000000065F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717951241.0000000000660000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717982643.0000000000662000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID: DescriptorSecurity$CreateDaclInitializeMutex
                                • String ID:
                                • API String ID: 3525989157-0
                                • Opcode ID: d8af1c1b96e736859decefec77ae61b0fb96ddb8db3927916252ff4c7aec282d
                                • Instruction ID: dc41c1bf403f01e50fcf204102a3f95e2db8d65bb8f23d2a9785caaf8e82bb17
                                • Opcode Fuzzy Hash: d8af1c1b96e736859decefec77ae61b0fb96ddb8db3927916252ff4c7aec282d
                                • Instruction Fuzzy Hash: 9AE065B16443006FE600DFB58C82F8B73DC9B44714F10492EB764D71D1E778D549879A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E10001130() {
                                				signed char _t24;
                                				signed char _t25;
                                				intOrPtr _t30;
                                				signed char _t34;
                                				intOrPtr _t35;
                                				char _t37;
                                				intOrPtr _t41;
                                				char* _t43;
                                				char* _t48;
                                				signed char* _t52;
                                				void* _t54;
                                
                                				_t41 =  *((intOrPtr*)(_t54 + 4));
                                				_t35 =  *((intOrPtr*)(_t54 + 0x10));
                                				_t24 =  *((intOrPtr*)(_t41 + 0x101));
                                				_t34 =  *(_t41 + 0x100);
                                				if(_t35 <= 0) {
                                					 *(_t41 + 0x100) = _t34;
                                					 *((char*)(_t41 + 0x101)) = _t24;
                                					return _t24;
                                				} else {
                                					_t52 =  *(_t54 + 0x14);
                                					 *((intOrPtr*)(_t54 + 0x18)) =  *(_t54 + 0x14) - _t52;
                                					 *((intOrPtr*)(_t54 + 0x20)) = _t35;
                                					while(1) {
                                						_t34 = _t34 + 1;
                                						_t48 = (_t34 & 0x000000ff) + _t41;
                                						_t37 =  *_t48;
                                						_t25 = _t24 + _t37;
                                						 *(_t54 + 0x14) = _t25;
                                						_t43 = (_t25 & 0x000000ff) + _t41;
                                						 *_t48 =  *_t43;
                                						 *_t43 = _t37;
                                						if( *((intOrPtr*)(_t54 + 0x1c)) != 0) {
                                							 *_t52 =  *((0 + _t37 & 0x000000ff) + _t41) ^  *( *((intOrPtr*)(_t54 + 0x18)) + _t52);
                                						}
                                						_t52 =  &(_t52[1]);
                                						_t30 =  *((intOrPtr*)(_t54 + 0x20)) - 1;
                                						 *((intOrPtr*)(_t54 + 0x20)) = _t30;
                                						if(_t30 == 0) {
                                							break;
                                						}
                                						_t24 =  *(_t54 + 0x14);
                                					}
                                					 *(_t41 + 0x100) = _t34;
                                					 *((char*)(_t41 + 0x101)) =  *(_t54 + 0x14);
                                					return _t30;
                                				}
                                			}















                                Memory Dump Source
                                • Source File: 00000002.00000002.727503357.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000002.00000002.727484992.0000000010000000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.727513697.0000000010002000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                • Instruction ID: 1c94840b05858ddf3503627acbaac9226f9c4a6e1659969bf0a936c2f155f8a0
                                • Opcode Fuzzy Hash: 550b9f88123d0c3b213a5d4b99e682963a3eaac5120c60ac7846f9a0f3bba5ba
                                • Instruction Fuzzy Hash: FF11303254D3D28FC305CF2894506D6FFE4AF6A640F194AAEE1D45B203C2659549C7A2
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E10001000() {
                                
                                				return 1;
                                			}




                                Memory Dump Source
                                • Source File: 00000002.00000002.727503357.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                • Associated: 00000002.00000002.727484992.0000000010000000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.727513697.0000000010002000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                • Instruction ID: 837d35c9df4effc004866add7a9100bdfed479f04b3922bb4bd4c5469ecd81ba
                                • Opcode Fuzzy Hash: aff350dcda9d135b5489d453054620cf61adfe11cc5af5bb48cdce25d513e1a9
                                • Instruction Fuzzy Hash:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(00000000,0060FB92,?,?,?,?,00000005,00000000,00000000,?,?,00610F6D,00000000,00000000,?,00000000), ref: 0060FA46
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.716722637.0000000000400000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717810194.000000000064D000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717828451.000000000064E000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717843458.000000000064F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717897553.0000000000658000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717921745.000000000065D000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717933378.000000000065F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717951241.0000000000660000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717982643.0000000000662000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID: ErrorLast
                                • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                • API String ID: 1452528299-3112430753
                                • Opcode ID: cff8336e227c699088bbab0dcc39d6168e41a1b5ebb8c2f9d771453787735add
                                • Instruction ID: 3f785b7a155deb3ce47676d2326a833948f3cc731dbc04ca15e2dd282b51c4d8
                                • Opcode Fuzzy Hash: cff8336e227c699088bbab0dcc39d6168e41a1b5ebb8c2f9d771453787735add
                                • Instruction Fuzzy Hash: 3D71B430B402455BDB29EB6CC8567EF7BA6AF88700F108439F401EBBC5DB789D068B65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ShowWindow.USER32(?,00000005,00000000,006418B7,?,?,00000000,?,00000000,00000000,?,00641D9A,00000000,00641DA4,?,00000000), ref: 0064157B
                                • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006418B7,?,?,00000000,?,00000000,00000000), ref: 006415A1
                                • MsgWaitForMultipleObjects.USER32 ref: 006415C2
                                • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006418B7,?,?,00000000,?,00000000), ref: 006415D7
                                  • Part of subcall function 005A34A0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005A3535,?,?,?,00000001,?,005ED856,00000000,005ED8C1), ref: 005A34D5
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.716722637.0000000000400000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717810194.000000000064D000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717828451.000000000064E000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717843458.000000000064F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717897553.0000000000658000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717921745.000000000065D000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717933378.000000000065F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717951241.0000000000660000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717982643.0000000000662000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID: ShowWindow$FileModuleMultipleNameObjectsWait
                                • String ID: .lst$.msg$/REG$/REGU$Inno-Setup-RegSvr-Mutex$Setup
                                • API String ID: 66301061-3672972446
                                • Opcode ID: 51a5a6079aaa597febbf9f14f65394c9490ec11934428f43bb48f337ab5e38df
                                • Instruction ID: 76fd0ad8b94f5e333514ba576db2cfdf9b1ec2cb5620ecaae20ab01016b1d93d
                                • Opcode Fuzzy Hash: 51a5a6079aaa597febbf9f14f65394c9490ec11934428f43bb48f337ab5e38df
                                • Instruction Fuzzy Hash: 5D91E134A043099FDB11EBA4C856BEEBBF6FB4A304F514465F500AF692DB39AD81CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 005A3F04: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005A45DE,?,00000000,?,005A457E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005A45DE), ref: 005A3F20
                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,005EBFCE,?,?,00000003,00000000,00000000,005EC012), ref: 005EBE4D
                                  • Part of subcall function 005A4A6C: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005A98F2,00000000,005A9943,?,005A9B24), ref: 005A4A8B
                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,005EBF0C,?,?,00000000,00000000,?,00000000,?,00000000), ref: 005EBECE
                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,005EBF0C,?,?,00000000,00000000,?,00000000,?,00000000), ref: 005EBEF5
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 005EBD6D
                                • RegOpenKeyEx, xrefs: 005EBDC9
                                • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 005EBDA6
                                • , xrefs: 005EBDC0
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.716722637.0000000000400000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717810194.000000000064D000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717828451.000000000064E000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717843458.000000000064F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717897553.0000000000658000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717921745.000000000065D000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717933378.000000000065F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717951241.0000000000660000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717982643.0000000000662000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID: QueryValue$FormatMessageOpen
                                • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                • API String ID: 2812809588-1577016196
                                • Opcode ID: fb92550075b663ad41aa795197b835a9f6e04cee4e40dfca06f108bcbdc61e99
                                • Instruction ID: d4be95b5bf5697a2c2317a1a847dc5a8aa86bda7723b386fe91cd059ed6c7232
                                • Opcode Fuzzy Hash: fb92550075b663ad41aa795197b835a9f6e04cee4e40dfca06f108bcbdc61e99
                                • Instruction Fuzzy Hash: DC914E71A04249EFEB04DFA6CC82BEEBBB9FB48304F10442AF550E7291D774A945CB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0060DCD9,?,0060D7D0,?,00000000,00000000,00000000,?,?,0060DF44,00000000), ref: 0060DB7D
                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,0060DCD9,?,0060D7D0,?,00000000,00000000,00000000,?,?,0060DF44,00000000), ref: 0060DBE7
                                • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,00000001,00000000,00000000,0060DCD9,?,0060D7D0,?,00000000,00000000,00000000,?), ref: 0060DC4E
                                Strings
                                • v1.1.4322, xrefs: 0060DC40
                                • v2.0.50727, xrefs: 0060DBD9
                                • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 0060DB33
                                • v4.0.30319, xrefs: 0060DB6F
                                • .NET Framework not found, xrefs: 0060DC9A
                                • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 0060DB9D
                                • .NET Framework version %s not found, xrefs: 0060DC86
                                • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 0060DC04
                                Similarity
                                • API ID: Close
                                • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                • API String ID: 3535843008-446240816
                                • Opcode ID: 07d2800d602682467840877082f0c34b5ac01fd25e8470ff64ceb498d0440caa
                                • Instruction ID: 7670716dd19c67c5d9ece5d0c915865bf346f30408318fd4bfe38577db2ef6c8
                                • Opcode Fuzzy Hash: 07d2800d602682467840877082f0c34b5ac01fd25e8470ff64ceb498d0440caa
                                • Instruction Fuzzy Hash: 1A51C371A442455BDF08DBE8C861BFE7BBBEF85304F14026AE541A72D1D778AA05CB20
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CloseHandle.KERNEL32(?), ref: 0060C77B
                                • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 0060C797
                                • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 0060C7A5
                                • GetExitCodeProcess.KERNEL32 ref: 0060C7B6
                                • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0060C7FD
                                • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 0060C819
                                Strings
                                • Stopping 64-bit helper process. (PID: %u), xrefs: 0060C76D
                                • Helper process exited., xrefs: 0060C7C5
                                • Helper process exited, but failed to get exit code., xrefs: 0060C7EF
                                • Helper process exited with failure code: 0x%x, xrefs: 0060C7E3
                                • Helper isn't responding; killing it., xrefs: 0060C787
                                Similarity
                                • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                • API String ID: 3355656108-1243109208
                                • Opcode ID: 45fc011756b7bf5f1698b7791ab4e09ad19a7da32488c74c3ab529e014e697b9
                                • Instruction ID: de5961a00d05dd6df469e7866390b9c6bfbc5d95a14e654ee04a34333298af1f
                                • Opcode Fuzzy Hash: 45fc011756b7bf5f1698b7791ab4e09ad19a7da32488c74c3ab529e014e697b9
                                • Instruction Fuzzy Hash: FA21C2306843409ED324EB7DC449B9BBBD59F48324F00CE2DB699C7281E778E8848B26
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 005EAC14: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005EAD4F), ref: 005EACFF
                                  • Part of subcall function 005EAC14: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005EAD4F), ref: 005EAD0F
                                • CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,0063F9D6), ref: 0063F86B
                                • SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,0063F9D6), ref: 0063F892
                                • SetWindowLongW.USER32 ref: 0063F8CC
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0063F99F,?,?,000000FC,0063EEE4,00000000,00400000,00000000), ref: 0063F901
                                • MsgWaitForMultipleObjects.USER32 ref: 0063F975
                                • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0063F99F,?,?,000000FC,0063EEE4,00000000), ref: 0063F983
                                  • Part of subcall function 005EB10C: WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005EB1F2
                                • DestroyWindow.USER32(?,0063F9A6,00000000,00000000,00000000,00000000,00000000,00000097,00000000,0063F99F,?,?,000000FC,0063EEE4,00000000,00400000), ref: 0063F999
                                Strings
                                Similarity
                                • API ID: FileWindow$CloseHandle$AttributesCopyCreateDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                • String ID: /SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                • API String ID: 1779715363-2312673372
                                • Opcode ID: c6e91bdc15304c3974cf9acd0ab5d35559258714dfd84fe763261205d9e52735
                                • Instruction ID: c69001889ef773f60ff1480697859cff66decfad70ad81c5ddd815baab191673
                                • Opcode Fuzzy Hash: c6e91bdc15304c3974cf9acd0ab5d35559258714dfd84fe763261205d9e52735
                                • Instruction Fuzzy Hash: 5F415A71E00209AFDB00EFB5C952BDEBBB9EB49714F11447AF504E7291E7799A00CBA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00597C58: GetActiveWindow.USER32 ref: 00597C7F
                                  • Part of subcall function 00597C58: GetLastActivePopup.USER32(?), ref: 00597C94
                                • MonitorFromWindow.USER32(00000000,00000002), ref: 00596711
                                • MonitorFromWindow.USER32(?,00000002), ref: 00596725
                                • GetMonitorInfoW.USER32 ref: 00596744
                                • GetWindowRect.USER32 ref: 00596757
                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?,00000000,00000028,?,00000002,?,?,00000000), ref: 00596792
                                • MessageBoxW.USER32(00000000,00000000,?,?), ref: 005967D1
                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0059684A,?,00000002,?,?,00000000), ref: 00596824
                                  • Part of subcall function 00589758: IsWindow.USER32(?), ref: 00589766
                                  • Part of subcall function 00589758: EnableWindow.USER32(?,000000FF), ref: 00589775
                                • SetActiveWindow.USER32(00000000,0059684A,?,00000002,?,?,00000000), ref: 00596835
                                Strings
                                Similarity
                                • API ID: Window$ActiveMonitor$From$EnableInfoLastMessagePopupRect
                                • String ID: (
                                • API String ID: 2800294577-3887548279
                                • Opcode ID: df638a0f405d57aae3b1ba976451288fee4f3120d526acb7ec09b6fad0b15353
                                • Instruction ID: 9dac885a3fc6f62c5b6649a49af2ad62bca6a78ec05f00bd829ae840c4bd3c31
                                • Opcode Fuzzy Hash: df638a0f405d57aae3b1ba976451288fee4f3120d526acb7ec09b6fad0b15353
                                • Instruction Fuzzy Hash: 55410A75E00109AFDF04DBE9C996FEEBBF9FB48304F548469F500AB291DA74AD408B54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000,00000000,0060CBD7,?,00000000,0060CC32,?,?,025DF200,00000000), ref: 0060CA51
                                • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,025DF200,?,00000000,0060CB6C,?,00000000,000000FF,00000000,00000000,00000000,0060CBD7), ref: 0060CAAE
                                • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,025DF200,?,00000000,0060CB6C,?,00000000,000000FF,00000000,00000000,00000000,0060CBD7), ref: 0060CABB
                                • MsgWaitForMultipleObjects.USER32 ref: 0060CB07
                                • GetOverlappedResult.KERNEL32(?,?,00000000,000000FF,0060CB45,025DF200,00000000), ref: 0060CB31
                                • GetLastError.KERNEL32(?,?,00000000,000000FF,0060CB45,025DF200,00000000), ref: 0060CB38
                                  • Part of subcall function 005EA6F0: GetLastError.KERNEL32(00000000,005EB406,00000005,00000000,005EB42E,?,?,0065916C,?,00000000,00000000,00000000,?,006414CB,00000000,006414E6), ref: 005EA6F3
                                Strings
                                Similarity
                                • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                • String ID: CreateEvent$TransactNamedPipe
                                • API String ID: 2182916169-3012584893
                                • Opcode ID: a28d32dfdf7083f81ebe4c470cfe6850f4b5d83d1979bdcff2beeb2205aad380
                                • Instruction ID: 46b13299e2cca992767d5f198eaed42631b9bc76583f00ff6230d98ceb2376bc
                                • Opcode Fuzzy Hash: a28d32dfdf7083f81ebe4c470cfe6850f4b5d83d1979bdcff2beeb2205aad380
                                • Instruction Fuzzy Hash: E1417C70A40208AFDB05DF99CD82EDEBBB9EB09720F1142A5FA04E7291D7749A40CA64
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • EnterCriticalSection.KERNEL32(00655C14,00000000,0040C5F0,?,?,?,00000000,?,0040CED0,00000000,0040CF2F,?,?,00000000,00000000,00000000), ref: 0040C50A
                                • LeaveCriticalSection.KERNEL32(00655C14,00655C14,00000000,0040C5F0,?,?,?,00000000,?,0040CED0,00000000,0040CF2F,?,?,00000000,00000000), ref: 0040C52E
                                • LeaveCriticalSection.KERNEL32(00655C14,00655C14,00000000,0040C5F0,?,?,?,00000000,?,0040CED0,00000000,0040CF2F,?,?,00000000,00000000), ref: 0040C53D
                                • IsValidLocale.KERNEL32(00000000,00000002,00655C14,00655C14,00000000,0040C5F0,?,?,?,00000000,?,0040CED0,00000000,0040CF2F), ref: 0040C54F
                                • EnterCriticalSection.KERNEL32(00655C14,00000000,00000002,00655C14,00655C14,00000000,0040C5F0,?,?,?,00000000,?,0040CED0,00000000,0040CF2F), ref: 0040C5AC
                                • LeaveCriticalSection.KERNEL32(00655C14,00655C14,00000000,00000002,00655C14,00655C14,00000000,0040C5F0,?,?,?,00000000,?,0040CED0,00000000,0040CF2F), ref: 0040C5D5
                                Strings
                                Similarity
                                • API ID: CriticalSection$Leave$Enter$LocaleValid
                                • String ID: en-US,en,
                                • API String ID: 975949045-3579323720
                                • Opcode ID: 90697448efcb43d61fa5602f0d93582666c889760caed1969fc1681076a76671
                                • Instruction ID: 12b32d5edc61c2b415d74e80337db58b78331f5c6b7bba2a690499546554e17f
                                • Opcode Fuzzy Hash: 90697448efcb43d61fa5602f0d93582666c889760caed1969fc1681076a76671
                                • Instruction Fuzzy Hash: A721DBA4310710F6D710BB7A4C9261E368A9B89B05F50457FB441BB2C2DE7C9D4187AF
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0060B24E,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00610245,00000000,00610259), ref: 0060B15A
                                  • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0060B19E
                                  • Part of subcall function 005EA6F0: GetLastError.KERNEL32(00000000,005EB406,00000005,00000000,005EB42E,?,?,0065916C,?,00000000,00000000,00000000,?,006414CB,00000000,006414E6), ref: 005EA6F3
                                Strings
                                Similarity
                                • API ID: AddressErrorHandleLastLoadModuleProcType
                                • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                • API String ID: 1914119943-2711329623
                                • Opcode ID: e5fa747cbe308ee8720a082ce4f4428c5f30e7aecf9f4a9d38e6d68a27955243
                                • Instruction ID: 3ec5d3b7b5de1241cb4825b8717db2923e5da448e44e5b12165fadf048c6b170
                                • Opcode Fuzzy Hash: e5fa747cbe308ee8720a082ce4f4428c5f30e7aecf9f4a9d38e6d68a27955243
                                • Instruction Fuzzy Hash: 0B215C71640205AFDB08EFAACC56D6F7BBEEF8974070184A5F510D72A2EB74ED018760
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,005A45DE,?,00000000), ref: 005A450B
                                  • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                • RegCloseKey.ADVAPI32(00000001,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005A45DE,?,00000000), ref: 005A455E
                                Strings
                                Similarity
                                • API ID: AddressCloseHandleModuleProc
                                • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                • API String ID: 4190037839-2401316094
                                • Opcode ID: 7c90a40b15c7ccdb39d47662d0341a756a0de2090c880493ff7f93d5d7378f4f
                                • Instruction ID: e352b44e6c1de8b68b5519ac5fe44b9c18267d466845249f15e567ba5a764dcb
                                • Opcode Fuzzy Hash: 7c90a40b15c7ccdb39d47662d0341a756a0de2090c880493ff7f93d5d7378f4f
                                • Instruction Fuzzy Hash: E8213074E00209AFDB10EAF5C946A9EBBE9FB8A304F504865B500E3281EBB49A41CF54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 0040710D
                                • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407113
                                • GetLogicalProcessorInformation.KERNEL32(00000000,005A41DF,GetLogicalProcessorInformation), ref: 00407126
                                • GetLastError.KERNEL32(00000000,005A41DF,GetLogicalProcessorInformation), ref: 0040712F
                                • GetLogicalProcessorInformation.KERNEL32(00000000,005A41DF,00000000,004071A6,?,00000000,005A41DF,GetLogicalProcessorInformation), ref: 0040715A
                                Strings
                                Similarity
                                • API ID: InformationLogicalProcessor$AddressErrorHandleLastModuleProc
                                • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                • API String ID: 1184211438-79381301
                                • Opcode ID: db4f45c6f7a51730c4f9e085af97346337fcb1d2e7f6c391c29b9d0cf55beb76
                                • Instruction ID: b32848a7681182275f687d561da14b36461a078c67b786b57a386ce806aebad7
                                • Opcode Fuzzy Hash: db4f45c6f7a51730c4f9e085af97346337fcb1d2e7f6c391c29b9d0cf55beb76
                                • Instruction Fuzzy Hash: B1116371D08204BEEB10EFA5D845B5EBBF8DB40705F1481BBE814B77C1D67CAA40CA5A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 005A394C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005A395F
                                • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,0060B788,00000000, /s ",0065916C,regsvr32.exe",?,0060B788), ref: 0060B6F6
                                Strings
                                Similarity
                                • API ID: CloseDirectoryHandleSystem
                                • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                • API String ID: 2051275411-1862435767
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • Sleep.KERNEL32(00000000,?,00000000,02628810,0040762E,?,00000000,02628810,004072D1,00000000,00000220,00427294,?,004272E2,005A41DF,00000000), ref: 004043A2
                                • Sleep.KERNEL32(0000000A,00000000,?,00000000,02628810,0040762E,?,00000000,02628810,004072D1,00000000,00000220,00427294,?,004272E2,005A41DF), ref: 004043BC
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Sleep
                                • String ID:
                                • API String ID: 3472027048-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(00000000,0060F042,?,00000000,?), ref: 0060EF84
                                  • Part of subcall function 005EB808: FindClose.KERNEL32(000000FF,005EB8FD), ref: 005EB8EC
                                Strings
                                • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 0060EFFB
                                • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 0060EF5E
                                • Failed to delete directory (%d)., xrefs: 0060F01C
                                • Failed to strip read-only attribute., xrefs: 0060EF52
                                • Deleting directory: %s, xrefs: 0060EF0B
                                • Stripped read-only attribute., xrefs: 0060EF46
                                • Failed to delete directory (%d). Will retry later., xrefs: 0060EF9D
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CloseErrorFindLast
                                • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                • API String ID: 754982922-1448842058
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCapture.USER32 ref: 00595EC2
                                • IsWindowUnicode.USER32(00000000), ref: 00595F05
                                • SendMessageW.USER32(00000000,-0000BBEE,02604910,00000000), ref: 00595F20
                                • SendMessageA.USER32 ref: 00595F3F
                                • GetWindowThreadProcessId.USER32(00000000), ref: 00595F4E
                                • GetWindowThreadProcessId.USER32(?,?), ref: 00595F5F
                                • SendMessageW.USER32(00000000,-0000BBEE,02604910,00000000), ref: 00595F7F
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: MessageSendWindow$ProcessThread$CaptureUnicode
                                • String ID:
                                • API String ID: 1994056952-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005EB1F2
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: PrivateProfileStringWrite
                                • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                • API String ID: 390214022-3304407042
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 0040781C: GetCurrentThreadId.KERNEL32 ref: 0040781F
                                • GetTickCount.KERNEL32 ref: 00407393
                                • GetTickCount.KERNEL32 ref: 004073AB
                                • GetCurrentThreadId.KERNEL32 ref: 004073DA
                                • GetTickCount.KERNEL32 ref: 00407405
                                • GetTickCount.KERNEL32 ref: 0040743C
                                • GetTickCount.KERNEL32 ref: 00407466
                                • GetCurrentThreadId.KERNEL32 ref: 004074D6
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CountTick$CurrentThread
                                • String ID:
                                • API String ID: 3968769311-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID:
                                • String ID: |W
                                • API String ID: 0-2461296177
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 0062EA3C
                                • GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0062EA55
                                • CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 0062EA7F
                                • CloseHandle.KERNEL32(00000000), ref: 0062EA9D
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: FileHandle$AttributesCloseCreateModule
                                • String ID: GetFinalPathNameByHandleW$kernel32.dll
                                • API String ID: 791737717-340263132
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000), ref: 004083DD
                                • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000), ref: 004083E3
                                • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000), ref: 004083FE
                                • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000), ref: 00408404
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: FileHandleWrite
                                • String ID: Error$Runtime error at 00000000
                                • API String ID: 3320372497-2970929446
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetLastError.KERNEL32(00000000,0045F030,?,?,0043EB1C,00000001), ref: 0045EF6E
                                  • Part of subcall function 00420E28: CreateFileW.KERNEL32(00000000,000000F0,000000F0,00000000,00000003,00000080,00000000,?,?,0043EB1C,0045EFB0,00000000,0045F030,?,?,0043EB1C), ref: 00420E77
                                  • Part of subcall function 0042127C: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,?,?,0043EB1C,0045EFCB,00000000,0045F030,?,?,0043EB1C,00000001), ref: 0042129F
                                • GetLastError.KERNEL32(00000000,0045F030,?,?,0043EB1C,00000001), ref: 0045EFD5
                                  • Part of subcall function 00425310: FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,0043EB1C,00000000,?,0045EFE4,00000000,0045F030), ref: 00425334
                                  • Part of subcall function 00425310: LocalFree.KERNEL32(00000001,0042538D,00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,0043EB1C,00000000,?,0045EFE4,00000000,0045F030), ref: 00425380
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ErrorLast$CreateFileFormatFreeFullLocalMessageNamePath
                                • String ID: 6A$(6A$HPc$HuC
                                • API String ID: 503893064-3556063787
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetWindowLongW.USER32(?,000000EC), ref: 00636E8C
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,0063FC99,00000000,006405B7), ref: 00636EBB
                                • GetWindowLongW.USER32(?,000000EC), ref: 00636ED0
                                • SetWindowLongW.USER32 ref: 00636EF7
                                • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 00636F10
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 00636F31
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Window$Long$Show
                                • String ID:
                                • API String ID: 3609083571-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00404872
                                • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 00404878
                                • GetStdHandle.KERNEL32(000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00404897
                                • WriteFile.KERNEL32(00000000,000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 0040489D
                                • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 004048B4
                                • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,004039C0,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 004048BA
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.716722637.0000000000400000.00000002.00020000.sdmp
                                • Associated: 00000002.00000002.717810194.000000000064D000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717828451.000000000064E000.00000008.00020000.sdmp
                                • Associated: 00000002.00000002.717843458.000000000064F000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717897553.0000000000658000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717921745.000000000065D000.00000008.00020000.sdmp
                                • Associated: 00000002.00000002.717933378.000000000065F000.00000004.00020000.sdmp
                                • Associated: 00000002.00000002.717951241.0000000000660000.00000002.00020000.sdmp
                                • Associated: 00000002.00000002.717982643.0000000000662000.00000002.00020000.sdmp
                                Similarity
                                • API ID: FileHandleWrite
                                • String ID:
                                • API String ID: 3320372497-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • Sleep.KERNEL32(00000000,0000001B,00404828,02628810,00407262,00407603,?,00000000,02628810,004072D1,00000000,00000220,00427294,?,004272E2,005A41DF), ref: 0040403F
                                • Sleep.KERNEL32(0000000A,00000000,0000001B,00404828,02628810,00407262,00407603,?,00000000,02628810,004072D1,00000000,00000220,00427294,?,004272E2), ref: 00404055
                                • Sleep.KERNEL32(00000000,?,-00000004,0000001B,00404828,02628810,00407262,00407603,?,00000000,02628810,004072D1,00000000,00000220,00427294), ref: 00404083
                                • Sleep.KERNEL32(0000000A,00000000,?,-00000004,0000001B,00404828,02628810,00407262,00407603,?,00000000,02628810,004072D1,00000000,00000220,00427294), ref: 00404099
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Sleep
                                • String ID:
                                • API String ID: 3472027048-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005F2DA1
                                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005F2DC8
                                • SetForegroundWindow.USER32(?,00000000,005F30A0,?,00000000,005F30DE), ref: 005F2DD9
                                • DefWindowProcW.USER32(00000000,?,?,?,00000000,005F30A0,?,00000000,005F30DE), ref: 005F308B
                                Strings
                                • Cannot evaluate variable because [Code] isn't running yet, xrefs: 005F2F13
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: MessagePostWindow$ForegroundProc
                                • String ID: Cannot evaluate variable because [Code] isn't running yet
                                • API String ID: 602442252-3182603685
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • UnhandledExceptionFilter.KERNEL32(?,00000000), ref: 00407C72
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID: $kB$X7@$`mB
                                • API String ID: 3192549508-2267937664
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00596D48: GetCursorPos.USER32 ref: 00596D4F
                                • SetTimer.USER32(00000000,00000000,00000000,00000000), ref: 00596EBF
                                • GetCurrentThreadId.KERNEL32 ref: 00596EF9
                                • WaitMessage.USER32(00000000,00596F3D,?,?,?,02604910), ref: 00596F1D
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CurrentCursorMessageThreadTimerWait
                                • String ID: D0e$DbY
                                • API String ID: 3909455694-1698663556
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 00595D5C: SetWindowTextW.USER32(?,00000000), ref: 00595D8D
                                • ShowWindow.USER32(?,00000005,00000000,00641008,?,?,00000000), ref: 00640D9A
                                  • Part of subcall function 005A394C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005A395F
                                  • Part of subcall function 004216CC: SetCurrentDirectoryW.KERNEL32(00000000,?,00640DC2,00000000,00640FCF,?,?,00000005,00000000,00641008,?,?,00000000), ref: 004216D7
                                  • Part of subcall function 005A34A0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005A3535,?,?,?,00000001,?,005ED856,00000000,005ED8C1), ref: 005A34D5
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                • String ID: .dat$.msg$IMsg$Uninstall
                                • API String ID: 3312786188-1660910688
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SendMessageW.USER32(00000000,00000B06,00000000,00000000), ref: 005F2886
                                • SendMessageW.USER32(00000000,00000B00,00000000,00000000), ref: 005F2923
                                Strings
                                • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 005F28B2
                                • ((_, xrefs: 005F28D5
                                • Failed to create DebugClientWnd, xrefs: 005F28EC
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: MessageSend
                                • String ID: ((_$Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd
                                • API String ID: 3850602802-2200022173
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • MsgWaitForMultipleObjects.USER32 ref: 0060B506
                                • GetExitCodeProcess.KERNEL32 ref: 0060B529
                                • CloseHandle.KERNEL32(?,0060B55C,00000001,00000000,000000FF,000004FF,00000000,0060B555), ref: 0060B54F
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                • API String ID: 2573145106-3235461205
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 0040566B
                                • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 00405671
                                • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 00405680
                                • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 00405691
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CurrentDirectory
                                • String ID: :
                                • API String ID: 1611563598-336475711
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • DeleteFileW.KERNEL32(00000000,?,?,0065916C,?,00641833,00000000,00641888,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 004210DC
                                • GetLastError.KERNEL32(00000000,?,?,0065916C,?,00641833,00000000,00641888,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 004210EB
                                • GetFileAttributesW.KERNEL32(00000000,00000000,?,?,0065916C,?,00641833,00000000,00641888,?,?,00000005,?,00000000,00000000,00000000), ref: 004210F3
                                • RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,0065916C,?,00641833,00000000,00641888,?,?,00000005,?,00000000,00000000), ref: 0042110E
                                • SetLastError.KERNEL32(00000000,00000000,00000000,?,?,0065916C,?,00641833,00000000,00641888,?,?,00000005,?,00000000,00000000), ref: 0042111C
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
                                • String ID:
                                • API String ID: 2814369299-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • UnhookWindowsHookEx.USER32(00000000), ref: 00593E3A
                                • SetEvent.KERNEL32(00000000), ref: 00593E66
                                • GetCurrentThreadId.KERNEL32 ref: 00593E6B
                                • MsgWaitForMultipleObjects.USER32 ref: 00593E94
                                • CloseHandle.KERNEL32(00000000,00000000), ref: 00593EA1
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CloseCurrentEventHandleHookMultipleObjectsThreadUnhookWaitWindows
                                • String ID:
                                • API String ID: 2132507429-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • UnhandledExceptionFilter.KERNEL32(00000006), ref: 00407FD3
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID: X7@$`mB$hnB
                                • API String ID: 3192549508-2544690251
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005EAD4F), ref: 005EACFF
                                • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,005EAD4F), ref: 005EAD0F
                                Strings
                                Similarity
                                • API ID: CloseCreateFileHandle
                                • String ID: .tmp$_iu
                                • API String ID: 3498533004-10593223
                                • Opcode ID: a97939560c10554e31f42f96ceabdc46af242167b30421498adf4ec05bf31530
                                • Instruction ID: 8468b1998000916b73e2102fff46f2e14beed355d75e57ccd28a2bbbbe2f1847
                                • Opcode Fuzzy Hash: a97939560c10554e31f42f96ceabdc46af242167b30421498adf4ec05bf31530
                                • Instruction Fuzzy Hash: 4C31C270E00249ABCF15EBA5CD42BDDBBB4BF44704F204069F580B76D2D7386E018B99
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetFileAttributesW.KERNEL32(00000000,000000EC,00000000,0064141E,?,?,0065916C,?,0064184E,00000000,00641858,?,00000000,00641888,?,?), ref: 00641390
                                • SetFileAttributesW.KERNEL32(00000000,00000000,00000000,000000EC,00000000,0064141E,?,?,0065916C,?,0064184E,00000000,00641858,?,00000000,00641888), ref: 006413B9
                                • MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,000000EC,00000000,0064141E,?,?,0065916C,?,0064184E,00000000,00641858,?,00000000), ref: 006413D2
                                Strings
                                Similarity
                                • API ID: File$Attributes$Move
                                • String ID: isRS-%.3u.tmp
                                • API String ID: 3839737484-3657609586
                                • Opcode ID: ee7ada865235040f3fba8906cea44d32bd3cc7e2e356c3d1b0da97dfffd32c0c
                                • Instruction ID: dddb97c00e74b5b8738748a180a192619256773ccd7f92a13f05bcaedb417451
                                • Opcode Fuzzy Hash: ee7ada865235040f3fba8906cea44d32bd3cc7e2e356c3d1b0da97dfffd32c0c
                                • Instruction Fuzzy Hash: FF318171E102089BCB01EFA9C981ADEB7B9EF45314F10417AF814F72D2DB785E81CA58
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00407ADE
                                • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00007A74), ref: 00407B1B
                                Strings
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID: X7@$`mB
                                • API String ID: 3192549508-3822899693
                                • Opcode ID: acfcf4f0c9e567356c4dedf2411d2579bee2c75055790a51c4c917a81e5e6098
                                • Instruction ID: 3b57c11cd21ff31855dd3bf6b5d93731912632b382d1f1822908de7606851bc2
                                • Opcode Fuzzy Hash: acfcf4f0c9e567356c4dedf2411d2579bee2c75055790a51c4c917a81e5e6098
                                • Instruction Fuzzy Hash: 6A3132B4A08304AFE714DB14C885F2BB7F5EB85758F15856AE514A7292C738FC41CB2A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • CreateProcessW.KERNEL32 ref: 0063EE39
                                • CloseHandle.KERNEL32(c,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,0063EEA0,?,0063EE90,00000000), ref: 0063EE56
                                  • Part of subcall function 0063ED24: GetLastError.KERNEL32(00000000,0063EDBF,?,?,?), ref: 0063ED47
                                Strings
                                Similarity
                                • API ID: CloseCreateErrorHandleLastProcess
                                • String ID: D$c
                                • API String ID: 3798668922-732338598
                                • Opcode ID: b910634b0c660ee44f9518151d5d142ba2cd295b60aea8ffe1aac25128a58b03
                                • Instruction ID: a76c743656288d7409e30da4365344639ee8a687576a0d8a36d3ae332561be3a
                                • Opcode Fuzzy Hash: b910634b0c660ee44f9518151d5d142ba2cd295b60aea8ffe1aac25128a58b03
                                • Instruction Fuzzy Hash: E8113C71604208AFEB00DBE5D882F9E77BDEF08704F51007AF904E72C1D679AD008AA8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 005A2898: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,0065916C,00000000,005EB153,00000000,005EB42E,?,?,0065916C), ref: 005A28C9
                                • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0060B07F
                                • RegisterTypeLib.OLEAUT32(?,00000000,00000000), ref: 0060B09B
                                Strings
                                Similarity
                                • API ID: Type$FullLoadNamePathRegister
                                • String ID: LoadTypeLib$RegisterTypeLib
                                • API String ID: 4170313675-2435364021
                                • Opcode ID: 787203fadadf1bb34b1dc2591ee9c125816f1073d40601862303c0115a9b293b
                                • Instruction ID: d327688d706b04cea3b7c22e8a032ac3a5cb325325ddc079b5fff15279d7451c
                                • Opcode Fuzzy Hash: 787203fadadf1bb34b1dc2591ee9c125816f1073d40601862303c0115a9b293b
                                • Instruction Fuzzy Hash: 87012170B40209AADB14FAB6CC83B9F77ADEB44704F509476B510E72D2EB78AE058618
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • UnhandledExceptionFilter.KERNEL32(00000006), ref: 00407FD3
                                Strings
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID: X7@$`mB$hnB
                                • API String ID: 3192549508-2544690251
                                • Opcode ID: 4d67955bc0a3ab48fab6a9d0b9370dd854469b59d809892bd7539e58df78ca5a
                                • Instruction ID: 2f4864147cc1ba724e54cee90e93e8451f1a826c55619bd06868dc905786b5ce
                                • Opcode Fuzzy Hash: 4d67955bc0a3ab48fab6a9d0b9370dd854469b59d809892bd7539e58df78ca5a
                                • Instruction Fuzzy Hash: 3C012974708301ABDB24DF25D980B2B77A6AF84B40F14D46EE4859B385CB38EC45DB2A
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetFileAttributesW.KERNEL32(00000000,00000020), ref: 005EB350
                                  • Part of subcall function 004210CC: DeleteFileW.KERNEL32(00000000,?,?,0065916C,?,00641833,00000000,00641888,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 004210DC
                                  • Part of subcall function 004210CC: GetLastError.KERNEL32(00000000,?,?,0065916C,?,00641833,00000000,00641888,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 004210EB
                                  • Part of subcall function 004210CC: GetFileAttributesW.KERNEL32(00000000,00000000,?,?,0065916C,?,00641833,00000000,00641888,?,?,00000005,?,00000000,00000000,00000000), ref: 004210F3
                                  • Part of subcall function 004210CC: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,0065916C,?,00641833,00000000,00641888,?,?,00000005,?,00000000,00000000), ref: 0042110E
                                • MoveFileW.KERNEL32(00000000,00000000), ref: 005EB37D
                                  • Part of subcall function 005EA6F0: GetLastError.KERNEL32(00000000,005EB406,00000005,00000000,005EB42E,?,?,0065916C,?,00000000,00000000,00000000,?,006414CB,00000000,006414E6), ref: 005EA6F3
                                Strings
                                Similarity
                                • API ID: File$AttributesErrorLast$DeleteDirectoryMoveRemove
                                • String ID: DeleteFile$MoveFile
                                • API String ID: 3947864702-139070271
                                • Opcode ID: 6fd80354125dbb4379809672590ab41faad2cf04403bdd5e67ff10148a41c8e4
                                • Instruction ID: b6ee7f1feb9ed1f2c218bc936587419816df5ace98c0687c70325c9330a8c1f5
                                • Opcode Fuzzy Hash: 6fd80354125dbb4379809672590ab41faad2cf04403bdd5e67ff10148a41c8e4
                                • Instruction Fuzzy Hash: 67F01D756181858AFF08FAB6EA4266F67E4BB84704B61083AB444E35C7DA3CAC014669
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 005A3F04: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005A45DE,?,00000000,?,005A457E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005A45DE), ref: 005A3F20
                                • RegCloseKey.ADVAPI32(00000000,?,00000001,00000000,00000003,0060D7D0,00000003,00000000,0060DB1F,00000000,0060DCD9,?,0060D7D0,?,00000000,00000000), ref: 0060D9C9
                                Strings
                                Similarity
                                • API ID: CloseOpen
                                • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                • API String ID: 47109696-2631785700
                                • Opcode ID: 5b933e3601870fda77e202a50c8f1fdc8f89b796be14225c1a127625660e1cb7
                                • Instruction ID: 6229d22305a51dd3942b7f98a5f399f17d3a4273c01761a46a833f61d9c68e8a
                                • Opcode Fuzzy Hash: 5b933e3601870fda77e202a50c8f1fdc8f89b796be14225c1a127625660e1cb7
                                • Instruction Fuzzy Hash: 53F06231740110ABD718EB99D846B9F6BAAEF85311F50123AB185C7291E734CC41CB26
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • RegDeleteKeyW.ADVAPI32(?,00000000), ref: 005A3F38
                                • GetModuleHandleW.KERNEL32(advapi32.dll,RegDeleteKeyExW,?,00000000,005A411F,00000000,005A4137,?,?,?), ref: 005A3F53
                                Strings
                                Similarity
                                • API ID: DeleteHandleModule
                                • String ID: RegDeleteKeyExW$advapi32.dll
                                • API String ID: 3550747403-4033151799
                                • Opcode ID: 93664791e969e2adf2c5096f7206eea161424f8b558cac8c90cf8a8142c977a4
                                • Instruction ID: 5213ad7f365f74f0cfb20dc4d2980dbc2b6e26723643a136b63529edda768e07
                                • Opcode Fuzzy Hash: 93664791e969e2adf2c5096f7206eea161424f8b558cac8c90cf8a8142c977a4
                                • Instruction Fuzzy Hash: 6AE0E570A54321BEE328A3796C4DB9B1F29B70331EF001026F201910A183AC0D84C2A4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,?,00000004,006519D4,005F290A,005F2D24,005F2828,00000000,00000B06,00000000,00000000), ref: 005A4BEA
                                  • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                  • Part of subcall function 005A4B34: GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005A4C2A,?,00000004,006519D4,005F290A,005F2D24,005F2828,00000000,00000B06,00000000,00000000), ref: 005A4B4B
                                • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,?,00000004,006519D4,005F290A,005F2D24,005F2828,00000000,00000B06,00000000,00000000), ref: 005A4C1B
                                Strings
                                Similarity
                                • API ID: HandleModule$AddressChangeFilterMessageProcWindow
                                • String ID: ChangeWindowMessageFilterEx$user32.dll
                                • API String ID: 989041661-2676053874
                                • Opcode ID: 097a6e726a036a9a004ee6e68d12ee4f07bc9591ab0e18afef902c9974ffe3e7
                                • Instruction ID: b2e339d7e329d0beb36c4dd8547e21348f714d259603e658bd98444c04c1f1fd
                                • Opcode Fuzzy Hash: 097a6e726a036a9a004ee6e68d12ee4f07bc9591ab0e18afef902c9974ffe3e7
                                • Instruction Fuzzy Hash: 89F08270206721EFE725BBA5EC49B996AA6FBC6326F001525B10896290C7F50C85CEA4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040C3E1
                                • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040C43F
                                • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040C49C
                                • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040C4CF
                                  • Part of subcall function 0040C38C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040C44D), ref: 0040C3A3
                                  • Part of subcall function 0040C38C: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040C44D), ref: 0040C3C0
                                Similarity
                                • API ID: Thread$LanguagesPreferred$Language
                                • String ID:
                                • API String ID: 2255706666-0
                                • Opcode ID: 8f9c9f47cb9c4430323cdcce71d23944cbdb9bf8e7eab520e0b38eeede1cc02d
                                • Instruction ID: ec621cdcd2b35a43f341d5f990a479e142f5119caf1430b94791005b8de3e997
                                • Opcode Fuzzy Hash: 8f9c9f47cb9c4430323cdcce71d23944cbdb9bf8e7eab520e0b38eeede1cc02d
                                • Instruction Fuzzy Hash: 19316D70E0021ADBCB10DFA9C8D4ABEB3B5FF04315F00827AE811F7291DB789A048B54
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • MulDiv.KERNEL32(?,?,?), ref: 005ABF6D
                                • MulDiv.KERNEL32(?,005AC09F,?), ref: 005ABF80
                                • MulDiv.KERNEL32(?,?,?), ref: 005ABF97
                                • MulDiv.KERNEL32(?,005AC09F,?), ref: 005ABFB5
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • IsWindowVisible.USER32(?), ref: 005970AF
                                • GetWindowLongW.USER32(?,000000EC), ref: 005970F1
                                • SetWindowLongW.USER32 ref: 0059710B
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,C31852FF,?,02612E70,?,005971C5,?,?,?,02612E70), ref: 00597133
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Window$Long$Visible
                                • String ID:
                                • API String ID: 2967648141-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • FindResourceW.KERNEL32(00400000,?,?,0043F820,00400000,00000001,00000000,?,0045F73E,00000000,00000000,?,0065916C,?,?,00635074), ref: 0045F813
                                • LoadResource.KERNEL32(00400000,0045F898,00400000,?,?,0043F820,00400000,00000001,00000000,?,0045F73E,00000000,00000000,?,0065916C,?), ref: 0045F82D
                                • SizeofResource.KERNEL32(00400000,0045F898,00400000,0045F898,00400000,?,?,0043F820,00400000,00000001,00000000,?,0045F73E,00000000,00000000), ref: 0045F847
                                • LockResource.KERNEL32(0045F0E4,00000000,00400000,0045F898,00400000,0045F898,00400000,?,?,0043F820,00400000,00000001,00000000,?,0045F73E,00000000), ref: 0045F851
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Resource$FindLoadLockSizeof
                                • String ID:
                                • API String ID: 3473537107-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 005A3F04: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005A45DE,?,00000000,?,005A457E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005A45DE), ref: 005A3F20
                                • RegDeleteValueW.ADVAPI32(?,00000000,?,00000002,00000000,?,?,?,00610C8B), ref: 005ED564
                                • RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000002,00000000,?,?,?,00610C8B), ref: 005ED56D
                                • RemoveFontResourceW.GDI32(00000000), ref: 005ED57A
                                • SendNotifyMessageW.USER32(0000FFFF,0000001D,00000000,00000000), ref: 005ED58E
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: CloseDeleteFontMessageNotifyOpenRemoveResourceSendValue
                                • String ID:
                                • API String ID: 4283692357-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetWindowThreadProcessId.USER32(00000000), ref: 004EC361
                                • GetCurrentProcessId.KERNEL32(?,02604910,00000000,00597EA6,?,?,02604910,00000001,005961A3,?,00000000,00000000,00000000,00000000), ref: 004EC36A
                                • GlobalFindAtomW.KERNEL32(00000000), ref: 004EC37F
                                • GetPropW.USER32(00000000,00000000), ref: 004EC396
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                • String ID:
                                • API String ID: 2582817389-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ErrorLast$CountSleepTick
                                • String ID:
                                • API String ID: 2227064392-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32(00000008), ref: 0062E89D
                                • OpenProcessToken.ADVAPI32(00000000,00000008), ref: 0062E8A3
                                • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008), ref: 0062E8C5
                                • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008), ref: 0062E8D6
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                • String ID:
                                • API String ID: 215268677-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetDC.USER32(00000000), ref: 004D7991
                                • SelectObject.GDI32(00000000,058A00B4), ref: 004D79A3
                                • GetTextMetricsW.GDI32(00000000,?,00000000,058A00B4,00000000), ref: 004D79AE
                                • ReleaseDC.USER32 ref: 004D79BF
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: MetricsObjectReleaseSelectText
                                • String ID:
                                • API String ID: 2013942131-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • ShellExecuteExW.SHELL32(0000003C), ref: 005EC8BC
                                • GetLastError.KERNEL32(00000000,005EC904,?,?,?,00000001), ref: 005EC8CB
                                  • Part of subcall function 005A394C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005A395F
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: DirectoryErrorExecuteLastShellSystem
                                • String ID: <
                                • API String ID: 893404051-4251816714
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 0063F6DE
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Window
                                • String ID: /INITPROCWND=$%x $@
                                • API String ID: 2353593579-4169826103
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 006356D4: FreeLibrary.KERNEL32(73950000,00641094,00000000,006410A3,?,?,?,?,?,00641B87), ref: 006356EA
                                  • Part of subcall function 006352F0: GetTickCount.KERNEL32 ref: 00635338
                                  • Part of subcall function 005F2A20: SendMessageW.USER32(00000000,00000B01,00000000,00000000), ref: 005F2A3F
                                • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,00641B87), ref: 006410BD
                                • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,00641B87), ref: 006410C3
                                Strings
                                • Detected restart. Removing temporary directory., xrefs: 00641077
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                • String ID: Detected restart. Removing temporary directory.
                                • API String ID: 1717587489-3199836293
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 005A4D10: GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005A4C8E,?,?,?,006401A9,0000000A,00000002,00000001,00000031,00000000,006403D7), ref: 005A4D1E
                                • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate,?,?,?,006401A9,0000000A,00000002,00000001,00000031,00000000,006403D7,?,00000000,006404A4), ref: 005A4C98
                                  • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: HandleModule$AddressProc
                                • String ID: ShutdownBlockReasonCreate$user32.dll
                                • API String ID: 1883125708-2866557904
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemWow64DirectoryW,?,005EAED4,00000000,005EAFA6,?,?,0065916C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005A3992
                                  • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                • API String ID: 1646373207-1816364905
                                • Opcode ID: 4750d602ad308ccb7adb613c05a1d1678d2392c07dbf88f396cf309d05488d03
                                • Instruction ID: a3875471d22dbb8908dfc16eb6a04f758336defcc1aba30d91c990b7e63e7e7a
                                • Opcode Fuzzy Hash: 4750d602ad308ccb7adb613c05a1d1678d2392c07dbf88f396cf309d05488d03
                                • Instruction Fuzzy Hash: 94E026607407412BD70079BA4D83A5F16896BC2708F14093E3A84D63D7EDECCA4405A5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005A4C2A,?,00000004,006519D4,005F290A,005F2D24,005F2828,00000000,00000B06,00000000,00000000), ref: 005A4B4B
                                  • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.716722637.0000000000400000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717810194.000000000064D000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717828451.000000000064E000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717843458.000000000064F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717897553.0000000000658000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717921745.000000000065D000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717933378.000000000065F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717951241.0000000000660000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717982643.0000000000662000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: ChangeWindowMessageFilter$user32.dll
                                • API String ID: 1646373207-2498399450
                                • Opcode ID: caf34db5be61ae6469e658cbf304b0630bb86ccd49b17115889aa6b8a53ea783
                                • Instruction ID: b82861c74a6cc0106e7cca7d0862cbb5a313126ec04421456d41026ef1d98814
                                • Opcode Fuzzy Hash: caf34db5be61ae6469e658cbf304b0630bb86ccd49b17115889aa6b8a53ea783
                                • Instruction Fuzzy Hash: C2E09270200325EFEB11EB649C4CB8A3BA9EBC6306F101459B14086190C7FA48C8CAB0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005A4C8E,?,?,?,006401A9,0000000A,00000002,00000001,00000031,00000000,006403D7), ref: 005A4D1E
                                  • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.716722637.0000000000400000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717810194.000000000064D000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717828451.000000000064E000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717843458.000000000064F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717897553.0000000000658000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717921745.000000000065D000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717933378.000000000065F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717951241.0000000000660000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717982643.0000000000662000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: ShutdownBlockReasonDestroy$user32.dll
                                • API String ID: 1646373207-260599015
                                • Opcode ID: 42b195c067c28f7652c93cb0ee68bc7227fea085906d279e3cdeda4cdcd555de
                                • Instruction ID: 4ede204cae5e2b0d6ad9c99e364921ea429204a732818d560c908ff52081a9c0
                                • Opcode Fuzzy Hash: 42b195c067c28f7652c93cb0ee68bc7227fea085906d279e3cdeda4cdcd555de
                                • Instruction Fuzzy Hash: E5D0C9B2791762262A21A5FA2CD19EF068CDDD32AA3040576F700E6101EBD5DC5219A8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,0064C4FE,00000001,00000000,0064C524,?,?,000000EC,00000000), ref: 00641BC6
                                  • Part of subcall function 00412174: GetProcAddress.KERNEL32(?,?), ref: 0041219E
                                Strings
                                Memory Dump Source
                                • Source File: 00000002.00000002.716734843.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000002.00000002.716722637.0000000000400000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717810194.000000000064D000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717828451.000000000064E000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717843458.000000000064F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717897553.0000000000658000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717921745.000000000065D000.00000008.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717933378.000000000065F000.00000004.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717951241.0000000000660000.00000002.00020000.sdmp Download File
                                • Associated: 00000002.00000002.717982643.0000000000662000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID: AddressHandleModuleProc
                                • String ID: DisableProcessWindowsGhosting$user32.dll
                                • API String ID: 1646373207-834958232
                                • Opcode ID: 0a01ee0967953c6b8ef590af1f0977cf1e960ea14c571fadc8ec9ea188df74e5
                                • Instruction ID: 251b0dc01c587cd5dace92349042517d10dda6d8719e2677602cdd68d47e6b29
                                • Opcode Fuzzy Hash: 0a01ee0967953c6b8ef590af1f0977cf1e960ea14c571fadc8ec9ea188df74e5
                                • Instruction Fuzzy Hash: E5B092902C0302205B0876B30E028C9000A888370A70104653A00E8182EE9880D00076
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Executed Functions

                                Non-executed Functions

                                C-Code - Quality: 58%
                                			E010022FF(CHAR* _a4, CHAR** _a8, intOrPtr* _a12) {
                                				CHAR* _v8;
                                				CHAR* _v12;
                                				char _v272;
                                				char _v531;
                                				char _v532;
                                				char _v1556;
                                				CHAR* _t54;
                                				CHAR* _t56;
                                				CHAR* _t60;
                                				CHAR* _t61;
                                				void* _t62;
                                				signed char _t64;
                                				int _t80;
                                				CHAR* _t84;
                                				void* _t88;
                                				void* _t93;
                                				CHAR* _t94;
                                				char* _t114;
                                				CHAR* _t117;
                                				void* _t119;
                                				CHAR* _t123;
                                				CHAR* _t125;
                                				CHAR* _t126;
                                				CHAR* _t127;
                                				CHAR* _t131;
                                
                                				lstrcpyA( &_v532, _a4);
                                				if(_v532 != 0x22) {
                                					_t54 =  &_v532;
                                					_push(" ");
                                				} else {
                                					_t54 =  &_v531;
                                					_push("\"");
                                				}
                                				_v8 = _t54;
                                				_push( &_v8);
                                				_t56 = E01001840();
                                				_t123 = _v8;
                                				_v12 = _t56;
                                				if(E01001DA9(_t123) != 0) {
                                					lstrcpyA( &_v272, _t123);
                                				} else {
                                					lstrcpyA( &_v272, 0x100ac44);
                                					E01005B32( &_v272, _t123);
                                				}
                                				_t60 = E01005BE8(_t123, 0x2e);
                                				if(_t60 == 0 || lstrcmpiA(_t60, ".INF") != 0) {
                                					_t61 = E01005BE8(_t123, 0x2e);
                                					if(_t61 == 0 || lstrcmpiA(_t61, ".BAT") != 0) {
                                						_t62 = LocalAlloc(0x40, 0x400);
                                						_v8 = _t62;
                                						if(_t62 != 0) {
                                							_t64 = GetFileAttributesA( &_v272);
                                							if(_t64 == 0xffffffff || (_t64 & 0x00000010) != 0) {
                                								_push(_a4);
                                								goto L43;
                                							} else {
                                								lstrcpyA( &_v1556,  &_v272);
                                								_t114 = _v12;
                                								if(_t114 == 0 ||  *_t114 == 0) {
                                									L44:
                                									E010021FB( &_v1556, _v8);
                                									goto L45;
                                								} else {
                                									lstrcatA( &_v1556, " ");
                                									_push(_t114);
                                									L43:
                                									lstrcpyA( &_v1556, ??);
                                									goto L44;
                                								}
                                							}
                                						}
                                						_push(0);
                                						_push(0x10);
                                						_push(0);
                                						_push(0);
                                						_push(0x4b5);
                                						_push(0);
                                						goto L36;
                                					} else {
                                						_t125 = "Command.com /c %s";
                                						_t80 = lstrlenA(_t125);
                                						_t35 = lstrlenA( &_v272) + 8; // 0x8
                                						_t84 = LocalAlloc(0x40, _t80 + _t35);
                                						_t119 = 0;
                                						_v8 = _t84;
                                						if(_t84 == 0) {
                                							goto L17;
                                						}
                                						wsprintfA(_t84, _t125,  &_v272);
                                						goto L45;
                                					}
                                				} else {
                                					_t88 = E01005BCA( &_v272);
                                					if(_t88 != 0) {
                                						_v8 = _v12;
                                						_t126 = E01001840( &_v8, "[");
                                						lstrlenA("DefaultInstall");
                                						if(_t126 == 0) {
                                							_t127 = _v8;
                                						} else {
                                							if( *_t126 != 0) {
                                								_v8 = _t126;
                                							}
                                							E01001840( &_v8, "]");
                                							_t127 = _v8;
                                							if( *_t127 != 0) {
                                								lstrlenA(_t127);
                                							}
                                						}
                                						_t93 = LocalAlloc(0x40, 0x200);
                                						_t119 = 0;
                                						_v8 = _t93;
                                						if(_t93 != 0) {
                                							_t117 = "DefaultInstall";
                                							_t94 = _t127;
                                							if( *_t127 == 0) {
                                								_t94 = _t117;
                                							}
                                							 *0x100aa60 = GetPrivateProfileIntA(_t94, "Reboot", 0,  &_v272);
                                							 *_a12 = 1;
                                							if(GetPrivateProfileStringA("Version", "AdvancedINF", 0x1001251, _v8, 8,  &_v272) <= 0) {
                                								 *0x100b494 =  *0x100b494 & 0xfffffffb;
                                								if( *0x100aa64 != 0) {
                                									_t131 = "setupapi.dll";
                                								} else {
                                									_t131 = "setupx.dll";
                                									GetShortPathNameA( &_v272,  &_v272, 0x104);
                                								}
                                								if( *_t127 == 0) {
                                									_t127 = _t117;
                                								}
                                								wsprintfA(_v8, "rundll32.exe %s,InstallHinfSection %s 128 %s", _t131, _t127,  &_v272);
                                							} else {
                                								 *0x100b494 =  *0x100b494 | 0x00000004;
                                								if( *_t127 == 0) {
                                									_t127 = _t117;
                                								}
                                								lstrcpyA(_a4, _t127);
                                								lstrcpyA(_v8,  &_v272);
                                							}
                                							L45:
                                							 *_a8 = _v8;
                                							return 1;
                                						} else {
                                							L17:
                                							_push(_t119);
                                							_push(0x10);
                                							_push(_t119);
                                							_push(_t119);
                                							_push(0x4b5);
                                							_push(_t119);
                                							goto L36;
                                						}
                                					} else {
                                						_push(_t88);
                                						_push(0x10);
                                						_push(_t88);
                                						_push( &_v272);
                                						_push(0x525);
                                						_push(_t88);
                                						L36:
                                						E010038CC();
                                						return 0;
                                					}
                                				}
                                			}


                                APIs
                                • lstrcpyA.KERNEL32(?,?), ref: 0100231B
                                • lstrcpyA.KERNEL32(?,0100AC44), ref: 01002366
                                • lstrcpyA.KERNEL32(?,?), ref: 01002379
                                • lstrcmpiA.KERNEL32(00000000,.INF,?,0000002E), ref: 01002397
                                • lstrlenA.KERNEL32(DefaultInstall,?), ref: 010023E8
                                • lstrlenA.KERNEL32(?), ref: 0100240D
                                • LocalAlloc.KERNEL32(00000040,00000200), ref: 0100241B
                                • GetPrivateProfileIntA.KERNEL32 ref: 01002457
                                • GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,01001251,?,00000008,?), ref: 01002486
                                • lstrcpyA.KERNEL32(?,?), ref: 010024A2
                                • lstrcpyA.KERNEL32(?,?), ref: 010024AE
                                • GetShortPathNameA.KERNEL32(?,?,00000104), ref: 010024DE
                                • wsprintfA.USER32 ref: 01002503
                                • lstrcmpiA.KERNEL32(00000000,.BAT,?,0000002E,?,0000002E), ref: 01002525
                                • lstrlenA.KERNEL32(Command.com /c %s), ref: 01002537
                                • lstrlenA.KERNEL32(?), ref: 01002542
                                • LocalAlloc.KERNEL32(00000040,00000008), ref: 0100254B
                                • wsprintfA.USER32 ref: 01002567
                                • LocalAlloc.KERNEL32(00000040,00000400,?,0000002E,?,0000002E), ref: 0100257C
                                • GetFileAttributesA.KERNEL32(?), ref: 010025A4
                                • lstrcpyA.KERNEL32(?,?), ref: 010025C1
                                • lstrcatA.KERNEL32(?,01001324), ref: 010025E1
                                • lstrcpyA.KERNEL32(?,?), ref: 010025F0
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp Download File
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp Download File
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp Download File
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp Download File
                                Similarity
                                • API ID: lstrcpy$lstrlen$AllocLocal$PrivateProfilelstrcmpiwsprintf$AttributesFileNamePathShortStringlstrcat
                                • String ID: "$.BAT$.INF$AdvancedINF$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
                                • API String ID: 1932099537-3174370420
                                • Opcode ID: 9cfc3f925ef709eea2b6e4c056a8937429d4c1d82baa32382744840923556eea
                                • Instruction ID: f0cbcbf04177e37c30e3133f67ae01d03030f470cf72cf61e2aa79d8b69a16e6
                                • Opcode Fuzzy Hash: 9cfc3f925ef709eea2b6e4c056a8937429d4c1d82baa32382744840923556eea
                                • Instruction Fuzzy Hash: 47916071A00249BAFB23DBA4CD49FDE7BBCAB45700F144195F6C5E6080E7B5DA808B60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 88%
                                			E0100198B() {
                                				int* _v8;
                                				void* _v12;
                                				int* _v16;
                                				int _v20;
                                				int _v24;
                                				void _v283;
                                				char _v284;
                                				void _v543;
                                				char _v544;
                                				long _t47;
                                				struct HINSTANCE__* _t56;
                                				int _t59;
                                				CHAR* _t65;
                                				long _t71;
                                				signed int _t73;
                                				void* _t83;
                                				signed int _t85;
                                				signed int _t101;
                                				void* _t102;
                                				void* _t104;
                                
                                				_v284 = _v284 & 0x00000000;
                                				_v544 = _v544 & 0x00000000;
                                				_t85 = 0x40;
                                				memset( &_v283, 0, _t85 << 2);
                                				asm("stosw");
                                				_push(0x40);
                                				asm("stosb");
                                				memset( &_v543, 0, 0 << 2);
                                				_t104 = _t102 + 0x18;
                                				asm("stosw");
                                				asm("stosb");
                                				_v16 = 0;
                                				_t47 = RegCreateKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20);
                                				if(_t47 != 0) {
                                					return _t47;
                                				}
                                				_v8 = 0;
                                				while(1) {
                                					wsprintfA(0x100a2e0, "wextract_cleanup%d", _v8);
                                					_t104 = _t104 + 0xc;
                                					if(RegQueryValueExA(_v12, 0x100a2e0, 0, 0, 0,  &_v24) != 0) {
                                						break;
                                					}
                                					_v8 =  &(_v8[0]);
                                					if(_v8 < 0xc8) {
                                						continue;
                                					}
                                					break;
                                				}
                                				if(_v8 != 0xc8) {
                                					GetSystemDirectoryA( &_v544, 0x104);
                                					E01005B32( &_v544, "advpack.dll");
                                					_t56 = LoadLibraryA( &_v544);
                                					_v8 = _t56;
                                					if(_t56 == 0) {
                                						L12:
                                						if(GetModuleFileNameA( *0x100b4a4,  &_v284, 0x104) != 0) {
                                							L10:
                                							_t59 = lstrlenA(0x100ac44);
                                							_t31 = lstrlenA( &_v284) + 0x50; // 0x50
                                							_t83 = LocalAlloc(0x40, _t59 + _t31);
                                							if(_t83 != 0) {
                                								_t65 = "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"";
                                								 *0x100a330 = 0 | _v16 == 0x00000000;
                                								if(_v16 == 0) {
                                									_t65 = "%s /D:%s";
                                								}
                                								wsprintfA(_t83, _t65,  &_v284, 0x100ac44);
                                								RegSetValueExA(_v12, 0x100a2e0, 0, 1, _t83, lstrlenA(_t83) + 1);
                                								RegCloseKey(_v12);
                                								_t71 = LocalFree(_t83);
                                								L17:
                                								return _t71;
                                							}
                                							E010038CC(0, 0x4b5, 0, 0, 0x10, 0);
                                						}
                                						_t71 = RegCloseKey(_v12);
                                						goto L17;
                                					}
                                					_t73 = GetProcAddress(_t56, "DelNodeRunDLL32");
                                					asm("sbb esi, esi");
                                					_t101 =  ~( ~_t73);
                                					_v16 = _t101;
                                					FreeLibrary(_v8);
                                					if(_t101 == 0) {
                                						goto L12;
                                					}
                                					if(GetSystemDirectoryA( &_v284, 0x104) != 0) {
                                						E01005B32( &_v284, 0x1001251);
                                					}
                                					goto L10;
                                				}
                                				_t71 = RegCloseKey(_v12);
                                				 *0x100a2e0 =  *0x100a2e0 & 0x00000000;
                                				goto L17;
                                			}

                                APIs
                                • RegCreateKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 010019E4
                                • wsprintfA.USER32 ref: 01001A09
                                • RegQueryValueExA.ADVAPI32(?,0100A2E0,00000000,00000000,00000000,?), ref: 01001A1D
                                • RegCloseKey.ADVAPI32(?), ref: 01001A37
                                • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 01001A56
                                • LoadLibraryA.KERNEL32(00000000,00000000,advpack.dll), ref: 01001A74
                                • GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 01001A8B
                                • FreeLibrary.KERNEL32(?), ref: 01001A9F
                                • GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 01001AB1
                                • lstrlenA.KERNEL32(0100AC44), ref: 01001AD7
                                • lstrlenA.KERNEL32(00000000), ref: 01001AE2
                                • LocalAlloc.KERNEL32(00000040,00000050), ref: 01001AEB
                                • GetModuleFileNameA.KERNEL32(00000000,00000104), ref: 01001B19
                                • RegCloseKey.ADVAPI32(?,00000000,000004B5,00000000,00000000,00000010,00000000), ref: 01001B26
                                • wsprintfA.USER32 ref: 01001B59
                                • lstrlenA.KERNEL32(00000000), ref: 01001B63
                                • RegSetValueExA.ADVAPI32(?,0100A2E0,00000000,00000001,00000000,00000001), ref: 01001B70
                                • RegCloseKey.ADVAPI32(?), ref: 01001B79
                                • LocalFree.KERNEL32(00000000), ref: 01001B80
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Closelstrlen$DirectoryFreeLibraryLocalSystemValuewsprintf$AddressAllocCreateFileLoadModuleNameProcQuery
                                • String ID: %s /D:%s$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d
                                • API String ID: 3084642846-242633136
                                • Opcode ID: c9262a911cf3084d63b0fa5f4be99a77ebbc8ce96a0a011a0b05c5970966fbed
                                • Instruction ID: bcd9c67c776e79ec80fa89b258506c9e143caafd4bb2848af9ab02cf1fab0281
                                • Opcode Fuzzy Hash: c9262a911cf3084d63b0fa5f4be99a77ebbc8ce96a0a011a0b05c5970966fbed
                                • Instruction Fuzzy Hash: 31514071A40218BBEB229BA5DD49EDE7BBCEB08700F004495F685E6085D7B9DA41CF90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E01001C7F(void* _a4) {
                                				char _v264;
                                				struct _WIN32_FIND_DATAA _v584;
                                				void* _t23;
                                				int _t30;
                                				CHAR* _t53;
                                
                                				_t53 = _a4;
                                				if(_t53 == 0 ||  *_t53 == 0) {
                                					return _t23;
                                				} else {
                                					lstrcpyA( &_v264, _t53);
                                					lstrcatA( &_v264, "*");
                                					_t30 = FindFirstFileA( &_v264,  &_v584);
                                					_a4 = _t30;
                                					if(_t30 == 0xffffffff) {
                                						L10:
                                						return _t30;
                                					} else {
                                						goto L3;
                                					}
                                					do {
                                						L3:
                                						lstrcpyA( &_v264, _t53);
                                						if((_v584.dwFileAttributes & 0x00000010) == 0) {
                                							lstrcatA( &_v264,  &(_v584.cFileName));
                                							SetFileAttributesA( &_v264, 0x80);
                                							DeleteFileA( &_v264);
                                						} else {
                                							if(lstrcmpA( &(_v584.cFileName), ".") != 0 && lstrcmpA( &(_v584.cFileName), "..") != 0) {
                                								lstrcatA( &_v264,  &(_v584.cFileName));
                                								E01005B32( &_v264, 0x1001251);
                                								E01001C7F( &_v264);
                                							}
                                						}
                                					} while (FindNextFileA(_a4,  &_v584) != 0);
                                					FindClose(_a4);
                                					_t30 = RemoveDirectoryA(_t53);
                                					goto L10;
                                				}
                                			}

                                APIs
                                • lstrcpyA.KERNEL32(?,00000000,00000001,0100ABB4,00000000), ref: 01001CAD
                                • lstrcatA.KERNEL32(?,0100128C), ref: 01001CC1
                                • FindFirstFileA.KERNEL32(?,?), ref: 01001CD1
                                • lstrcpyA.KERNEL32(?,00000000), ref: 01001CEB
                                • lstrcmpA.KERNEL32(?,01001288), ref: 01001D02
                                • lstrcmpA.KERNEL32(?,01001284), ref: 01001D18
                                • lstrcatA.KERNEL32(?,?), ref: 01001D30
                                  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                • lstrcatA.KERNEL32(?,?), ref: 01001D59
                                • SetFileAttributesA.KERNEL32(?,00000080), ref: 01001D67
                                • DeleteFileA.KERNEL32(?), ref: 01001D74
                                • FindNextFileA.KERNEL32(00000000,00000010), ref: 01001D84
                                • FindClose.KERNEL32(00000000), ref: 01001D95
                                • RemoveDirectoryA.KERNEL32(00000000), ref: 01001D9C
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: File$Findlstrcatlstrcpy$lstrcmp$AttributesCharCloseDeleteDirectoryFirstNextPrevRemovelstrlen
                                • String ID:
                                • API String ID: 2233361564-0
                                • Opcode ID: 678c5ee2d3b4477588ce13c604fb9acbca6998944e647f19a3d9bdee4b119596
                                • Instruction ID: a00f6dc85045b5a751000bc1c93d4bef5bd8a44fc60f5db9cfdca4d6f7f72306
                                • Opcode Fuzzy Hash: 678c5ee2d3b4477588ce13c604fb9acbca6998944e647f19a3d9bdee4b119596
                                • Instruction Fuzzy Hash: 0F3119B690415DABEF62EBB5DD88FCA7BBCAF14340F440592B6C5D2084DBB4D6848F60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 83%
                                			E01004560(void* __edx, CHAR* _a4, long _a8) {
                                				struct _PROCESS_INFORMATION _v20;
                                				char _v532;
                                				void* __esi;
                                				void* _t40;
                                				signed int _t41;
                                				void* _t42;
                                
                                				_t42 = __edx;
                                				_t40 = 1;
                                				if(_a4 == 0) {
                                					return 0;
                                				}
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				asm("stosd");
                                				if(CreateProcessA(0, _a4, 0, 0, 0, 0x20, 0, 0, _a8,  &_v20) == 0) {
                                					 *0x100aa5c = E01003547();
                                					FormatMessageA(0x1000, 0, GetLastError(), 0,  &_v532, 0x200, 0);
                                					E010038CC(0, 0x4c4, _a4,  &_v532, 0x10, 0);
                                					L11:
                                					_t40 = 0;
                                					L12:
                                					return _t40;
                                				}
                                				WaitForSingleObject(_v20.hProcess, 0xffffffff);
                                				_t34 = GetExitCodeProcess(_v20.hProcess,  &_a8);
                                				_t41 = _a8;
                                				if( *0x100b888 == 0) {
                                					_t34 =  *0x100b48c;
                                					if((1 & _t34) != 0 && (_t34 & 0x00000002) == 0) {
                                						_t34 = _t41 & 0xff000000;
                                						if((_t41 & 0xff000000) == 0xaa000000) {
                                							 *0x100b48c = _t41;
                                						}
                                					}
                                				}
                                				E010028FA(_t34, _t42, 0, _t41);
                                				CloseHandle(_v20.hThread);
                                				CloseHandle(_v20);
                                				if(( *0x100b495 & 0x00000004) == 0 || _a8 >= 0) {
                                					goto L12;
                                				} else {
                                					goto L11;
                                				}
                                			}

                                APIs
                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,?,?), ref: 01004595
                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 010045A4
                                • GetExitCodeProcess.KERNEL32 ref: 010045B1
                                • CloseHandle.KERNEL32(?,?), ref: 010045F2
                                • CloseHandle.KERNEL32(?), ref: 010045F7
                                • GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 01004621
                                • FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 0100462E
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
                                • String ID:
                                • API String ID: 3183975587-0
                                • Opcode ID: 521ea50d05393f7b441a9303c58d12ddde742c28ef66ee014f6124b9fdf35f91
                                • Instruction ID: 4dc6fc445a0a4644286cad31dd2cd9ca33170ca9f30bc41b6ca94f876d6a0a06
                                • Opcode Fuzzy Hash: 521ea50d05393f7b441a9303c58d12ddde742c28ef66ee014f6124b9fdf35f91
                                • Instruction Fuzzy Hash: 4521AD35501228BFEB239FA5CC48EEF7BA9FF09360F004025FB94D6095C6768644CBA5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                • GetCurrentProcess.KERNEL32(00000028,?), ref: 010018C2
                                • OpenProcessToken.ADVAPI32(00000000), ref: 010018C9
                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 010018EB
                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0100190A
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                • String ID: SeShutdownPrivilege
                                • API String ID: 2349140579-3733053543
                                • Opcode ID: 593663a4c8d54b802f0f1e7a054ef3afb4eab00d1d64c970485e8e945c1f4114
                                • Instruction ID: 05607d40d37e3d7cfa1acf5e7c24027e9414555ed0db78eb33ce689f5d9f9449
                                • Opcode Fuzzy Hash: 593663a4c8d54b802f0f1e7a054ef3afb4eab00d1d64c970485e8e945c1f4114
                                • Instruction Fuzzy Hash: 21014C71642225BAF7329BA28C0DFEF7EACEF06794F000410BA89E40C5D6B5D70496F5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 91%
                                			E01005288(void* __ecx, void* __edx) {
                                				void* __edi;
                                				signed int _t88;
                                				signed int _t89;
                                				signed int _t91;
                                				signed int _t101;
                                				signed int _t104;
                                				signed int _t109;
                                				signed int _t112;
                                				signed int _t114;
                                				signed char _t115;
                                				signed int _t117;
                                				signed int _t119;
                                				int _t121;
                                				void* _t122;
                                				signed int _t128;
                                				short _t132;
                                				signed char _t134;
                                				signed char _t135;
                                				void* _t138;
                                				signed int _t143;
                                				struct HINSTANCE__* _t146;
                                				void* _t151;
                                				void* _t153;
                                				void* _t154;
                                
                                				_t138 = __edx;
                                				_t151 = _t153 - 0x78;
                                				_t154 = _t153 - 0x184;
                                				 *(_t151 + 0x70) = 0;
                                				 *(_t151 + 0x60) = 0;
                                				 *(_t151 + 0x5c) = 0;
                                				 *0x100aa5c = 0;
                                				if( *0x100b888 != 0) {
                                					L4:
                                					 *(_t151 + 0x6c) = 0;
                                					do {
                                						__eflags =  *0x100baa2;
                                						_t128 = 0x11;
                                						memset(_t151 - 8, 0, _t128 << 2);
                                						_t154 = _t154 + 0xc;
                                						 *(_t151 + 0x70) = 0;
                                						 *(_t151 - 8) = 0x44;
                                						if(__eflags != 0) {
                                							lstrcpyA(_t151 - 0x10c, 0x100baa2);
                                							_t143 = 1;
                                							__eflags = 1;
                                							L29:
                                							__eflags =  *(_t151 + 0x6c) - _t143;
                                							if( *(_t151 + 0x6c) != _t143) {
                                								L33:
                                								_t88 = E010022FF(_t151 - 0x10c, _t151 + 0x74, _t151 + 0x70);
                                								__eflags = _t88;
                                								if(_t88 == 0) {
                                									L27:
                                									_t89 = 0;
                                									L63:
                                									L64:
                                									return _t89;
                                								}
                                								__eflags =  *(_t151 + 0x5c);
                                								if( *(_t151 + 0x5c) != 0) {
                                									L39:
                                									__eflags =  *(_t151 + 0x70);
                                									if( *(_t151 + 0x70) == 0) {
                                										L57:
                                										_t91 = E01004560(_t138,  *(_t151 + 0x74), _t151 - 8);
                                										__eflags = _t91;
                                										if(_t91 == 0) {
                                											L70:
                                											LocalFree( *(_t151 + 0x74));
                                											goto L27;
                                										}
                                										goto L58;
                                									}
                                									L40:
                                									__eflags =  *0x100a2c0; // 0x1
                                									if(__eflags == 0) {
                                										E010038CC(0, 0x4c7, 0, 0, 0x10, 0);
                                										LocalFree( *(_t151 + 0x74));
                                										 *0x100aa5c = 0x8007042b;
                                										goto L27;
                                									}
                                									__eflags =  *(_t151 + 0x70);
                                									if( *(_t151 + 0x70) == 0) {
                                										goto L57;
                                									}
                                									__eflags =  *0x100b494 & 0x00000004;
                                									if(( *0x100b494 & 0x00000004) == 0) {
                                										goto L57;
                                									}
                                									_t146 = E0100370F("advpack.dll");
                                									__eflags = _t146;
                                									if(_t146 == 0) {
                                										E010038CC(0, 0x4c8, "advpack.dll", 0, 0x10, 0);
                                										L68:
                                										LocalFree( *(_t151 + 0x74));
                                										 *0x100aa5c = E01003547();
                                										goto L27;
                                									}
                                									_t101 = GetProcAddress(_t146, "DoInfInstall");
                                									__eflags = _t101;
                                									if(_t101 == 0) {
                                										E010038CC(0, 0x4c9, "DoInfInstall", 0, 0x10, 0);
                                										FreeLibrary(_t146);
                                										goto L68;
                                									}
                                									__eflags =  *0x100b890;
                                									 *(_t151 + 0x44) =  *(_t151 + 0x74);
                                									 *((intOrPtr*)(_t151 + 0x4c)) = _t151 - 0x10c;
                                									_t132 =  *0x100aa64; // 0x0
                                									 *((short*)(_t151 + 0x50)) = _t132;
                                									 *((intOrPtr*)(_t151 + 0x3c)) = 0;
                                									 *((intOrPtr*)(_t151 + 0x40)) = 0x100abb4;
                                									 *((intOrPtr*)(_t151 + 0x48)) = 0x100ac44;
                                									 *(_t151 + 0x54) =  *0x100b898 & 0x0000ffff;
                                									if( *0x100b890 != 0) {
                                										_t54 = _t151 + 0x56;
                                										 *_t54 =  *(_t151 + 0x56) | 0x00000001;
                                										__eflags =  *_t54;
                                									}
                                									_t134 =  *0x100b494;
                                									__eflags = _t134 & 0x00000008;
                                									if((_t134 & 0x00000008) != 0) {
                                										_t58 = _t151 + 0x56;
                                										 *_t58 =  *(_t151 + 0x56) | 0x00000002;
                                										__eflags =  *_t58;
                                									}
                                									__eflags = _t134 & 0x00000010;
                                									if((_t134 & 0x00000010) != 0) {
                                										_t62 = _t151 + 0x56;
                                										 *_t62 =  *(_t151 + 0x56) | 0x00000004;
                                										__eflags =  *_t62;
                                									}
                                									_t135 =  *0x100bba8;
                                									__eflags = _t135 & 0x00000040;
                                									if((_t135 & 0x00000040) != 0) {
                                										_t66 = _t151 + 0x56;
                                										 *_t66 =  *(_t151 + 0x56) | 0x00000008;
                                										__eflags =  *_t66;
                                									}
                                									__eflags = _t135;
                                									if(_t135 < 0) {
                                										_t68 = _t151 + 0x56;
                                										 *_t68 =  *(_t151 + 0x56) | 0x00000010;
                                										__eflags =  *_t68;
                                									}
                                									 *((intOrPtr*)(_t151 + 0x58)) =  *0x100b498;
                                									_t104 =  *_t101(_t151 + 0x3c);
                                									__eflags = _t104;
                                									 *0x100aa5c = _t104;
                                									_push(_t146);
                                									if(_t104 < 0) {
                                										FreeLibrary();
                                										goto L70;
                                									} else {
                                										FreeLibrary();
                                										goto L58;
                                									}
                                								}
                                								__eflags =  *0x100aa64 - _t143; // 0x0
                                								if(__eflags == 0) {
                                									goto L39;
                                								}
                                								__eflags =  *0x100b880;
                                								if( *0x100b880 == 0) {
                                									goto L39;
                                								}
                                								__eflags =  *(_t151 + 0x70);
                                								if( *(_t151 + 0x70) != 0) {
                                									goto L40;
                                								}
                                								 *(_t151 + 0x5c) = _t143;
                                								E0100198B();
                                								goto L39;
                                							}
                                							_t109 = E01002A34("POSTRUNPROGRAM", _t151 - 0x10c, 0x104);
                                							__eflags = _t109;
                                							if(_t109 == 0) {
                                								L26:
                                								E010038CC(0, 0x4b1, 0, 0, 0x10, 0);
                                								 *0x100aa5c = 0x80070714;
                                								goto L27;
                                							}
                                							__eflags =  *0x100baa2;
                                							if( *0x100baa2 != 0) {
                                								L60:
                                								__eflags =  *0x100a330; // 0x0
                                								if(__eflags != 0) {
                                									E01001B8B(_t143);
                                								}
                                								_t89 = _t143;
                                								goto L63;
                                							}
                                							_t112 = lstrcmpiA(_t151 - 0x10c, "<None>");
                                							__eflags = _t112;
                                							if(_t112 == 0) {
                                								goto L60;
                                							}
                                							goto L33;
                                						}
                                						_t114 = E01002A34("SHOWWINDOW", _t151 + 0x68, 4);
                                						__eflags = _t114;
                                						if(_t114 == 0) {
                                							goto L26;
                                						}
                                						__eflags = _t114 - 4;
                                						if(_t114 > 4) {
                                							goto L26;
                                						}
                                						_t143 = 1;
                                						__eflags =  *((intOrPtr*)(_t151 + 0x68)) - 1;
                                						if( *((intOrPtr*)(_t151 + 0x68)) != 1) {
                                							__eflags =  *((intOrPtr*)(_t151 + 0x68)) - 2;
                                							if( *((intOrPtr*)(_t151 + 0x68)) != 2) {
                                								__eflags =  *((intOrPtr*)(_t151 + 0x68)) - 3;
                                								if( *((intOrPtr*)(_t151 + 0x68)) != 3) {
                                									L15:
                                									__eflags =  *(_t151 + 0x6c);
                                									if( *(_t151 + 0x6c) != 0) {
                                										goto L29;
                                									}
                                									_t115 =  *0x100b898;
                                									__eflags = _t115;
                                									if(_t115 == 0) {
                                										L24:
                                										__eflags =  *(_t151 + 0x60);
                                										if( *(_t151 + 0x60) != 0) {
                                											goto L33;
                                										}
                                										_t117 = E01002A34("RUNPROGRAM", _t151 - 0x10c, 0x104);
                                										__eflags = _t117;
                                										if(_t117 != 0) {
                                											goto L29;
                                										}
                                										goto L26;
                                									}
                                									__eflags = _t115 & 0x00000001;
                                									if((_t115 & 0x00000001) == 0) {
                                										__eflags = _t115 & 0x00000002;
                                										if((_t115 & 0x00000002) != 0) {
                                											 *((intOrPtr*)(_t151 + 0x64)) = "USRQCMD";
                                										}
                                									} else {
                                										 *((intOrPtr*)(_t151 + 0x64)) = "ADMQCMD";
                                									}
                                									_t119 = E01002A34( *((intOrPtr*)(_t151 + 0x64)), _t151 - 0x10c, 0x104);
                                									__eflags = _t119;
                                									if(_t119 == 0) {
                                										goto L26;
                                									} else {
                                										_t121 = lstrcmpiA(_t151 - 0x10c, "<None>");
                                										__eflags = _t121;
                                										if(_t121 != 0) {
                                											 *(_t151 + 0x60) = _t143;
                                										}
                                										goto L24;
                                									}
                                								}
                                								 *((short*)(_t151 + 0x28)) = 3;
                                								L14:
                                								 *(_t151 + 0x24) = _t143;
                                								goto L15;
                                							}
                                							 *((short*)(_t151 + 0x28)) = 6;
                                							goto L14;
                                						}
                                						 *((short*)(_t151 + 0x28)) = 0;
                                						goto L14;
                                						L58:
                                						LocalFree( *(_t151 + 0x74));
                                						 *(_t151 + 0x6c) =  *(_t151 + 0x6c) + 1;
                                						__eflags =  *(_t151 + 0x6c) - 2;
                                					} while ( *(_t151 + 0x6c) < 2);
                                					_t143 = 1;
                                					__eflags = 1;
                                					goto L60;
                                				}
                                				_t122 = E01002A34("REBOOT", 0x100b48c, 4);
                                				if(_t122 == 0 || _t122 > 4) {
                                					E010038CC(0, 0x4b1, 0, 0, 0x10, 0);
                                					 *0x100aa5c = 0x80070714;
                                					_t89 = 0;
                                					goto L64;
                                				} else {
                                					goto L4;
                                				}
                                			}


                                APIs
                                • lstrcpyA.KERNEL32(?,0100BAA2), ref: 0100540C
                                • lstrcmpiA.KERNEL32(?,<None>,?,?,00000104,SHOWWINDOW,?,00000004), ref: 010053AF
                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A4C
                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A6C
                                  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A73
                                • lstrcmpiA.KERNEL32(?,<None>,POSTRUNPROGRAM,?,00000104), ref: 0100544C
                                • GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 010054DA
                                • FreeLibrary.KERNEL32(00000000), ref: 01005575
                                • LocalFree.KERNEL32(?), ref: 01005594
                                • LocalFree.KERNEL32(?,00000000,000004C7,00000000,00000000,00000010,00000000), ref: 010055D0
                                • FreeLibrary.KERNEL32(00000000,00000000,000004C9,DoInfInstall,00000000,00000010,00000000), ref: 0100560C
                                • LocalFree.KERNEL32(?,00000000,000004C8,advpack.dll,00000000,00000010,00000000), ref: 01005615
                                • FreeLibrary.KERNEL32(00000000), ref: 01005626
                                • LocalFree.KERNEL32(?), ref: 0100562F
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Free$Resource$Local$Library$Findlstrcmpi$AddressLoadLockProcSizeoflstrcpy
                                • String ID: <None>$ADMQCMD$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll
                                • API String ID: 770626793-3268567995
                                • Opcode ID: 17f9093c21898f5e7b253f3213c0357081469c345abc6d70ccaf60d6cd4c2e8d
                                • Instruction ID: 2f43a83221f47182914e3832709c3c8ca3f90824a361c088b79cbbea01e2dab8
                                • Opcode Fuzzy Hash: 17f9093c21898f5e7b253f3213c0357081469c345abc6d70ccaf60d6cd4c2e8d
                                • Instruction Fuzzy Hash: ACA1C070A003499BFF23DF65CC85AEE3BA9AB05305F00416AFAC5960D1DBB68984CF24
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E010030A7(CHAR* _a4) {
                                				signed int _v8;
                                				CHAR* _v265;
                                				char _v266;
                                				char _v267;
                                				char _v268;
                                				CHAR* _t67;
                                				CHAR* _t72;
                                				void* _t76;
                                				void* _t78;
                                				void* _t80;
                                				void* _t95;
                                				CHAR* _t103;
                                				CHAR* _t104;
                                				CHAR* _t105;
                                				void* _t112;
                                				CHAR* _t114;
                                				void* _t116;
                                				void* _t118;
                                				void* _t120;
                                				CHAR* _t122;
                                				void* _t123;
                                				CHAR* _t127;
                                				void* _t129;
                                				void* _t130;
                                				void* _t131;
                                				void* _t132;
                                				void* _t134;
                                				signed char _t138;
                                				char _t139;
                                				CHAR* _t140;
                                				CHAR* _t141;
                                				char _t143;
                                				signed int _t144;
                                				signed int _t145;
                                				signed int _t146;
                                				signed int _t148;
                                				signed int _t153;
                                				CHAR* _t155;
                                				CHAR* _t156;
                                				CHAR* _t157;
                                				CHAR** _t158;
                                				CHAR** _t159;
                                				void* _t160;
                                
                                				_t67 = _a4;
                                				_t148 = 1;
                                				_v8 = 1;
                                				if(_t67 == 0 ||  *_t67 == 0) {
                                					return _t148;
                                				} else {
                                					_t141 = _t67;
                                					L3:
                                					while(_v8 != 0) {
                                						_t143 =  *_t72;
                                						if(_t143 == 0x20 || _t143 == 9 || _t143 == 0xd || _t143 == 0xa || _t143 == 0xb || _t143 == 0xc) {
                                							_t72 = CharNextA(_t72);
                                							continue;
                                						}
                                						if( *_t72 == 0) {
                                							break;
                                						}
                                						_t144 = 0;
                                						_t146 = 0;
                                						_t141 = _t72;
                                						_t153 = 0;
                                						do {
                                							if(_t146 != 0) {
                                								if(_t153 != 0) {
                                									break;
                                								}
                                								goto L23;
                                							}
                                							_t139 =  *_t141;
                                							if(_t139 == 0x20 || _t139 == 9 || _t139 == 0xd || _t139 == 0xa || _t139 == 0xb || _t139 == 0xc) {
                                								break;
                                							} else {
                                							}
                                							L23:
                                							_t138 =  *_t141;
                                							if(_t138 != 0x22) {
                                								 *(_t160 + _t144 - 0x108) = _t138;
                                								_t144 = _t144 + 1;
                                								_t141 =  &(_t141[1]);
                                							} else {
                                								_t4 =  &(_t141[1]); // 0x1
                                								_t140 = _t4;
                                								if( *_t140 == 0x22) {
                                									 *(_t160 + _t144 - 0x108) = 0x22;
                                									_t144 = _t144 + 1;
                                									_t141 =  &(_t141[2]);
                                								} else {
                                									if(_t146 != 0) {
                                										_t153 = _t148;
                                									} else {
                                										_t146 = _t148;
                                									}
                                									_t141 = _t140;
                                								}
                                							}
                                						} while ( *_t141 != 0);
                                						 *(_t160 + _t144 - 0x108) =  *(_t160 + _t144 - 0x108) & 0x00000000;
                                						if(_t146 == 0) {
                                							if(_t153 != 0) {
                                								L34:
                                								_v8 = _v8 & 0x00000000;
                                								break;
                                							}
                                							L40:
                                							if(_v268 == 0x2f || _v268 == 0x2d) {
                                								_t76 = CharUpperA(_v267) - 0x3f;
                                								if(_t76 == 0) {
                                									E0100189E();
                                									_t78 =  *0x100aa54; // 0x0
                                									if(_t78 != 0) {
                                										CloseHandle(_t78);
                                									}
                                									ExitProcess(0);
                                								}
                                								_t80 = _t76 - 4;
                                								if(_t80 == 0) {
                                									if(_v266 != 0) {
                                										if(_v266 != 0x3a) {
                                											L49:
                                											_v8 = _v8 & 0x00000000;
                                											L50:
                                											if( *_t141 != 0) {
                                												goto L3;
                                											}
                                											break;
                                										}
                                										_t155 = (0 | _v265 == 0x00000022) + 3;
                                										_t149 = _t160 + _t155 - 0x108;
                                										if(lstrlenA(_t160 + _t155 - 0x108) == 0 || E01005B00(_t149, 0x5b) != 0 && E01005B00(_t149, 0x5d) == 0 || E01005B00(_t149, 0x5d) != 0 && E01005B00(_t149, 0x5b) == 0) {
                                											L113:
                                											_v8 = _v8 & 0x00000000;
                                											goto L114;
                                										} else {
                                											_a4 = _t155;
                                											if(E0100302B(_t149,  &_a4) != 0) {
                                												lstrcpyA(0x100baa2, _t160 +  &(_a4[_t155]) - 0x108);
                                												L114:
                                												_t148 = 1;
                                												goto L50;
                                											}
                                											goto L113;
                                										}
                                									}
                                									 *0x100b884 = _t148;
                                									goto L50;
                                								}
                                								_t95 = _t80 - 1;
                                								if(_t95 == 0) {
                                									L96:
                                									if(_v266 != 0x3a) {
                                										goto L49;
                                									}
                                									_t156 = (0 | _v265 == 0x00000022) + 3;
                                									_t151 = _t160 + _t156 - 0x108;
                                									if(lstrlenA(_t160 + _t156 - 0x108) == 0) {
                                										goto L113;
                                									}
                                									_a4 = _t156;
                                									if(E0100302B(_t151,  &_a4) == 0) {
                                										goto L113;
                                									}
                                									_t103 = CharUpperA(_v267);
                                									_t104 = _a4;
                                									if(_t103 != 0x54) {
                                										_t105 =  &(_t104[_t156]);
                                										_t157 = 0x100b89a;
                                									} else {
                                										_t105 =  &(_t104[_t156]);
                                										_t157 = 0x100b99e;
                                									}
                                									lstrcpyA(_t157, _t160 + _t105 - 0x108);
                                									E01005B32(_t157, 0x1001251);
                                									if(E0100285F(_t157) != 0) {
                                										goto L114;
                                									} else {
                                										goto L103;
                                									}
                                								}
                                								_t112 = _t95 - 0xa;
                                								if(_t112 == 0) {
                                									if(_v266 != 0) {
                                										if(_v266 != 0x3a) {
                                											goto L49;
                                										}
                                										if(_v265 == 0) {
                                											goto L50;
                                										}
                                										_t158 =  &_v265;
                                										do {
                                											_t114 = CharUpperA( *_t158);
                                											_t158 =  &(_t158[0]);
                                											_t116 = _t114 - 0x45;
                                											if(_t116 == 0) {
                                												 *0x100b88c = _t148;
                                											} else {
                                												_t118 = _t116;
                                												if(_t118 == 0) {
                                													 *0x100b890 = _t148;
                                												} else {
                                													if(_t118 == 0xf) {
                                														 *0x100b894 = _t148;
                                													} else {
                                														_v8 = _v8 & 0x00000000;
                                													}
                                												}
                                											}
                                										} while ( *_t158 != 0);
                                										goto L50;
                                									}
                                									 *0x100b88c = _t148;
                                									goto L50;
                                								}
                                								_t145 = 3;
                                								_t120 = _t112 - _t145;
                                								if(_t120 == 0) {
                                									if(_v266 == 0) {
                                										L80:
                                										 *0x100b898 = 2;
                                										goto L50;
                                									}
                                									if(_v266 != 0x3a) {
                                										goto L49;
                                									}
                                									_t122 = CharUpperA(_v265);
                                									if(_t122 == 0x31) {
                                										goto L80;
                                									}
                                									if(_t122 == 0x41) {
                                										 *0x100b898 = _t148;
                                										goto L50;
                                									}
                                									if(_t122 != 0x55) {
                                										goto L49;
                                									}
                                									goto L80;
                                								}
                                								_t123 = _t120 - 1;
                                								if(_t123 == 0) {
                                									if(_v266 != 0) {
                                										if(_v266 != 0x3a) {
                                											if(lstrcmpiA("RegServer",  &_v267) == 0) {
                                												goto L50;
                                											}
                                											goto L49;
                                										}
                                										 *0x100b48c = _t148;
                                										if(_v265 == 0) {
                                											goto L50;
                                										}
                                										_t159 =  &_v265;
                                										do {
                                											_t127 = CharUpperA( *_t159);
                                											_t159 =  &(_t159[0]);
                                											_t129 = _t127 - 0x41;
                                											if(_t129 == 0) {
                                												 *0x100b48c =  *0x100b48c | 0x00000002;
                                												L70:
                                												 *0x100b888 = _t148;
                                												goto L71;
                                											}
                                											_t130 = _t129 - 3;
                                											if(_t130 == 0) {
                                												 *0x100bba8 =  *0x100bba8 | 0x00000040;
                                												goto L71;
                                											}
                                											_t131 = _t130 - 5;
                                											if(_t131 == 0) {
                                												 *0x100b48c =  *0x100b48c & 0xfffffffd;
                                												goto L70;
                                											}
                                											_t132 = _t131 - 5;
                                											if(_t132 == 0) {
                                												 *0x100b48c =  *0x100b48c & 0xfffffffe;
                                												goto L70;
                                											}
                                											_t134 = _t132;
                                											if(_t134 == 0) {
                                												 *0x100bba8 =  *0x100bba8 | 0x00000080;
                                												goto L71;
                                											}
                                											if(_t134 == 3) {
                                												 *0x100b48c =  *0x100b48c | 0x00000004;
                                												goto L70;
                                											}
                                											_v8 = _v8 & 0x00000000;
                                											L71:
                                										} while ( *_t159 != 0);
                                										goto L50;
                                									}
                                									 *0x100b48c = _t145;
                                									 *0x100b888 = _t148;
                                									goto L50;
                                								}
                                								if(_t123 == 0) {
                                									goto L96;
                                								}
                                								goto L49;
                                							} else {
                                								L103:
                                								return 0;
                                							}
                                						}
                                						if(_t153 != 0) {
                                							goto L40;
                                						}
                                						goto L34;
                                					}
                                					if( *0x100b88c != 0 &&  *0x100b99e == 0) {
                                						if(GetModuleFileNameA( *0x100b4a4, 0x100b99e, 0x104) == 0) {
                                							_v8 = _v8 & 0x00000000;
                                						} else {
                                							 *(E01005BE8(0x100b99e, 0x5c) + 1) =  *(_t71 + 1) & 0x00000000;
                                						}
                                					}
                                					return _v8;
                                				}
                                			}


                                APIs
                                • CharNextA.USER32(00000000,00000001,0100ABB4,00000000), ref: 010030FC
                                • GetModuleFileNameA.KERNEL32(0100B99E,00000104,00000001,0100ABB4,00000000), ref: 010031AB
                                • CharUpperA.USER32(?), ref: 010031F2
                                • CharUpperA.USER32(-0000004F), ref: 0100327E
                                • lstrcmpiA.KERNEL32(RegServer,?), ref: 010032FB
                                • CharUpperA.USER32(?), ref: 0100332C
                                • CharUpperA.USER32(-0000004E), ref: 01003390
                                • lstrlenA.KERNEL32(0000002F), ref: 010033F4
                                • CharUpperA.USER32(?,0000002F,00000000), ref: 0100341F
                                • lstrcpyA.KERNEL32(0100B89A,0000002F), ref: 01003445
                                • lstrlenA.KERNEL32(0000002F), ref: 010034A7
                                • lstrcpyA.KERNEL32(0100BAA2,0000002F,0000002F,00000000,0000002F,0000005D,0000002F,0000005B), ref: 01003510
                                • CloseHandle.KERNEL32(00000000), ref: 01003527
                                • ExitProcess.KERNEL32 ref: 0100352F
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Char$Upper$lstrcpylstrlen$CloseExitFileHandleModuleNameNextProcesslstrcmpi
                                • String ID: "$-$:$RegServer
                                • API String ID: 497476604-653509682
                                • Opcode ID: 371de19490df7cb82253388f7ccfcefcc3d42cf60ba8daf27433a3a64da543f6
                                • Instruction ID: dd2cde4f62ecb0696e2bc8a39cc73c6255fd3d926b1c092d9355c5c2792a8576
                                • Opcode Fuzzy Hash: 371de19490df7cb82253388f7ccfcefcc3d42cf60ba8daf27433a3a64da543f6
                                • Instruction Fuzzy Hash: 74C1E075908694AEFB738B2C88493FA7FE4BB12341F4840D6E6C19E1D5CBB88685CB51
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 97%
                                			E010038CC(struct HWND__* _a4, intOrPtr _a8, CHAR* _a12, CHAR* _a16, int _a20, signed int _a24) {
                                				char _v60;
                                				char _v572;
                                				void* __edi;
                                				int _t40;
                                				signed int _t46;
                                				int _t50;
                                				int _t54;
                                				int _t60;
                                				int _t61;
                                				signed int _t68;
                                				signed int _t72;
                                				void* _t79;
                                				CHAR* _t80;
                                
                                				_t72 = 0xd;
                                				_t79 = "LoadString() Error.  Could not load string resource.";
                                				memcpy( &_v60, _t79, _t72 << 2);
                                				_t76 = _t79 + _t72 + _t72;
                                				asm("movsb");
                                				if(( *0x100b898 & 0x00000001) != 0) {
                                					return 1;
                                				}
                                				E01002AA6(_a8,  &_v572, 0x200);
                                				if(_v572 != 0) {
                                					if(_a16 == 0) {
                                						if(_a12 == 0) {
                                							_t40 = LocalAlloc(0x40, lstrlenA( &_v572) + 1);
                                							_t80 = _t40;
                                							if(_t80 == 0) {
                                								L7:
                                								return _t40 | 0xffffffff;
                                							}
                                							lstrcpyA(_t80,  &_v572);
                                							L16:
                                							MessageBeep(_a20);
                                							if(E01005D22(_t76) == 0 || E01005CD4( *0x100b4a4, 0x10, 1) == 0) {
                                								_t46 = 0;
                                							} else {
                                								_t46 = 0x180000;
                                							}
                                							_t50 = MessageBoxA(_a4, _t80, 0x100abb4, _t46 | _a20 | _a24 | 0x00010000);
                                							LocalFree(_t80);
                                							return _t50;
                                						}
                                						_t54 = lstrlenA(_a12);
                                						_t76 = _t54;
                                						_t23 = lstrlenA( &_v572) + 0x64; // 0x64
                                						_t40 = LocalAlloc(0x40, _t54 + _t23);
                                						_t80 = _t40;
                                						if(_t80 == 0) {
                                							goto L7;
                                						}
                                						wsprintfA(_t80,  &_v572, _a12);
                                						goto L16;
                                					}
                                					_t60 = lstrlenA(_a12);
                                					_t61 = lstrlenA(_a16);
                                					_t76 = _t60 + _t61;
                                					_t15 = lstrlenA( &_v572) + 0x64; // 0x64
                                					_t40 = LocalAlloc(0x40, _t60 + _t61 + _t15);
                                					_t80 = _t40;
                                					if(_t80 == 0) {
                                						goto L7;
                                					}
                                					wsprintfA(_t80,  &_v572, _a12, _a16);
                                					goto L16;
                                				}
                                				if(E01005D22(_t76) == 0 || E01005CD4( *0x100b4a4, 0x10, 1) == 0) {
                                					_t68 = 0;
                                				} else {
                                					_t68 = 0x180000;
                                				}
                                				_t40 = MessageBoxA(_a4,  &_v60, 0x100abb4, _t68 | 0x00010010);
                                				goto L7;
                                			}


                                APIs
                                  • Part of subcall function 01002AA6: LoadStringA.USER32 ref: 01002AC1
                                • MessageBoxA.USER32 ref: 01003946
                                • lstrlenA.KERNEL32(0000007F,?,?,00000200,00000001,0100ABB4), ref: 01003963
                                • lstrlenA.KERNEL32(00000000), ref: 0100396A
                                • lstrlenA.KERNEL32(00000000), ref: 01003975
                                • LocalAlloc.KERNEL32(00000040,00000064), ref: 0100397E
                                • wsprintfA.USER32 ref: 01003998
                                • lstrlenA.KERNEL32(00000000,?,?,00000200,00000001,0100ABB4), ref: 010039B2
                                • lstrlenA.KERNEL32(00000000), ref: 010039BD
                                • LocalAlloc.KERNEL32(00000040,00000064), ref: 010039C6
                                • wsprintfA.USER32 ref: 010039E1
                                • lstrlenA.KERNEL32(00000000,?,?,00000200,00000001,0100ABB4), ref: 010039F3
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 010039FD
                                • lstrcpyA.KERNEL32(00000000,00000000), ref: 01003A15
                                • MessageBeep.USER32(?), ref: 01003A1E
                                • MessageBoxA.USER32 ref: 01003A5E
                                • LocalFree.KERNEL32(00000000), ref: 01003A67
                                  • Part of subcall function 01005D22: GetVersionExA.KERNEL32(?), ref: 01005D57
                                  • Part of subcall function 01005D22: GetSystemMetrics.USER32 ref: 01005D85
                                  • Part of subcall function 01005D22: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 01005DA4
                                  • Part of subcall function 01005D22: RegQueryValueExA.ADVAPI32(?,01001251,00000000,?,?,?,?), ref: 01005DC5
                                  • Part of subcall function 01005D22: RegCloseKey.ADVAPI32(?), ref: 01005DD0
                                Strings
                                • LoadString() Error. Could not load string resource., xrefs: 010038E1
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: lstrlen$Local$AllocMessage$wsprintf$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersionlstrcpy
                                • String ID: LoadString() Error. Could not load string resource.
                                • API String ID: 374963636-1556763079
                                • Opcode ID: 29eaf20adb8414ecd2b4ec2a36024fe3784d745325a63702e793e7b321412cb4
                                • Instruction ID: 9f594f166ace6732594a8fb8e6c25f38449a5eba683ea2e31a4322fc80030977
                                • Opcode Fuzzy Hash: 29eaf20adb8414ecd2b4ec2a36024fe3784d745325a63702e793e7b321412cb4
                                • Instruction Fuzzy Hash: A6416631500259AFFB63AB64DC49FEA3AA8FF04350F040551FDC1DA195DBB5CA94CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 19%
                                			E010046D4(char _a4, intOrPtr _a8, CHAR* _a12) {
                                				char* _v8;
                                				_Unknown_base(*)()* _v12;
                                				_Unknown_base(*)()* _v16;
                                				_Unknown_base(*)()* _v20;
                                				struct HINSTANCE__* _v24;
                                				CHAR* _v32;
                                				intOrPtr _v36;
                                				intOrPtr _v40;
                                				intOrPtr _v44;
                                				char _v48;
                                				char _v52;
                                				char _v56;
                                				_Unknown_base(*)()* _t30;
                                				_Unknown_base(*)()* _t32;
                                				_Unknown_base(*)()* _t33;
                                				intOrPtr _t37;
                                				char* _t47;
                                				struct HINSTANCE__* _t51;
                                				CHAR* _t52;
                                				char _t60;
                                				char _t64;
                                
                                				_t51 = LoadLibraryA("SHELL32.DLL");
                                				_v24 = _t51;
                                				if(_t51 == 0) {
                                					_push(0);
                                					_push(0x10);
                                					_push(0);
                                					_push(0);
                                					_push(0x4c2);
                                					L15:
                                					_push(_a4);
                                					E010038CC();
                                					return 0;
                                				}
                                				_t30 = GetProcAddress(_t51, "SHBrowseForFolder");
                                				_v12 = _t30;
                                				if(_t30 == 0) {
                                					L13:
                                					FreeLibrary(_t51);
                                					_push(0);
                                					_push(0x10);
                                					_push(0);
                                					_push(0);
                                					_push(0x4c1);
                                					goto L15;
                                				}
                                				_t32 = GetProcAddress(_t51, 0xc3);
                                				_v20 = _t32;
                                				if(_t32 == 0) {
                                					goto L13;
                                				}
                                				_t33 = GetProcAddress(_t51, "SHGetPathFromIDList");
                                				_v16 = _t33;
                                				if(_t33 == 0) {
                                					goto L13;
                                				}
                                				_t60 =  *0x100aa80; // 0x0
                                				if(_t60 == 0) {
                                					GetTempPathA(0x104, 0x100aa80);
                                					_t47 = CharPrevA(0x100aa80,  &(0x100aa80[lstrlenA(0x100aa80)]));
                                					_v8 = _t47;
                                					if( *_t47 == 0x5c &&  *(CharPrevA(0x100aa80, _t47)) != 0x3a) {
                                						 *_v8 = 0;
                                					}
                                				}
                                				_t52 = _a12;
                                				_v56 = _a4;
                                				_v44 = _a8;
                                				 *_t52 = 0;
                                				_v52 = 0;
                                				_v48 = 0;
                                				_v40 = 1;
                                				_v36 = E01002948;
                                				_v32 = 0x100aa80;
                                				_t37 = _v12( &_v56);
                                				_a4 = _t37;
                                				if(_t37 != 0) {
                                					_v16(_t37, 0x100aa80);
                                					_t64 =  *0x100aa80; // 0x0
                                					if(_t64 != 0) {
                                						lstrcpyA(_t52, 0x100aa80);
                                					}
                                					_v20(_a4);
                                				}
                                				FreeLibrary(_v24);
                                				return 0 |  *_t52 != 0x00000000;
                                			}

                                APIs
                                • LoadLibraryA.KERNEL32(SHELL32.DLL,0100A640,0100A338,?), ref: 010046E2
                                • GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 01004703
                                • GetProcAddress.KERNEL32(00000000,000000C3), ref: 01004716
                                • GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 01004729
                                • GetTempPathA.KERNEL32(00000104,0100AA80), ref: 01004749
                                • lstrlenA.KERNEL32(0100AA80), ref: 01004750
                                • CharPrevA.USER32(0100AA80,00000000), ref: 01004760
                                • CharPrevA.USER32(0100AA80,00000000), ref: 0100476C
                                • lstrcpyA.KERNEL32(?,0100AA80), ref: 010047BD
                                • FreeLibrary.KERNEL32(?), ref: 010047CC
                                • FreeLibrary.KERNEL32(00000000), ref: 010047DC
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: AddressLibraryProc$CharFreePrev$LoadPathTemplstrcpylstrlen
                                • String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
                                • API String ID: 2439948570-1731843650
                                • Opcode ID: 3324b512f0aa79aaecc928bbb591f72aff6d5178d9e94c9ee451a4be34d2a9a1
                                • Instruction ID: 193eb6bc1a1b02d365b45401d2cfe27bf2cb542b23eb453a0d77d81c3b9a3dce
                                • Opcode Fuzzy Hash: 3324b512f0aa79aaecc928bbb591f72aff6d5178d9e94c9ee451a4be34d2a9a1
                                • Instruction Fuzzy Hash: 3F315EB1A01258BFEB139F69CC88DAE7FB8BF0A340F554069F688E6180C7758945CB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E01004C18(void* __eflags, struct HINSTANCE__* _a4, CHAR* _a8) {
                                				void* _v8;
                                				char _v268;
                                				void* __edi;
                                				void* __esi;
                                				int _t22;
                                				void* _t25;
                                				void* _t28;
                                				signed int _t32;
                                				struct HRSRC__* _t33;
                                				signed int _t35;
                                				intOrPtr _t36;
                                				signed int _t37;
                                				void* _t38;
                                				void* _t44;
                                				long _t45;
                                				void* _t46;
                                
                                				 *0x100b4a4 = _a4;
                                				_t22 = memset(0x100aba0, 0, 0x23f << 2);
                                				_push(0x41);
                                				memset(0x100aa80, memset(0x100b880, _t22, 0xcb << 2), 0 << 2);
                                				_v8 = 0;
                                				 *0x100ae4c = 1;
                                				_t25 = E01002A34("TITLE", 0x100abb4, 0x7f);
                                				if(_t25 == 0 || _t25 > 0x80) {
                                					_push(0);
                                					_push(0x10);
                                					_push(0);
                                					_push(0);
                                					_push(0x4b1);
                                					goto L31;
                                				} else {
                                					_t28 = CreateEventA(0, 1, 1, 0);
                                					 *0x100aa50 = _t28;
                                					SetEvent(_t28);
                                					if(E01002A34("EXTRACTOPT", 0x100b494, 4) == 0) {
                                						L5:
                                						E010038CC(0, 0x4b1, 0, 0, 0x10, 0);
                                						 *0x100aa5c = 0x80070714;
                                						L32:
                                						return 0;
                                					}
                                					if(( *0x100b494 & 0x000000c0) == 0) {
                                						L12:
                                						 *0x100aa60 = 0;
                                						_t32 = E010030A7(_a8);
                                						__eflags = _t32;
                                						if(_t32 != 0) {
                                							__eflags =  *0x100b89a;
                                							if( *0x100b89a == 0) {
                                								_t33 = FindResourceA(_a4, "VERCHECK", 0xa);
                                								__eflags = _t33;
                                								if(_t33 != 0) {
                                									_v8 = LoadResource(_a4, _t33);
                                								}
                                								__eflags =  *0x100a2bc; // 0x1
                                								if(__eflags != 0) {
                                									__imp__#17();
                                								}
                                								__eflags =  *0x100b884;
                                								if( *0x100b884 != 0) {
                                									L29:
                                									return 1;
                                								} else {
                                									_push(_v8);
                                									_t35 = E010041CD(0);
                                									__eflags = _t35;
                                									if(_t35 == 0) {
                                										goto L32;
                                									}
                                									_t36 =  *0x100aa64; // 0x0
                                									__eflags = _t36 - 1;
                                									if(_t36 == 1) {
                                										L25:
                                										__eflags =  *0x100b495 & 0x00000001;
                                										if(( *0x100b495 & 0x00000001) == 0) {
                                											goto L29;
                                										}
                                										__eflags =  *0x100b898 & 0x00000001;
                                										if(( *0x100b898 & 0x00000001) != 0) {
                                											goto L29;
                                										}
                                										_t37 = E0100168B(1, 0x100abb4);
                                										__eflags = _t37;
                                										if(_t37 != 0) {
                                											goto L29;
                                										}
                                										_t38 = E01004161( *0x100b4a4, 0x7d6, 0, E010017B1, 0x547, 0x83e);
                                										__eflags = _t38 - 0x83d;
                                										if(_t38 != 0x83d) {
                                											goto L32;
                                										}
                                										goto L29;
                                									}
                                									__eflags = _t36 - 2;
                                									if(_t36 == 2) {
                                										goto L25;
                                									}
                                									__eflags = _t36 - 3;
                                									if(_t36 != 3) {
                                										goto L29;
                                									}
                                									goto L25;
                                								}
                                							}
                                							E01001C7F(0x100b89a);
                                							goto L32;
                                						}
                                						_push(0);
                                						_push(0x10);
                                						_push(0);
                                						_push(0);
                                						_push(0x520);
                                						L31:
                                						_push(0);
                                						E010038CC();
                                						goto L32;
                                					}
                                					if(E01002A34("INSTANCECHECK",  &_v268, 0x104) != 0) {
                                						_t44 = CreateMutexA(0, 1,  &_v268);
                                						__eflags = _t44;
                                						 *0x100aa54 = _t44;
                                						if(_t44 == 0) {
                                							goto L12;
                                						}
                                						_t45 = GetLastError();
                                						__eflags = _t45 - 0xb7;
                                						if(_t45 != 0xb7) {
                                							goto L12;
                                						}
                                						__eflags =  *0x100b494 & 0x00000080;
                                						if(( *0x100b494 & 0x00000080) == 0) {
                                							_t46 = E010038CC(0, 0x524, 0x100abb4, 0, 0x20, 4);
                                							__eflags = _t46 - 6;
                                							if(_t46 == 6) {
                                								goto L12;
                                							}
                                							L11:
                                							CloseHandle( *0x100aa54);
                                							 *0x100aa5c = 0x800700b7;
                                							goto L32;
                                						}
                                						E010038CC(0, 0x54b, 0x100abb4, 0, 0x10, 0);
                                						goto L11;
                                					}
                                					goto L5;
                                				}
                                			}

                                APIs
                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A4C
                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A6C
                                  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A73
                                • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,TITLE,0100ABB4,0000007F,?,00000000), ref: 01004C87
                                • SetEvent.KERNEL32(00000000,?,00000000), ref: 01004C93
                                  • Part of subcall function 01002A34: FreeResource.KERNEL32(00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A97
                                • CreateMutexA.KERNEL32(00000000,00000001,?,INSTANCECHECK,?,00000104,EXTRACTOPT,0100B494,00000004,?,00000000), ref: 01004CFD
                                • GetLastError.KERNEL32(?,00000000), ref: 01004D0C
                                • FindResourceA.KERNEL32(00000000,VERCHECK,0000000A), ref: 01004DA7
                                • LoadResource.KERNEL32(00000000,00000000,?,00000000), ref: 01004DB5
                                • #17.COMCTL32(?,00000000), ref: 01004DC6
                                • CloseHandle.KERNEL32(00000000,00000524,0100ABB4,00000000,00000020,00000004,?,00000000), ref: 01004D50
                                  • Part of subcall function 010038CC: MessageBoxA.USER32 ref: 01003946
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Resource$Find$CreateEventLoad$CloseErrorFreeHandleLastLockMessageMutexSizeof
                                • String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK
                                • API String ID: 612345255-2113404272
                                • Opcode ID: 6e61b948a8d2d4fbc5d951fd4a04286bee1605d2895dff06b8bbb81afb43d88a
                                • Instruction ID: 917ad5cb818e3c264ff7b4ff8797261597b45a6a0e97e5d7e7b17e1e85fa401a
                                • Opcode Fuzzy Hash: 6e61b948a8d2d4fbc5d951fd4a04286bee1605d2895dff06b8bbb81afb43d88a
                                • Instruction Fuzzy Hash: 7C5127B0644385BAF7336B289D89FAA3B9DEB55744F000465F7C5DA1C5CBB98E808728
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E01005075(void* __ebx, void* __ecx, void* __edx, struct HWND__* _a4, intOrPtr _a8, int _a12) {
                                				void* _t11;
                                				void* _t14;
                                				void* _t15;
                                				void* _t19;
                                				void* _t28;
                                				void* _t30;
                                				void* _t44;
                                				struct HWND__* _t46;
                                				intOrPtr _t50;
                                				int _t52;
                                
                                				_t44 = __edx;
                                				_t11 = _a8 - 0x10;
                                				if(_t11 == 0) {
                                					_t50 = 1;
                                					__eflags = 1;
                                					L20:
                                					 *0x100ac38 = _t50;
                                					L21:
                                					EndDialog(_a4, 0);
                                					L22:
                                					return _t50;
                                				}
                                				_t14 = _t11 - 0xf2;
                                				if(_t14 == 0) {
                                					_t50 = 1;
                                					__eflags = _a12 - 0x1b;
                                					if(_a12 != 0x1b) {
                                						goto L22;
                                					}
                                					goto L20;
                                				}
                                				_t15 = _t14 - 0xe;
                                				if(_t15 == 0) {
                                					_t46 = _a4;
                                					 *0x100aa4c = _t46;
                                					E01002969(_t44, _t46, GetDesktopWindow());
                                					_t52 = 0;
                                					__eflags =  *0x100a2bc - _t52; // 0x1
                                					if(__eflags != 0) {
                                						SendMessageA(GetDlgItem(_t46, 0x83b), 0x464, 0, 0xbb9);
                                						SendMessageA(GetDlgItem(_a4, 0x83b), 0x465, 0xffffffff, 0xffff0000);
                                						_t46 = _a4;
                                						_t52 = 0;
                                						__eflags = 0;
                                					}
                                					SetWindowTextA(_t46, 0x100abb4);
                                					_t19 = CreateThread(_t52, _t52, E010049DB, _t52, _t52, 0x100aa48);
                                					__eflags = _t19 - _t52;
                                					 *0x100a43c = _t19;
                                					if(_t19 == _t52) {
                                						E010038CC(_t46, 0x4b8, _t52, _t52, 0x10, _t52);
                                						EndDialog(_t46, _t52);
                                					}
                                					return 1;
                                				}
                                				_t28 = _t15 - 1;
                                				if(_t28 == 0) {
                                					_t50 = 1;
                                					__eflags = _a12 - 2;
                                					if(_a12 != 2) {
                                						goto L22;
                                					}
                                					ResetEvent( *0x100aa50);
                                					_t30 = E010038CC( *0x100aa4c, 0x4b2, 0x1001251, 0, 0x20, 4);
                                					__eflags = _t30 - 6;
                                					if(_t30 == 6) {
                                						L11:
                                						 *0x100ac38 = _t50;
                                						SetEvent( *0x100aa50);
                                						E0100288F( *0x100a43c);
                                						goto L21;
                                					}
                                					__eflags = _t30 - 1;
                                					if(_t30 == 1) {
                                						goto L11;
                                					}
                                					SetEvent( *0x100aa50);
                                					goto L22;
                                				}
                                				if(_t28 == 0xe90) {
                                					TerminateThread( *0x100a43c, 0);
                                					EndDialog(_a4, _a12);
                                					return 1;
                                				}
                                				return 0;
                                			}

                                APIs
                                • TerminateThread.KERNEL32(00000000), ref: 010050B2
                                • EndDialog.USER32(?,?), ref: 010050BE
                                • ResetEvent.KERNEL32 ref: 010050DF
                                • SetEvent.KERNEL32(000004B2,01001251,00000000,00000020,00000004), ref: 0100510F
                                • GetDesktopWindow.USER32 ref: 01005146
                                • GetDlgItem.USER32 ref: 01005176
                                • SendMessageA.USER32(00000000,?,?,00000000), ref: 0100517F
                                • GetDlgItem.USER32 ref: 01005191
                                • SendMessageA.USER32(00000000,?,?,00000000), ref: 01005194
                                • SetWindowTextA.USER32(?,0100ABB4), ref: 010051A2
                                • CreateThread.KERNEL32(00000000,00000000,Function_000049DB,00000000,00000000,0100AA48), ref: 010051B6
                                • EndDialog.USER32(?,00000000), ref: 010051D7
                                • EndDialog.USER32(?,00000000), ref: 010051FC
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Dialog$EventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
                                • String ID:
                                • API String ID: 2636921890-0
                                • Opcode ID: 2e5909da755b8dd92093ec91b293cd0599467003ecf1b2f192f568b12a924e3b
                                • Instruction ID: 23f09e72cf5f3eaed0e006cdafc8c359d8237540093a3079cf3abfc6ea3c4f62
                                • Opcode Fuzzy Hash: 2e5909da755b8dd92093ec91b293cd0599467003ecf1b2f192f568b12a924e3b
                                • Instruction Fuzzy Hash: 0A415F31641225FBFB331B689C49EAA3EA8EB46B50F004011F6C5A64D9C77A9951CFD4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 78%
                                			E01002081(CHAR* _a4, int _a8, void* _a12) {
                                				signed int _v8;
                                				int _v12;
                                				char _v272;
                                				signed char* _t29;
                                				CHAR* _t56;
                                				CHAR* _t59;
                                				CHAR* _t61;
                                
                                				_t29 = _a4;
                                				_v8 = _v8 & 0x00000000;
                                				 *_t29 =  *_t29 & 0x00000000;
                                				_t59 = _a12;
                                				if( *_t59 != 0x23) {
                                					_push(_a8);
                                					_push(_t29);
                                					goto L14;
                                				} else {
                                					_t61 = _t59 + 1;
                                					_t56 = CharUpperA( *_t61);
                                					_t59 = CharNextA(CharNextA(_t61));
                                					if(_t56 == 0x53) {
                                						_push(_a8);
                                						_push(_a4);
                                						L14:
                                						GetSystemDirectoryA();
                                						goto L15;
                                					} else {
                                						if(_t56 == 0x57) {
                                							GetWindowsDirectoryA(_a4, _a8);
                                							goto L16;
                                						} else {
                                							_v12 = 0x104;
                                							lstrcpyA( &_v272, "Software\\Microsoft\\Windows\\CurrentVersion\\App Paths");
                                							E01005B32( &_v272, _t59);
                                							if(RegOpenKeyExA(0x80000002,  &_v272, 0, 0x20019,  &_a12) != 0) {
                                								L16:
                                								E01005B32(_a4, _t59);
                                							} else {
                                								if(RegQueryValueExA(_a12, 0x1001251, 0,  &_a8, _a4,  &_v12) == 0) {
                                									if(_a8 != 2 || ExpandEnvironmentStringsA(_a4,  &_v272, 0x104) == 0) {
                                										if(_a8 == 1) {
                                											goto L9;
                                										}
                                									} else {
                                										lstrcpyA(_a4,  &_v272);
                                										L9:
                                										_v8 = 1;
                                									}
                                								}
                                								RegCloseKey(_a12);
                                								L15:
                                								if(_v8 == 0) {
                                									goto L16;
                                								}
                                							}
                                						}
                                					}
                                				}
                                				return 1;
                                			}

                                APIs
                                • CharUpperA.USER32(?,00000001,?,00000000), ref: 010020A8
                                • CharNextA.USER32(?), ref: 010020B7
                                • CharNextA.USER32(00000000), ref: 010020BA
                                • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,00000000), ref: 01002110
                                • RegQueryValueExA.ADVAPI32(?,01001251,00000000,?,?,?), ref: 01002133
                                • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 0100214E
                                • lstrcpyA.KERNEL32(?,?), ref: 01002162
                                • RegCloseKey.ADVAPI32(?), ref: 01002176
                                • lstrcpyA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010020EA
                                  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                • GetWindowsDirectoryA.KERNEL32(?,?), ref: 01002184
                                • GetSystemDirectoryA.KERNEL32(?,?), ref: 01002198
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 010020D6
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Char$lstrcpy$DirectoryNext$CloseEnvironmentExpandOpenPrevQueryStringsSystemUpperValueWindowslstrlen
                                • String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
                                • API String ID: 347548745-2428544900
                                • Opcode ID: a6771fd5372bea0d88a9c6ef6506abc8c0f7b881c05286ce2042d5bdc15aa5be
                                • Instruction ID: d6a3e7514927295ec277a6c60e19e56b03ab3a9e12423da05e88d21a123d547c
                                • Opcode Fuzzy Hash: a6771fd5372bea0d88a9c6ef6506abc8c0f7b881c05286ce2042d5bdc15aa5be
                                • Instruction Fuzzy Hash: E0314A79900248BFEF228F64CC48FEE7BBDAF15350F008095FA84A6090D7B5DA958F90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 64%
                                			E01004E56(void* __ecx, void* __edx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
                                				void* _t11;
                                				void* _t15;
                                				struct HWND__* _t16;
                                				int _t25;
                                				int _t26;
                                				int _t28;
                                				long _t29;
                                				int _t31;
                                				int _t32;
                                				void* _t34;
                                				int _t35;
                                				int _t36;
                                				int _t39;
                                				int _t40;
                                				int _t41;
                                				int _t46;
                                				struct HWND__* _t47;
                                				struct HWND__* _t49;
                                				void* _t50;
                                				void* _t51;
                                				int _t54;
                                				struct HWND__* _t58;
                                
                                				_t51 = __edx;
                                				_t50 = __ecx;
                                				_t11 = _a8 - 0x10;
                                				if(_t11 == 0) {
                                					_push(0);
                                					L32:
                                					_push(_a4);
                                					L33:
                                					EndDialog();
                                					L34:
                                					__eflags = 1;
                                					return 1;
                                				}
                                				_t15 = _t11 - 0x100;
                                				if(_t15 == 0) {
                                					_t16 = GetDesktopWindow();
                                					_t58 = _a4;
                                					E01002969(_t51, _t58, _t16);
                                					SetWindowTextA(_t58, 0x100abb4);
                                					SendDlgItemMessageA(_t58, 0x835, 0xc5, 0x103, 0);
                                					_t46 = 1;
                                					__eflags =  *0x100aa64 - _t46; // 0x0
                                					if(__eflags == 0) {
                                						EnableWindow(GetDlgItem(_t58, 0x836), 0);
                                					}
                                					L26:
                                					return _t46;
                                				}
                                				if(_t15 != 1) {
                                					return 0;
                                				}
                                				_t25 = _a12 - 1;
                                				__eflags = _t25;
                                				if(_t25 == 0) {
                                					_t47 = _a4;
                                					_t26 = GetDlgItemTextA(_t47, 0x835, 0x100ac44, 0x104);
                                					__eflags = _t26;
                                					if(_t26 == 0) {
                                						L27:
                                						__eflags = 0;
                                						_push(0);
                                						_push(0x10);
                                						_push(0);
                                						_push(0);
                                						_push(0x4bf);
                                						L28:
                                						_push(_t47);
                                						E010038CC();
                                						goto L34;
                                					}
                                					_t28 = E0100285F(0x100ac44);
                                					__eflags = _t28;
                                					if(_t28 == 0) {
                                						goto L27;
                                					}
                                					_t29 = GetFileAttributesA(0x100ac44);
                                					_t54 = 0;
                                					__eflags = _t29 - 0xffffffff;
                                					if(_t29 != 0xffffffff) {
                                						L19:
                                						E01005B32(0x100ac44, 0x1001251);
                                						_t31 = E01003E60(_t50, 0x100ac44);
                                						__eflags = _t31;
                                						if(_t31 != 0) {
                                							_t46 = 1;
                                							__eflags =  *0x100ac44 - 0x5c;
                                							if( *0x100ac44 != 0x5c) {
                                								L23:
                                								_t54 = _t46;
                                								L24:
                                								_t32 = L01003F0D(_t50, 0x100ac44, _t54, _t46);
                                								__eflags = _t32;
                                								if(_t32 != 0) {
                                									EndDialog(_a4, _t46);
                                								}
                                								goto L26;
                                							}
                                							__eflags =  *0x100ac45 - 0x5c;
                                							if( *0x100ac45 == 0x5c) {
                                								goto L24;
                                							}
                                							goto L23;
                                						}
                                						_push(_t54);
                                						_push(0x10);
                                						_push(_t54);
                                						_push(_t54);
                                						_push(0x4be);
                                						goto L28;
                                					}
                                					_t34 = E010038CC(_t47, 0x54a, 0x100ac44, 0, 0x20, 4);
                                					__eflags = _t34 - 6;
                                					if(_t34 != 6) {
                                						goto L34;
                                					}
                                					_t35 = CreateDirectoryA(0x100ac44, 0);
                                					__eflags = _t35;
                                					if(_t35 != 0) {
                                						goto L19;
                                					}
                                					_push(0);
                                					_push(0x10);
                                					_push(0);
                                					_push(0x100ac44);
                                					_push(0x4cb);
                                					goto L28;
                                				}
                                				_t36 = _t25 - 1;
                                				__eflags = _t36;
                                				if(_t36 == 0) {
                                					EndDialog(_a4, 0);
                                					 *0x100aa5c = 0x800704c7;
                                					goto L34;
                                				}
                                				__eflags = _t36 != 0x834;
                                				if(_t36 != 0x834) {
                                					goto L34;
                                				}
                                				_t39 = LoadStringA( *0x100b4a4, 0x3e8, 0x100a640, 0x200);
                                				__eflags = _t39;
                                				if(_t39 != 0) {
                                					_t49 = _a4;
                                					_t40 = E010046D4(_t49, 0x100a640, 0x100a338);
                                					__eflags = _t40;
                                					if(_t40 == 0) {
                                						goto L34;
                                					}
                                					_t41 = SetDlgItemTextA(_t49, 0x835, 0x100a338);
                                					__eflags = _t41;
                                					if(_t41 != 0) {
                                						goto L34;
                                					}
                                					E010038CC(_t49, 0x4c0, 0, 0, 0x10, 0);
                                					_push(0);
                                					_push(_t49);
                                					goto L33;
                                				}
                                				E010038CC(_a4, 0x4b1, 0, 0, 0x10, 0);
                                				_push(0);
                                				goto L32;
                                			}

                                APIs
                                • LoadStringA.USER32 ref: 01004EAF
                                • GetDesktopWindow.USER32 ref: 01005009
                                • SetWindowTextA.USER32(?,0100ABB4), ref: 0100501F
                                • SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 01005038
                                • GetDlgItem.USER32 ref: 01005051
                                • EnableWindow.USER32(00000000), ref: 01005058
                                • EndDialog.USER32(?,00000000), ref: 01005065
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
                                • String ID:
                                • API String ID: 2418873061-0
                                • Opcode ID: f1730fde4d3bffa84a36410eb086b31dc671c2f2b28c450211cc3434ac266f9e
                                • Instruction ID: 5d03767cd6d44e1ff7b95dfa45677d46a9542d139ef34e3ffbaad0eb8858980f
                                • Opcode Fuzzy Hash: f1730fde4d3bffa84a36410eb086b31dc671c2f2b28c450211cc3434ac266f9e
                                • Instruction Fuzzy Hash: EF519070241745BAF6735B668C4CFAF2EACEB86B45F004018B7C5EA0C5DAB9C611C7B8
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 68%
                                			E01003566(intOrPtr _a4) {
                                				struct HINSTANCE__* _v8;
                                				signed int _v12;
                                				intOrPtr _v16;
                                				intOrPtr _v20;
                                				char _v40;
                                				struct HRSRC__* _t26;
                                				void* _t34;
                                				struct HINSTANCE__* _t41;
                                				CHAR* _t42;
                                				intOrPtr* _t44;
                                				void* _t46;
                                				void* _t47;
                                
                                				_t41 = 0;
                                				_v12 = 1;
                                				_v8 = 0;
                                				wsprintfA( &_v40, "UPDFILE%lu", 0);
                                				_t47 = _t46 + 0xc;
                                				_t26 = FindResourceA(0,  &_v40, 0xa);
                                				if(_t26 != 0) {
                                					while(1) {
                                						_t44 = LockResource(LoadResource(_t41, _t26));
                                						if(_t44 == _t41) {
                                							break;
                                						}
                                						_v20 =  *_t44;
                                						_t7 = _t44 + 8; // 0x8
                                						_t42 = _t7;
                                						_v16 =  *((intOrPtr*)(_t44 + 4));
                                						_t34 = _a4(_v20, _v16, _t42,  &(( &(_t42[1]))[lstrlenA(_t42)]));
                                						_push(_t44);
                                						if(_t34 == 0) {
                                							_v12 = _v12 & 0x00000000;
                                							FreeResource(??);
                                						} else {
                                							FreeResource();
                                							_v8 = _v8 + 1;
                                							wsprintfA( &_v40, "UPDFILE%lu", _v8);
                                							_t47 = _t47 + 0xc;
                                							_t26 = FindResourceA(0,  &_v40, 0xa);
                                							if(_t26 != 0) {
                                								_t41 = 0;
                                								continue;
                                							} else {
                                							}
                                						}
                                						L9:
                                						goto L10;
                                					}
                                					 *0x100aa5c = 0x80070714;
                                					_v12 = _t41;
                                					goto L9;
                                				}
                                				L10:
                                				return _v12;
                                			}
















                                APIs
                                • wsprintfA.USER32 ref: 0100358A
                                • FindResourceA.KERNEL32(00000000,?,0000000A), ref: 01003596
                                • LoadResource.KERNEL32(00000000,00000000,00000000,?,?,?,?,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 010035AB
                                • LockResource.KERNEL32(00000000,?,?,?,?,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 010035B2
                                • lstrlenA.KERNEL32(00000008,?,?,?,?,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 010035CD
                                • FreeResource.KERNEL32(00000000,?,?,?,?,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 010035E7
                                • wsprintfA.USER32 ref: 010035FC
                                • FindResourceA.KERNEL32(00000000,?,0000000A), ref: 01003609
                                • FreeResource.KERNEL32(00000000,?,?,?,?,01005A22,00000000,01005ACB,?,?,01005ACB), ref: 01003628
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Resource$FindFreewsprintf$LoadLocklstrlen
                                • String ID: UPDFILE%lu
                                • API String ID: 3821519360-2329316264
                                • Opcode ID: cefe3b29808c0de11ca19ee608c6f983850b7a9791d33d4cc506cee2b882d878
                                • Instruction ID: 67bd43b507032c87e08e44f5702343a162528d16cb23afe419e5d1f44a4bfc8c
                                • Opcode Fuzzy Hash: cefe3b29808c0de11ca19ee608c6f983850b7a9791d33d4cc506cee2b882d878
                                • Instruction Fuzzy Hash: C8215171A00209AFDB12DFD5DC88AEEBBF8FB48701F108055F585E6144D776D6008B61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E01002F7A(CHAR* _a8, CHAR* _a12) {
                                				char _v252;
                                				char _v260;
                                				struct _SECURITY_ATTRIBUTES* _t21;
                                				CHAR* _t22;
                                				struct _SECURITY_ATTRIBUTES* _t23;
                                				char* _t25;
                                
                                				_t25 =  &_v260;
                                				_t22 = _a8;
                                				_t21 = 0;
                                				_t23 = 0;
                                				while(1) {
                                					wsprintfA( &_v260, "IXP%03d.TMP", _t21);
                                					_t25 =  &(_t25[0xc]);
                                					_t21 =  &(_t21->nLength);
                                					lstrcpyA(_t22, _a12);
                                					E01005B32(_t22,  &_v252);
                                					RemoveDirectoryA(_t22);
                                					if(GetFileAttributesA(_t22) == 0xffffffff) {
                                						break;
                                					}
                                					if(_t21 < 0x190) {
                                						continue;
                                					}
                                					L3:
                                					if(GetTempFileNameA(_a12, "IXP", 0, _t22) != 0) {
                                						_t23 = 1;
                                						DeleteFileA(_t22);
                                						CreateDirectoryA(_t22, 0);
                                					}
                                					L5:
                                					return _t23;
                                				}
                                				_t23 = 0;
                                				if(CreateDirectoryA(_t22, 0) == 0) {
                                					goto L3;
                                				}
                                				 *0x100b880 = 1;
                                				_t23 = 1;
                                				goto L5;
                                			}










                                APIs
                                • wsprintfA.USER32 ref: 01002F9A
                                • lstrcpyA.KERNEL32(?,?), ref: 01002FAC
                                  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                • RemoveDirectoryA.KERNEL32(?,?,?), ref: 01002FBE
                                • GetFileAttributesA.KERNEL32(?), ref: 01002FC5
                                • GetTempFileNameA.KERNEL32(?,IXP,00000000,?), ref: 01002FED
                                • DeleteFileA.KERNEL32(?), ref: 01002FFB
                                • CreateDirectoryA.KERNEL32(?,00000000), ref: 01003004
                                • CreateDirectoryA.KERNEL32(?,00000000), ref: 01003019
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: DirectoryFile$Createlstrcpy$AttributesCharDeleteNamePrevRemoveTemplstrlenwsprintf
                                • String ID: IXP$IXP%03d.TMP
                                • API String ID: 3224660439-3932986939
                                • Opcode ID: cc23fafd31c200b07fe8fdd91d20a1ba6cd3f4739df2429ec796210adebc7534
                                • Instruction ID: e7c67a7043ec5c6bac1d4f2c1b8a734ea561e127a1ee01801807ea9209cd36ee
                                • Opcode Fuzzy Hash: cc23fafd31c200b07fe8fdd91d20a1ba6cd3f4739df2429ec796210adebc7534
                                • Instruction Fuzzy Hash: A311E1312092496FE373AB65EC48FEB3BACEF46351F000129F6C5D1084DEBA950587A6
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0100168B(void* __edi, void* __esi) {
                                				char _v8;
                                				long _v12;
                                				void* _v16;
                                				void* _v20;
                                				char _v23;
                                				char _v24;
                                				char _v25;
                                				char _v26;
                                				char _v27;
                                				struct _SID_IDENTIFIER_AUTHORITY _v28;
                                				int _t25;
                                				long _t46;
                                				void** _t50;
                                				void* _t52;
                                
                                				_t25 =  *0x100a1f4; // 0x2
                                				_t46 = 0;
                                				_v28.Value = 0;
                                				_v27 = 0;
                                				_v26 = 0;
                                				_v25 = 0;
                                				_v24 = 0;
                                				_v23 = 5;
                                				_v8 = 0;
                                				if(_t25 != 2) {
                                					L21:
                                					return _t25;
                                				}
                                				if(E010015F6( &_v8) != 0) {
                                					if(_v8 != 0) {
                                						 *0x100a1f4 = 1;
                                					}
                                					L20:
                                					return _v8;
                                				}
                                				_t25 = OpenProcessToken(GetCurrentProcess(), 8,  &_v16);
                                				if(_t25 == 0) {
                                					goto L21;
                                				}
                                				if(GetTokenInformation(_v16, 2, 0, 0,  &_v12) != 0 || GetLastError() != 0x7a) {
                                					L17:
                                					CloseHandle(_v16);
                                					goto L20;
                                				} else {
                                					_t52 = LocalAlloc(0, _v12);
                                					if(_t52 == 0) {
                                						L16:
                                						goto L17;
                                					}
                                					if(GetTokenInformation(_v16, 2, _t52, _v12,  &_v12) == 0 || AllocateAndInitializeSid( &_v28, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v20) == 0) {
                                						L15:
                                						LocalFree(_t52);
                                						goto L16;
                                					} else {
                                						if( *_t52 <= 0) {
                                							L14:
                                							FreeSid(_v20);
                                							goto L15;
                                						}
                                						_t18 = _t52 + 4; // 0x4
                                						_t50 = _t18;
                                						while(EqualSid( *_t50, _v20) == 0) {
                                							_t46 = _t46 + 1;
                                							_t50 =  &(_t50[2]);
                                							if(_t46 <  *_t52) {
                                								continue;
                                							}
                                							goto L14;
                                						}
                                						 *0x100a1f4 = 1;
                                						_v8 = 1;
                                						goto L14;
                                					}
                                				}
                                			}


















                                APIs
                                  • Part of subcall function 010015F6: LoadLibraryA.KERNEL32(advapi32.dll,00000000,?,?,010016C1,?,00000000,?,01004E0E,?,?,00000000), ref: 0100161A
                                  • Part of subcall function 010015F6: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0100162E
                                  • Part of subcall function 010015F6: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0100ABB4,?,?,010016C1), ref: 0100165E
                                  • Part of subcall function 010015F6: FreeSid.ADVAPI32(00000000,?,?,010016C1), ref: 01001672
                                  • Part of subcall function 010015F6: FreeLibrary.KERNEL32(010016C1,?,?,010016C1,?,00000000,?,01004E0E,?,?,00000000), ref: 0100167C
                                • GetCurrentProcess.KERNEL32(00000008,?,?,00000000,?,01004E0E,?,?,00000000), ref: 010016CF
                                • OpenProcessToken.ADVAPI32(00000000,?,01004E0E,?,?,00000000), ref: 010016D6
                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,00000000,00000001,?,01004E0E,?,?,00000000), ref: 010016F6
                                • GetLastError.KERNEL32(?,01004E0E,?,?,00000000), ref: 01001700
                                • LocalAlloc.KERNEL32(00000000,00000000,0100ABB4,?,01004E0E,?,?,00000000), ref: 01001714
                                • GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,00000000,?,01004E0E,?,?,00000000), ref: 0100172D
                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,01004E0E,?,?,00000000), ref: 0100174A
                                • EqualSid.ADVAPI32(00000004,?,?,01004E0E,?,?,00000000), ref: 01001760
                                • FreeSid.ADVAPI32(?,?,01004E0E,?,?,00000000), ref: 01001782
                                • LocalFree.KERNEL32(00000000,?,01004E0E,?,?,00000000), ref: 01001789
                                • CloseHandle.KERNEL32(?,?,01004E0E,?,?,00000000), ref: 01001793
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
                                • String ID:
                                • API String ID: 2168512254-0
                                • Opcode ID: bb5fe4861fc728833115231643eac192e69f4f778fcc582930cb2832bc57f699
                                • Instruction ID: fa5215c0b5e6886bf03ae5b40989aa8fe66889e67d1830d7472693dfac7b44e0
                                • Opcode Fuzzy Hash: bb5fe4861fc728833115231643eac192e69f4f778fcc582930cb2832bc57f699
                                • Instruction Fuzzy Hash: A7315E71A00249EFEB23DBA49988EEE7BB9FF04340F5004A5F6C5E2085D775D644CB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E010021FB(CHAR* _a4, CHAR* _a8) {
                                				char _v260;
                                				char _v263;
                                				char _v267;
                                				void* _t13;
                                				char _t17;
                                				int _t18;
                                				char* _t37;
                                				CHAR* _t42;
                                				CHAR* _t43;
                                				char* _t47;
                                
                                				_t47 =  &_v260;
                                				_t43 = _a4;
                                				_t42 = _a8;
                                				 *_t42 =  *_t42 & 0x00000000;
                                				if(_t43 == 0 ||  *_t43 == 0) {
                                					return _t13;
                                				} else {
                                					GetModuleFileNameA( *0x100b4a4,  &_v260, 0x104);
                                					_t17 =  *_t43;
                                					if(_t17 == 0) {
                                						L17:
                                						 *_t42 =  *_t42 & 0x00000000;
                                						return _t17;
                                					}
                                					do {
                                						_t18 = IsDBCSLeadByte(_t17);
                                						 *_t42 =  *_t43;
                                						if(_t18 != 0) {
                                							_t42[1] = _t43[1];
                                						}
                                						if( *_t43 != 0x23) {
                                							L14:
                                							_t42 = CharNextA(_t42);
                                						} else {
                                							_t43 = CharNextA(_t43);
                                							if(CharUpperA( *_t43) != 0x44) {
                                								if(CharUpperA( *_t43) != 0x45) {
                                									if( *_t43 != 0x23) {
                                										goto L15;
                                									}
                                									goto L14;
                                								}
                                								L12:
                                								lstrcpyA(_t42,  &_v263);
                                								_t42 =  &(_t42[lstrlenA( &_v263)]);
                                								goto L15;
                                							}
                                							E01005B71( &_v263);
                                							_t37 = CharPrevA( &_v267,  &(_t47[lstrlenA( &_v267) + 0x10]));
                                							if(_t37 != 0 &&  *_t37 == 0x5c) {
                                								 *_t37 =  *_t37 & 0x00000000;
                                							}
                                							goto L12;
                                						}
                                						L15:
                                						_t43 = CharNextA(_t43);
                                						_t17 =  *_t43;
                                					} while (_t17 != 0);
                                					goto L17;
                                				}
                                			}














                                APIs
                                • GetModuleFileNameA.KERNEL32(00000104,00000104), ref: 01002235
                                • IsDBCSLeadByte.KERNEL32(00000000), ref: 01002256
                                • CharNextA.USER32(?), ref: 01002270
                                • CharUpperA.USER32(00000000), ref: 01002278
                                • lstrlenA.KERNEL32(?,?), ref: 01002291
                                • CharPrevA.USER32(?,?), ref: 0100229D
                                • CharUpperA.USER32(00000000), ref: 010022B5
                                • lstrcpyA.KERNEL32(?,?), ref: 010022C5
                                • lstrlenA.KERNEL32(?), ref: 010022D0
                                • CharNextA.USER32(?), ref: 010022DC
                                • CharNextA.USER32(?), ref: 010022E1
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Char$Next$Upperlstrlen$ByteFileLeadModuleNamePrevlstrcpy
                                • String ID:
                                • API String ID: 2740425872-0
                                • Opcode ID: 6f55dd0f941396175fb476c6ce2b428a4e45a6200b6cc63fadfff151ab2f4b34
                                • Instruction ID: c065ed5666d739eb8cb46574119231d274ae865d8c51cf87fce0dafe64722b0d
                                • Opcode Fuzzy Hash: 6f55dd0f941396175fb476c6ce2b428a4e45a6200b6cc63fadfff151ab2f4b34
                                • Instruction Fuzzy Hash: B631B1714083816FE773DFB88848BAABBEC6F4A700F58489AE5D0D3182D779D445CB66
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 74%
                                			E01004B1A(void* __ecx, CHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
                                				struct _SYSTEM_INFO _v40;
                                				char _v300;
                                				signed int _t27;
                                				void* _t29;
                                				void* _t30;
                                				void* _t33;
                                				CHAR* _t34;
                                
                                				_t33 = __ecx;
                                				if(_a8 == 0) {
                                					_t34 = 0x100ac44;
                                					lstrcpyA(0x100ac44, _a4);
                                					L14:
                                					if(E01003E60(_t33, _t34) != 0) {
                                						L17:
                                						if(L01003F0D(_t33, _t34, _a12, 0) == 0) {
                                							if( *0x100b880 != 0) {
                                								 *0x100b880 = 0;
                                								RemoveDirectoryA(_t34);
                                							}
                                							L22:
                                							return 0;
                                						}
                                						 *0x100aa5c = 0;
                                						return 1;
                                					}
                                					if(CreateDirectoryA(_t34, 0) == 0) {
                                						 *0x100aa5c = E01003547();
                                						goto L22;
                                					}
                                					 *0x100b880 = 1;
                                					goto L17;
                                				}
                                				if(E01002F7A(_a4,  &_v300) == 0) {
                                					goto L22;
                                				}
                                				_t34 = 0x100ac44;
                                				lstrcpyA(0x100ac44,  &_v300);
                                				if(( *0x100b494 & 0x00000020) == 0) {
                                					L12:
                                					E01005B32(_t34, 0x1001251);
                                					goto L14;
                                				}
                                				GetSystemInfo( &_v40);
                                				_t27 = _v40.dwOemId & 0x0000ffff;
                                				if(_t27 == 0) {
                                					_push("i386");
                                					L11:
                                					_push(_t34);
                                					E01005B32();
                                					goto L12;
                                				}
                                				_t29 = _t27 - 1;
                                				if(_t29 == 0) {
                                					_push("mips");
                                					goto L11;
                                				}
                                				_t30 = _t29 - 1;
                                				if(_t30 == 0) {
                                					_push("alpha");
                                					goto L11;
                                				}
                                				if(_t30 != 1) {
                                					goto L12;
                                				}
                                				_push("ppc");
                                				goto L11;
                                			}











                                APIs
                                • lstrcpyA.KERNEL32(0100AC44,?), ref: 01004B50
                                • GetSystemInfo.KERNEL32(?), ref: 01004B63
                                • lstrcpyA.KERNEL32(0100AC44,?), ref: 01004BB0
                                • CreateDirectoryA.KERNEL32(0100AC44,00000000,0100AC44), ref: 01004BC2
                                  • Part of subcall function 01002F7A: wsprintfA.USER32 ref: 01002F9A
                                  • Part of subcall function 01002F7A: lstrcpyA.KERNEL32(?,?), ref: 01002FAC
                                  • Part of subcall function 01002F7A: RemoveDirectoryA.KERNEL32(?,?,?), ref: 01002FBE
                                  • Part of subcall function 01002F7A: GetFileAttributesA.KERNEL32(?), ref: 01002FC5
                                  • Part of subcall function 01002F7A: GetTempFileNameA.KERNEL32(?,IXP,00000000,?), ref: 01002FED
                                  • Part of subcall function 01002F7A: DeleteFileA.KERNEL32(?), ref: 01002FFB
                                  • Part of subcall function 01002F7A: CreateDirectoryA.KERNEL32(?,00000000), ref: 01003004
                                • RemoveDirectoryA.KERNEL32(0100AC44,0100AC44,?,00000000,0100AC44), ref: 01004C0A
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Directory$Filelstrcpy$CreateRemove$AttributesDeleteInfoNameSystemTempwsprintf
                                • String ID: alpha$i386$mips$ppc
                                • API String ID: 2618030033-1048730182
                                • Opcode ID: bb6fa139a9d4eb89316008f6ae5badacb9f3ca1d83b0c6dff6bdeefac54afca9
                                • Instruction ID: 863f2b1f4f4a5febeb1d47ca0d15cb2489539e343ca057a3309e34f4a0df478a
                                • Opcode Fuzzy Hash: bb6fa139a9d4eb89316008f6ae5badacb9f3ca1d83b0c6dff6bdeefac54afca9
                                • Instruction Fuzzy Hash: 5421A131505B19ABFB639F699C44FEA3ADCAB05385F4000A9F7C5E10C4DB39C941CB69
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 86%
                                			E01001B8B(void* __edi) {
                                				void* _v8;
                                				int _v12;
                                				void _v271;
                                				char _v272;
                                				char _v840;
                                				long _t17;
                                				int _t21;
                                				signed int _t37;
                                				char _t49;
                                
                                				_t49 =  *0x100a2e0; // 0x0
                                				if(_t49 != 0) {
                                					_t17 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x2001f,  &_v8);
                                					if(_t17 == 0) {
                                						_v12 = 0x238;
                                						_t21 = RegQueryValueExA(_v8, 0x100a2e0, 0, 0,  &_v840,  &_v12);
                                						if(_t21 == 0) {
                                							_t37 = 0x40;
                                							_v272 = 0;
                                							memset( &_v271, _t21, _t37 << 2);
                                							asm("stosw");
                                							asm("stosb");
                                							if(GetSystemDirectoryA( &_v272, 0x104) != 0) {
                                								E01005B32( &_v272, 0x1001251);
                                							}
                                							wsprintfA( &_v840, "rundll32.exe %sadvpack.dll,DelNodeRunDLL32 \"%s\"",  &_v272, 0x100ac44);
                                							RegSetValueExA(_v8, 0x100a2e0, 0, 1,  &_v840, lstrlenA( &_v840) + 1);
                                						}
                                						return RegCloseKey(_v8);
                                					}
                                				}
                                				return _t17;
                                			}













                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?), ref: 01001BB7
                                • RegQueryValueExA.ADVAPI32(?,0100A2E0,00000000,00000000,?,?), ref: 01001BE3
                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 01001C12
                                • wsprintfA.USER32 ref: 01001C46
                                • lstrlenA.KERNEL32(?), ref: 01001C56
                                • RegSetValueExA.ADVAPI32(?,0100A2E0,00000000,00000001,?,00000001), ref: 01001C6C
                                  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                • RegCloseKey.ADVAPI32(?), ref: 01001C75
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 01001BAD
                                • rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 01001C40
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Valuelstrlen$CharCloseDirectoryOpenPrevQuerySystemlstrcpywsprintf
                                • String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
                                • API String ID: 11565330-2368451976
                                • Opcode ID: 5599e54c7d9c30600de5d0d1969bc1e94db08515ae13c163f555adafc5244e2b
                                • Instruction ID: 2fb7fcdbff80cae6b570ff950ba8ccadd0e573114065fe0f363dccfd66d38777
                                • Opcode Fuzzy Hash: 5599e54c7d9c30600de5d0d1969bc1e94db08515ae13c163f555adafc5244e2b
                                • Instruction Fuzzy Hash: 25215375A4021CBBEB22DBA5DD49FDABB7CEB08740F0000A5F689E6081D7B5DB448F60
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E01003E60(void* __ecx, CHAR* _a4) {
                                				void* _t11;
                                				signed char _t13;
                                				CHAR* _t18;
                                				void* _t21;
                                				void* _t23;
                                
                                				_t18 = _a4;
                                				_t23 = LocalAlloc(0x40, lstrlenA(_t18) + 0x14);
                                				if(_t23 != 0) {
                                					lstrcpyA(_t23, _t18);
                                					E01005B32(_t23, "TMP4351$.TMP");
                                					_t21 = CreateFileA(_t23, 0x40000000, 0, 0, 1, 0x4000080, 0);
                                					LocalFree(_t23);
                                					if(_t21 == 0xffffffff) {
                                						L6:
                                						 *0x100aa5c = E01003547();
                                						_t11 = 0;
                                						L7:
                                						return _t11;
                                					}
                                					CloseHandle(_t21);
                                					_t13 = GetFileAttributesA(_t18);
                                					if(_t13 == 0xffffffff || (_t13 & 0x00000010) == 0) {
                                						goto L6;
                                					} else {
                                						 *0x100aa5c = 0;
                                						_t11 = 1;
                                						goto L7;
                                					}
                                				}
                                				E010038CC(0, 0x4b5, 0, 0, 0x10, 0);
                                				 *0x100aa5c = E01003547();
                                				return 0;
                                			}









                                APIs
                                • lstrlenA.KERNEL32(?,0100AC44,?,?,01004FB4,0100AC44,0100AC44,01001251), ref: 01003E68
                                • LocalAlloc.KERNEL32(00000040,-00000014,?,?,01004FB4,0100AC44,0100AC44,01001251), ref: 01003E74
                                • lstrcpyA.KERNEL32(00000000,?,00000000,?,?,01004FB4,0100AC44,0100AC44,01001251), ref: 01003EA3
                                • CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000001,04000080,00000000,00000000,TMP4351$.TMP,?,?,01004FB4,0100AC44,0100AC44,01001251), ref: 01003EC4
                                • LocalFree.KERNEL32(00000000,?,?,01004FB4,0100AC44,0100AC44,01001251), ref: 01003ECD
                                • CloseHandle.KERNEL32(00000000,?,?,01004FB4,0100AC44,0100AC44,01001251), ref: 01003ED9
                                • GetFileAttributesA.KERNEL32(?,?,?,01004FB4,0100AC44,0100AC44,01001251), ref: 01003EE0
                                  • Part of subcall function 010038CC: MessageBoxA.USER32 ref: 01003946
                                  • Part of subcall function 01003547: GetLastError.KERNEL32(00000000,01003EFF,?,?,01004FB4,0100AC44,0100AC44,01001251), ref: 0100354E
                                  • Part of subcall function 01003547: GetLastError.KERNEL32(?,?,01004FB4,0100AC44,0100AC44,01001251), ref: 01003554
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: ErrorFileLastLocal$AllocAttributesCloseCreateFreeHandleMessagelstrcpylstrlen
                                • String ID: TMP4351$.TMP
                                • API String ID: 3688570051-2619824408
                                • Opcode ID: 65b40ac1ab692f5017578da60dbe46ab5691c919ccf888b23b9f00993cbe7770
                                • Instruction ID: 07e8854d2f4717a7fcec1bdd87890a29ac9275318df03397e391de66aed45773
                                • Opcode Fuzzy Hash: 65b40ac1ab692f5017578da60dbe46ab5691c919ccf888b23b9f00993cbe7770
                                • Instruction Fuzzy Hash: 9A11A5726016447FE223AF799C49F9F3E5CEB06369F014514F2D6E90C5C7BA94418B74
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 58%
                                			E010049DB(void* __ecx, void* __eflags) {
                                				void* _t4;
                                				struct HWND__* _t5;
                                				signed int _t6;
                                				intOrPtr _t8;
                                				signed int _t9;
                                				void* _t11;
                                				signed int _t17;
                                				signed int _t23;
                                				int _t29;
                                
                                				_t4 = E01002E6F(__ecx, __eflags);
                                				if(_t4 != 0) {
                                					_t5 =  *0x100aa4c; // 0x0
                                					__eflags = _t5;
                                					if(__eflags != 0) {
                                						ShowWindow(GetDlgItem(_t5, 0x842), 0);
                                						ShowWindow(GetDlgItem( *0x100aa4c, 0x841), 5);
                                					}
                                					_t6 = E01003C60(__eflags,  *0x100aba0);
                                					__eflags = _t6;
                                					if(_t6 != 0) {
                                						_t23 = E01005EBF(E01002E03, E01002E10, E01003B9B, E01002B9D, E01002C23, E01002CB2, E01002D05, 1, 0x100aba8);
                                						__eflags = _t23;
                                						if(_t23 == 0) {
                                							L9:
                                							_t8 =  *0x100aba8; // 0x0
                                							_push(0);
                                							_push(0x10);
                                							_push(0);
                                							_t9 = _t8 + 0x514;
                                							__eflags = _t9;
                                							_push(0);
                                							_push(_t9);
                                							goto L10;
                                						} else {
                                							_t29 = E01006E88(_t23, "*MEMCAB", 0x1001251, 0, E01004888, 0, 0x100aba0);
                                							__eflags = _t29;
                                							if(_t29 != 0) {
                                								_t17 = E010069C2(_t23);
                                								__eflags = _t17;
                                								if(_t17 == 0) {
                                									goto L9;
                                								}
                                							}
                                						}
                                					} else {
                                						_push(0);
                                						_push(0x10);
                                						_push(0);
                                						_push(0);
                                						_push(0x4ba);
                                						L10:
                                						_push( *0x100aa4c);
                                						E010038CC();
                                						_t29 = 0;
                                						__eflags = 0;
                                					}
                                					_t11 =  *0x100aba0; // 0x0
                                					__eflags = _t11;
                                					if(_t11 != 0) {
                                						FreeResource(_t11);
                                						 *0x100aba0 = 0;
                                					}
                                					__eflags = _t29;
                                					if(_t29 == 0) {
                                						__eflags =  *0x100ac38; // 0x0
                                						if(__eflags == 0) {
                                							E010038CC(0, 0x4f8, 0, 0, 0x10, 0);
                                						}
                                					}
                                					__eflags =  *0x100b898 & 0x00000001;
                                					if(( *0x100b898 & 0x00000001) == 0) {
                                						__eflags =  *0x100b494 & 0x00000001;
                                						if(( *0x100b494 & 0x00000001) == 0) {
                                							SendMessageA( *0x100aa4c, 0xfa1, _t29, 0);
                                						}
                                					}
                                					return _t29;
                                				} else {
                                					return _t4;
                                				}
                                			}













                                APIs
                                  • Part of subcall function 01002E6F: FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 01002E89
                                  • Part of subcall function 01002E6F: LoadResource.KERNEL32(00000000,00000000), ref: 01002E92
                                  • Part of subcall function 01002E6F: LockResource.KERNEL32(00000000), ref: 01002E99
                                • GetDlgItem.USER32 ref: 01004A00
                                • ShowWindow.USER32(00000000), ref: 01004A09
                                • GetDlgItem.USER32 ref: 01004A18
                                • ShowWindow.USER32(00000000), ref: 01004A1B
                                • FreeResource.KERNEL32(00000000,-00000514,00000000,00000000,00000010,00000000), ref: 01004AC7
                                • SendMessageA.USER32(00000FA1,00000000,00000000,-00000514), ref: 01004B0E
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Resource$ItemShowWindow$FindFreeLoadLockMessageSend
                                • String ID: *MEMCAB
                                • API String ID: 3694369891-3211172518
                                • Opcode ID: c58f8bc2a7f7b26109adb1d35207193ebaf4e78ef12d8e4ecae876ef37705db9
                                • Instruction ID: 5c6169ab3c9c94f66ae9421972872bc9d1b968acd00de396031396c823d54b5c
                                • Opcode Fuzzy Hash: c58f8bc2a7f7b26109adb1d35207193ebaf4e78ef12d8e4ecae876ef37705db9
                                • Instruction Fuzzy Hash: 3E31EA313813117AF63367579C89F972D8DDB56B65F400454F7C8E60C6C6FA889087A9
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 92%
                                			E0100579B(int __ebx) {
                                				CHAR* _t24;
                                				signed char _t35;
                                				void* _t42;
                                				void* _t50;
                                				int _t56;
                                				void* _t59;
                                				intOrPtr* _t60;
                                				void* _t62;
                                				void* _t64;
                                
                                				L0:
                                				while(1) {
                                					L0:
                                					_t56 = __ebx;
                                					if(__ebx != 3) {
                                						goto L5;
                                					}
                                					L4:
                                					if(GetFileAttributesA(_t64 - 0x104) != 0xffffffff) {
                                						L11:
                                						if(L01003F0D(_t59, _t64 - 0x104, 3, 0) != 0 || E01001F6E(_t59, _t64 - 0x104) == 0 && L01003F0D(_t59, _t64 - 0x104, 1, 0) != 0) {
                                							L14:
                                							if(E01001F6E(_t59, _t64 - 0x104) != 0) {
                                								GetWindowsDirectoryA(_t64 - 0x104, 0x104);
                                							}
                                							E01005B32(_t64 - 0x104, "msdownld.tmp");
                                							_t35 = E01001F4B(_t64 - 0x104);
                                							if(_t35 != 0) {
                                								L18:
                                								SetFileAttributesA(_t64 - 0x104, 2);
                                								 *_t60(_t62, _t64 - 0x104);
                                								if(E01004B1A(_t59, _t62, 1, 0) != 0) {
                                									L22:
                                									_t42 = 1;
                                								} else {
                                									goto L19;
                                								}
                                							} else {
                                								L17:
                                								 *(_t64 - 0x104) =  *(_t64 - 0x104) + 1;
                                								 *(_t64 - 0x101) =  *(_t64 - 0x101) & _t35;
                                								goto L19;
                                							}
                                						} else {
                                							L10:
                                							 *(_t64 - 0x104) =  *(_t64 - 0x104) + 1;
                                							while(1) {
                                								L19:
                                								_t24 = _t64 - 0x104;
                                								if( *(_t64 - 0x104) <= 0x5a) {
                                									break;
                                								}
                                								L20:
                                								GetWindowsDirectoryA(_t24, 0x104);
                                								if(L01003F0D(_t59, _t64 - 0x104, 3, 4) != 0) {
                                									L2:
                                									lstrcpyA(_t64 - 0x104, "A:\\");
                                									continue;
                                								} else {
                                									L21:
                                									L1:
                                									_t42 = 0;
                                								}
                                								goto L23;
                                							}
                                							L3:
                                							_t56 = GetDriveTypeA(_t24);
                                							if(_t56 == 6) {
                                								goto L4;
                                							} else {
                                								continue;
                                							}
                                						}
                                					} else {
                                						goto L5;
                                					}
                                					L23:
                                					return _t42;
                                					L24:
                                					L5:
                                					if(_t56 != 2 ||  *(_t64 - 0x104) == 0x41 ||  *(_t64 - 0x104) == 0x42) {
                                						goto L10;
                                					} else {
                                						L8:
                                						_t50 = E01005E13(_t64 - 0x104);
                                						if(_t50 == 0 || _t50 < 0x19000) {
                                							goto L10;
                                						} else {
                                							goto L11;
                                						}
                                					}
                                					goto L23;
                                				}
                                			}


                                APIs
                                • GetFileAttributesA.KERNEL32(0000005A,?,00000000), ref: 010057A7
                                • GetWindowsDirectoryA.KERNEL32(00000042,00000104,00000042,00000003,00000000,00000042), ref: 0100583F
                                • SetFileAttributesA.KERNEL32(00000042,00000002,00000042,msdownld.tmp,00000042,00000003,00000000,00000042), ref: 0100587D
                                  • Part of subcall function 01004B1A: lstrcpyA.KERNEL32(0100AC44,?), ref: 01004B50
                                  • Part of subcall function 01004B1A: GetSystemInfo.KERNEL32(?), ref: 01004B63
                                  • Part of subcall function 01004B1A: CreateDirectoryA.KERNEL32(0100AC44,00000000,0100AC44), ref: 01004BC2
                                • GetWindowsDirectoryA.KERNEL32(0000005A,00000104), ref: 010058B3
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Directory$AttributesFileWindows$CreateInfoSystemlstrcpy
                                • String ID: B$Z$msdownld.tmp
                                • API String ID: 1876221500-3054996981
                                • Opcode ID: 7707a8d811fa85d4d1a40ddce200e3e2d92dda0b09d098ef354e786c39503367
                                • Instruction ID: 21d62fbbcb87b0322eff64c107e8eaea6025d7da01d66a5ab74c5d2ba58e6748
                                • Opcode Fuzzy Hash: 7707a8d811fa85d4d1a40ddce200e3e2d92dda0b09d098ef354e786c39503367
                                • Instruction Fuzzy Hash: 8A3120B5A00259AAFF23D6B49D89BE966AC6B24344F4404E1E7C9E20C1E7F4DAC48F10
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 79%
                                			E010015F6(intOrPtr* _a4) {
                                				void* _v8;
                                				long _v12;
                                				struct HINSTANCE__* _v16;
                                				char _v19;
                                				char _v20;
                                				char _v21;
                                				char _v22;
                                				char _v23;
                                				struct _SID_IDENTIFIER_AUTHORITY _v24;
                                				struct HINSTANCE__* _t17;
                                				intOrPtr* _t28;
                                				intOrPtr* _t31;
                                
                                				_v12 = 0;
                                				_v24.Value = 0;
                                				_v23 = 0;
                                				_v22 = 0;
                                				_v21 = 0;
                                				_v20 = 0;
                                				_v19 = 5;
                                				_t17 = LoadLibraryA("advapi32.dll");
                                				_v16 = _t17;
                                				if(_t17 != 0) {
                                					_t28 = GetProcAddress(_t17, "CheckTokenMembership");
                                					if(_t28 != 0) {
                                						_t31 = _a4;
                                						_v12 = 1;
                                						 *_t31 = 0;
                                						if(AllocateAndInitializeSid( &_v24, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v8) != 0) {
                                							 *_t28(0, _v8, _t31);
                                							FreeSid(_v8);
                                						}
                                					}
                                					FreeLibrary(_v16);
                                				}
                                				return _v12;
                                			}


                                APIs
                                • LoadLibraryA.KERNEL32(advapi32.dll,00000000,?,?,010016C1,?,00000000,?,01004E0E,?,?,00000000), ref: 0100161A
                                • GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0100162E
                                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,0100ABB4,?,?,010016C1), ref: 0100165E
                                • FreeSid.ADVAPI32(00000000,?,?,010016C1), ref: 01001672
                                • FreeLibrary.KERNEL32(010016C1,?,?,010016C1,?,00000000,?,01004E0E,?,?,00000000), ref: 0100167C
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: FreeLibrary$AddressAllocateInitializeLoadProc
                                • String ID: CheckTokenMembership$advapi32.dll
                                • API String ID: 4204503880-1888249752
                                • Opcode ID: 05aef74ab9c6aad8ac387d91b692b6fb9c51c55194fb5577f0a734ca75a63f4d
                                • Instruction ID: 7c54915b23e232019903c0576df7497f5bb26148f144bc74401e3466b5a6cae1
                                • Opcode Fuzzy Hash: 05aef74ab9c6aad8ac387d91b692b6fb9c51c55194fb5577f0a734ca75a63f4d
                                • Instruction Fuzzy Hash: 87117071944289FBDB12DFA99C48ADEBFB8EF18344F540099F181A3181C6758A04CB65
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E01002691(intOrPtr _a4, char* _a8, int _a12, intOrPtr* _a16) {
                                				void* _v8;
                                				void* _v12;
                                				void* _v16;
                                				void* _v20;
                                				int _v24;
                                				int _v28;
                                				int _v32;
                                				void* _v36;
                                				intOrPtr _v40;
                                				intOrPtr _v44;
                                				intOrPtr _v48;
                                				intOrPtr _v52;
                                				long _t66;
                                				void* _t68;
                                				void* _t75;
                                				void* _t80;
                                				void* _t82;
                                				intOrPtr _t83;
                                				intOrPtr* _t86;
                                				void* _t87;
                                				intOrPtr _t89;
                                				intOrPtr _t91;
                                				intOrPtr* _t94;
                                				void* _t95;
                                
                                				_t80 = 0;
                                				_t89 = _a4;
                                				_v8 = 0;
                                				_v20 = 0;
                                				_v12 = 0;
                                				if( *((intOrPtr*)(_t89 + 0x7c)) <= 0) {
                                					L21:
                                					_v20 = 1;
                                				} else {
                                					_v16 = 0;
                                					while(1) {
                                						_t10 =  *((intOrPtr*)(_t89 + 0x80)) + 0x84; // 0xc0
                                						_t94 = _v16 + _t89 + _t10;
                                						if(E01002081(_a8, _a12,  *((intOrPtr*)(_t94 + 0x38)) + _t89 + 0x84) == 0) {
                                							goto L22;
                                						}
                                						_t66 = GetFileVersionInfoSizeA(_a8,  &_v28);
                                						_v24 = _t66;
                                						if(_t66 == _t80) {
                                							if( *_t94 == _t80 &&  *((intOrPtr*)(_t94 + 4)) == _t80) {
                                								goto L20;
                                							}
                                						} else {
                                							_t68 = GlobalAlloc(0x42, _t66);
                                							_v8 = _t68;
                                							if(_t68 != _t80) {
                                								_t82 = GlobalLock(_t68);
                                								if(_t82 != 0) {
                                									if(GetFileVersionInfoA(_a8, _v28, _v24, _t82) == 0 || VerQueryValueA(_t82, "\\",  &_v36,  &_v32) == 0 || _v32 == 0) {
                                										L17:
                                										GlobalUnlock(_v8);
                                										L20:
                                										_v12 = _v12 + 1;
                                										_v16 = _v16 + 0x3c;
                                										if(_v12 <  *((intOrPtr*)(_t89 + 0x7c))) {
                                											_t80 = 0;
                                											continue;
                                										} else {
                                											goto L21;
                                										}
                                									} else {
                                										_t75 = _v36;
                                										_t91 =  *((intOrPtr*)(_t75 + 0xc));
                                										_t83 =  *((intOrPtr*)(_t75 + 8));
                                										_t29 = _t94 + 0x10; // 0xd0
                                										_t86 = _t29;
                                										_t87 = 0;
                                										do {
                                											 *((intOrPtr*)(_t95 + _t87 - 0x28)) = E010021D4(_t83, _t91,  *((intOrPtr*)(_t86 - 0x10)),  *((intOrPtr*)(_t86 - 0xc)));
                                											 *((intOrPtr*)(_t95 + _t87 - 0x30)) = E010021D4(_t83, _t91,  *((intOrPtr*)(_t86 - 4)),  *_t86);
                                											_t87 = _t87 + 4;
                                											_t86 = _t86 + 0x18;
                                										} while (_t87 < 8);
                                										if(_v44 < 0 || _v52 > 0) {
                                											if(_v40 < 0 || _v48 > 0) {
                                												GlobalUnlock(_v8);
                                											} else {
                                												goto L16;
                                											}
                                										} else {
                                											L16:
                                											_t89 = _a4;
                                											goto L17;
                                										}
                                									}
                                								}
                                							}
                                						}
                                						goto L22;
                                					}
                                				}
                                				L22:
                                				 *_a16 = _v12;
                                				if(_v8 != 0) {
                                					GlobalFree(_v8);
                                				}
                                				return _v20;
                                			}


                                APIs
                                • GlobalFree.KERNEL32 ref: 010027EB
                                  • Part of subcall function 01002081: CharUpperA.USER32(?,00000001,?,00000000), ref: 010020A8
                                  • Part of subcall function 01002081: CharNextA.USER32(?), ref: 010020B7
                                  • Part of subcall function 01002081: CharNextA.USER32(00000000), ref: 010020BA
                                  • Part of subcall function 01002081: lstrcpyA.KERNEL32(?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 010020EA
                                  • Part of subcall function 01002081: RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,00000000), ref: 01002110
                                  • Part of subcall function 01002081: RegQueryValueExA.ADVAPI32(?,01001251,00000000,?,?,?), ref: 01002133
                                  • Part of subcall function 01002081: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 0100214E
                                  • Part of subcall function 01002081: lstrcpyA.KERNEL32(?,?), ref: 01002162
                                  • Part of subcall function 01002081: RegCloseKey.ADVAPI32(?), ref: 01002176
                                • GetFileVersionInfoSizeA.VERSION(?,?,?,00000001,?,?,?,?,00000104,?,?,?,?,?,?,?), ref: 010026EF
                                • GlobalAlloc.KERNEL32(00000042,00000000,0000003C,?,0000003C,00000001,?,?,?,?,00000001,?,?,?,?,00000104), ref: 01002702
                                • GlobalLock.KERNEL32 ref: 01002714
                                • GetFileVersionInfoA.VERSION(0000003C,?,?,00000000), ref: 0100272E
                                • VerQueryValueA.VERSION(00000000,0100132C,0000003C,0000003C,0000003C,?,?,00000000), ref: 01002745
                                • GlobalUnlock.KERNEL32(00000000,0000003C,?,?,00000000), ref: 010027AC
                                • GlobalUnlock.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 010027FB
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Global$Char$FileInfoNextQueryUnlockValueVersionlstrcpy$AllocCloseEnvironmentExpandFreeLockOpenSizeStringsUpper
                                • String ID:
                                • API String ID: 2416581039-0
                                • Opcode ID: d36b2cbb2bcf2f010609546f27dacd5adc000b5a5f889186ab3a9f49350142b4
                                • Instruction ID: 715b562a5a0b13aa3d3becab1fee66edbba7586ed49f21780c7e5d38fec6c3f0
                                • Opcode Fuzzy Hash: d36b2cbb2bcf2f010609546f27dacd5adc000b5a5f889186ab3a9f49350142b4
                                • Instruction Fuzzy Hash: 1B41717090020AEFEF12DF94CD88AEDBBF5FF44304F144069EA85A6591C7759980CF50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E01002ACD(CHAR* _a4, intOrPtr _a8, CHAR* _a12, CHAR* _a16) {
                                				int _t18;
                                				CHAR* _t31;
                                
                                				_t18 = lstrlenA(_a12);
                                				_t4 = lstrlenA(_a16) + 1; // 0x1
                                				if(_t18 + _t4 < _a8) {
                                					_t31 = _a4;
                                					lstrcpyA(_t31, _a12);
                                					if( *((char*)(lstrlenA(_t31) + _t31 - 1)) != 0x5c &&  *((char*)(lstrlenA(_t31) + _t31 - 1)) != 0x2f) {
                                						_t31[lstrlenA(_t31)] = 0x5c;
                                						( &(_t31[1]))[lstrlenA(_t31)] =  *(_t28 +  &(_t31[1])) & 0x00000000;
                                					}
                                					lstrcatA(_t31, _a16);
                                					return 1;
                                				}
                                				return 0;
                                			}






                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: lstrlen$lstrcatlstrcpy
                                • String ID:
                                • API String ID: 2414487701-0
                                • Opcode ID: 7294cccf960f3f366eb54c5e099d3ec04d4912deaa84471d2f8e17bbbdc9ee5a
                                • Instruction ID: 5cb71324bf1073ba797ff75ade76f469c3bffa4559f515a1268d3d36d40ed6b7
                                • Opcode Fuzzy Hash: 7294cccf960f3f366eb54c5e099d3ec04d4912deaa84471d2f8e17bbbdc9ee5a
                                • Instruction Fuzzy Hash: 2701D63140829ABEEB23DF64DC48EAF3FE9DF4A310F044469F98492052CB75E0159BA1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 91%
                                			E01002969(void* __edx, struct HWND__* _a4, struct HDC__* _a8) {
                                				int _v8;
                                				intOrPtr _v12;
                                				int _v16;
                                				struct tagRECT _v32;
                                				struct tagRECT _v48;
                                				struct HDC__* _t35;
                                				intOrPtr _t42;
                                				int _t47;
                                				void* _t51;
                                				int _t54;
                                				void* _t55;
                                				intOrPtr _t56;
                                				struct HWND__* _t61;
                                				void* _t63;
                                
                                				_t55 = __edx;
                                				GetWindowRect(_a4,  &_v48);
                                				_t63 = _v48.right - _v48.left;
                                				_t51 = _v48.bottom - _v48.top;
                                				GetWindowRect(_a8,  &_v32);
                                				_v12 = _v32.bottom - _v32.top;
                                				_t35 = GetDC(_a4);
                                				_a8 = _t35;
                                				_v8 = GetDeviceCaps(_t35, 8);
                                				_v16 = GetDeviceCaps(_a8, 0xa);
                                				ReleaseDC(_a4, _a8);
                                				asm("cdq");
                                				_t54 = (_v32.right - _v32.left - _t63 - _t55 >> 1) + _v32.left;
                                				_t61 = 0;
                                				if(_t54 >= 0) {
                                					_t42 = _v8;
                                					_t55 = _t54 + _t63;
                                					if(_t55 > _t42) {
                                						_t54 = _t42 - _t63;
                                					}
                                				} else {
                                					_t54 = 0;
                                				}
                                				asm("cdq");
                                				_t47 = (_v12 - _t51 - _t55 >> 1) + _v32.top;
                                				if(_t47 >= 0) {
                                					_t56 = _v16;
                                					if(_t47 + _t51 > _t56) {
                                						_t47 = _t56 - _t51;
                                					}
                                				} else {
                                					_t47 = 0;
                                				}
                                				return SetWindowPos(_a4, _t61, _t54, _t47, _t61, _t61, 5);
                                			}


















                                APIs
                                • GetWindowRect.USER32 ref: 0100297F
                                • GetWindowRect.USER32 ref: 01002994
                                • GetDC.USER32(?), ref: 010029A8
                                • GetDeviceCaps.GDI32(00000000,00000008), ref: 010029B4
                                • GetDeviceCaps.GDI32(010017FA,0000000A), ref: 010029C2
                                • ReleaseDC.USER32 ref: 010029D1
                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005), ref: 01002A27
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Window$CapsDeviceRect$Release
                                • String ID:
                                • API String ID: 2212493051-0
                                • Opcode ID: e5b264a83dd9e846005674263491b2207fbfe43a598662fe0941c5ab6264e4cb
                                • Instruction ID: 4c28801afd84217de1cb5c416d2791a7d42eb7b966f216dd91684d3200acc53b
                                • Opcode Fuzzy Hash: e5b264a83dd9e846005674263491b2207fbfe43a598662fe0941c5ab6264e4cb
                                • Instruction Fuzzy Hash: 0B215932A0010AAFDF12CFBCCD899EEBBB9EB88310F008125F941E7254D735A9458B50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E01003D9A(void* __eflags) {
                                				void* _t7;
                                				void* _t20;
                                
                                				_t17 = "UPROMPT";
                                				_t1 = E01002A34("UPROMPT", 0, 0) + 1; // 0x1
                                				_t20 = LocalAlloc(0x40, _t1);
                                				if(_t20 != 0) {
                                					if(E01002A34(_t17, _t20, _t18) != 0) {
                                						if(lstrcmpA(_t20, "<None>") != 0) {
                                							_t7 = E010038CC(0, 0x3e9, _t20, 0, 0x20, 4);
                                							LocalFree(_t20);
                                							if(_t7 != 6) {
                                								 *0x100aa5c = 0x800704c7;
                                								L10:
                                								return 0;
                                							}
                                							 *0x100aa5c = 0;
                                							L6:
                                							return 1;
                                						}
                                						LocalFree(_t20);
                                						goto L6;
                                					}
                                					E010038CC(0, 0x4b1, 0, 0, 0x10, 0);
                                					LocalFree(_t20);
                                					 *0x100aa5c = 0x80070714;
                                					goto L10;
                                				}
                                				E010038CC(0, 0x4b5, 0, 0, 0x10, 0);
                                				 *0x100aa5c = E01003547();
                                				goto L10;
                                			}






                                APIs
                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A4C
                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A6C
                                  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A73
                                • LocalAlloc.KERNEL32(00000040,00000001,UPROMPT,00000000,00000000), ref: 01003DB5
                                • LocalFree.KERNEL32(00000000,00000000,000004B1,00000000,00000000,00000010,00000000,UPROMPT,00000000,00000000), ref: 01003DFA
                                  • Part of subcall function 010038CC: MessageBoxA.USER32 ref: 01003946
                                  • Part of subcall function 01003547: GetLastError.KERNEL32(00000000,01003EFF,?,?,01004FB4,0100AC44,0100AC44,01001251), ref: 0100354E
                                  • Part of subcall function 01003547: GetLastError.KERNEL32(?,?,01004FB4,0100AC44,0100AC44,01001251), ref: 01003554
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Resource$ErrorFindLastLocal$AllocFreeLoadLockMessageSizeof
                                • String ID: <None>$UPROMPT
                                • API String ID: 226386726-2980973527
                                • Opcode ID: 52b95ada8aad3936e4575546471fca0f05d1e9e9538044224c9f25b47f298f61
                                • Instruction ID: fcd82f8eb2d96e34fe2045f7d831227921619ed0845e22903694ad8dcf9b4982
                                • Opcode Fuzzy Hash: 52b95ada8aad3936e4575546471fca0f05d1e9e9538044224c9f25b47f298f61
                                • Instruction Fuzzy Hash: F01190B164178ABFF2236B329C48F9B3B5CEB0A798F014114F6C29D0C6D7BAA4004B74
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E01004481(void* __ecx, void* __eflags) {
                                				void* _t4;
                                				void* _t10;
                                
                                				_t19 = "LICENSE";
                                				_t1 = E01002A34("LICENSE", 0, 0) + 1; // 0x1
                                				_t4 = LocalAlloc(0x40, _t1);
                                				 *0x100b49c = _t4;
                                				if(_t4 != 0) {
                                					if(E01002A34(_t19, _t4, _t20) != 0) {
                                						if(lstrcmpA( *0x100b49c, "<None>") == 0) {
                                							LocalFree( *0x100b49c);
                                							L9:
                                							 *0x100aa5c = 0;
                                							return 1;
                                						}
                                						_t10 = E01004161( *0x100b4a4, 0x7d1, 0, E01003773, 0, 0);
                                						LocalFree( *0x100b49c);
                                						if(_t10 != 0) {
                                							goto L9;
                                						}
                                						 *0x100aa5c = 0x800704c7;
                                						L7:
                                						return 0;
                                					}
                                					E010038CC(0, 0x4b1, 0, 0, 0x10, 0);
                                					LocalFree( *0x100b49c);
                                					 *0x100aa5c = 0x80070714;
                                					goto L7;
                                				}
                                				E010038CC(0, 0x4b5, 0, 0, 0x10, 0);
                                				 *0x100aa5c = E01003547();
                                				goto L7;
                                			}






                                APIs
                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A4C
                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A6C
                                  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A73
                                • LocalAlloc.KERNEL32(00000040,00000001,LICENSE,00000000,00000000), ref: 0100449B
                                • LocalFree.KERNEL32(00000000,000004B1,00000000,00000000,00000010,00000000,LICENSE,00000000,00000000), ref: 010044E8
                                  • Part of subcall function 010038CC: MessageBoxA.USER32 ref: 01003946
                                  • Part of subcall function 01003547: GetLastError.KERNEL32(00000000,01003EFF,?,?,01004FB4,0100AC44,0100AC44,01001251), ref: 0100354E
                                  • Part of subcall function 01003547: GetLastError.KERNEL32(?,?,01004FB4,0100AC44,0100AC44,01001251), ref: 01003554
                                • LocalFree.KERNEL32 ref: 0100454D
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Resource$Local$ErrorFindFreeLast$AllocLoadLockMessageSizeof
                                • String ID: <None>$LICENSE
                                • API String ID: 3899723493-383193767
                                • Opcode ID: dd1cdc213aed7aaa174bd606b5daadfe53713abf20a886b48616d53c42c16c22
                                • Instruction ID: 6e0dad04b0308800c6e7bb6f83685405a54a227f071ddc6dc43be68e18665347
                                • Opcode Fuzzy Hash: dd1cdc213aed7aaa174bd606b5daadfe53713abf20a886b48616d53c42c16c22
                                • Instruction Fuzzy Hash: 791172B4600245BEF7236F21ACC4D7B366DE704399F018024B6C5D94C9DBBB8D408B34
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E01005D22(void* __edi) {
                                				signed int _t22;
                                				long _t31;
                                				void* _t39;
                                				void* _t41;
                                
                                				_t39 = _t41 - 0x78;
                                				 *(_t39 + 0x74) =  *(_t39 + 0x74) & 0x00000000;
                                				 *(_t39 + 0x6c) = 0xc;
                                				if( *0x100a2cc == 0xfffffffe) {
                                					 *0x100a2cc =  *0x100a2cc & 0x00000000;
                                					 *(_t39 - 0x38) = 0x94;
                                					if(GetVersionExA(_t39 - 0x38) != 0 &&  *((intOrPtr*)(_t39 - 0x28)) == 1 &&  *((intOrPtr*)(_t39 - 0x34)) == 4 &&  *((intOrPtr*)(_t39 - 0x30)) < 0xa && GetSystemMetrics(0x4a) != 0 && RegOpenKeyExA(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x20019, _t39 + 0x70) == 0) {
                                						_t31 = RegQueryValueExA( *(_t39 + 0x70), 0x1001251, 0, _t39 + 0x68, _t39 + 0x5c, _t39 + 0x6c);
                                						RegCloseKey( *(_t39 + 0x70));
                                						if(_t31 == 0 && E01005C1C(_t39 + 0x5c, _t39 + 0x74) != 0) {
                                							 *(_t39 + 0x74) =  *(_t39 + 0x74) & 0x000003ff;
                                							if( *(_t39 + 0x74) == 1 ||  *(_t39 + 0x74) == 0xd) {
                                								 *0x100a2cc = 1;
                                							}
                                						}
                                					}
                                				}
                                				_t22 =  *0x100a2cc; // 0xfffffffe
                                				return _t22;
                                			}








                                APIs
                                • GetVersionExA.KERNEL32(?), ref: 01005D57
                                • GetSystemMetrics.USER32 ref: 01005D85
                                • RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 01005DA4
                                • RegQueryValueExA.ADVAPI32(?,01001251,00000000,?,?,?,?), ref: 01005DC5
                                • RegCloseKey.ADVAPI32(?), ref: 01005DD0
                                  • Part of subcall function 01005C1C: CharNextA.USER32(?,00000000,01005DE8,?,?), ref: 01005C55
                                Strings
                                • Control Panel\Desktop\ResourceLocale, xrefs: 01005D9A
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
                                • String ID: Control Panel\Desktop\ResourceLocale
                                • API String ID: 3346862599-1109908249
                                • Opcode ID: 431f45f9673300b689da86ba081f87beb83a14b1989b5a4117b9124139db4642
                                • Instruction ID: 083c54a924ab9761291a410baedf6ac57de624089c224ea8294de35afb17b59e
                                • Opcode Fuzzy Hash: 431f45f9673300b689da86ba081f87beb83a14b1989b5a4117b9124139db4642
                                • Instruction Fuzzy Hash: 17212571640248DBEB36CFA9DC48B9D37E8AB04715F105129F991D20C3E7BAC488CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 86%
                                			E01003773(void* __edx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12) {
                                				void* _t8;
                                				void* _t11;
                                				void* _t15;
                                				struct HWND__* _t16;
                                				void* _t26;
                                				struct HWND__* _t28;
                                
                                				_t26 = __edx;
                                				_t8 = _a8 - 0xf;
                                				if(_t8 == 0) {
                                					if( *0x100aa58 == 0) {
                                						 *0x100a840 = SendDlgItemMessageA(_a4, 0x834, 0xb1, 0xffffffff, 0);
                                						 *0x100aa58 = 1;
                                					}
                                					L13:
                                					return 0;
                                				}
                                				_t11 = _t8 - 1;
                                				if(_t11 == 0) {
                                					L7:
                                					_push(0);
                                					L8:
                                					EndDialog(_a4, ??);
                                					L9:
                                					return 1;
                                				}
                                				_t15 = _t11 - 0x100;
                                				if(_t15 == 0) {
                                					_t16 = GetDesktopWindow();
                                					_t28 = _a4;
                                					E01002969(_t26, _t28, _t16);
                                					SetDlgItemTextA(_t28, 0x834,  *0x100b49c);
                                					SetWindowTextA(_t28, 0x100abb4);
                                					SetForegroundWindow(_t28);
                                					E01002803(GetDlgItem(_t28, 0x834), E01002827);
                                					return 1;
                                				}
                                				if(_t15 != 1) {
                                					goto L13;
                                				}
                                				if(_a12 != 6) {
                                					if(_a12 != 7) {
                                						goto L9;
                                					}
                                					goto L7;
                                				}
                                				_push(1);
                                				goto L8;
                                			}










                                APIs
                                • EndDialog.USER32(?,00000000), ref: 010037A8
                                • GetDesktopWindow.USER32 ref: 010037B8
                                • SetDlgItemTextA.USER32 ref: 010037D5
                                • SetWindowTextA.USER32(?,0100ABB4), ref: 010037E1
                                • SetForegroundWindow.USER32(?), ref: 010037E8
                                • GetDlgItem.USER32 ref: 010037F5
                                • SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 01003822
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: ItemWindow$Text$DesktopDialogForegroundMessageSend
                                • String ID:
                                • API String ID: 3995847246-0
                                • Opcode ID: 0416d64abb4ccf835619947f66294db8555aab5d7019f45f1413da29fbb76d96
                                • Instruction ID: 01c3b69a9c1d9b51098dd75da9e10fd26e27e0a568cfd527d8e7b98c3a4c5e06
                                • Opcode Fuzzy Hash: 0416d64abb4ccf835619947f66294db8555aab5d7019f45f1413da29fbb76d96
                                • Instruction Fuzzy Hash: DB116A35144305AFFB735F68DC4CBAA3AA4FB4AB61F000165F5D9991C4C7BA8281D791
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E01001DDF() {
                                				char _v264;
                                				long _t16;
                                				int _t18;
                                
                                				_t16 = 0;
                                				if(GetWindowsDirectoryA( &_v264, 0x104) != 0) {
                                					E01005B32( &_v264, "wininit.ini");
                                					WritePrivateProfileStringA(0, 0, 0,  &_v264);
                                					_t18 = _lopen( &_v264, 0x40);
                                					if(_t18 != 0xffffffff) {
                                						_t16 = _llseek(_t18, 0, 2);
                                						_lclose(_t18);
                                					}
                                				}
                                				return _t16;
                                			}







                                APIs
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 01001DF7
                                  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                • WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 01001E1D
                                • _lopen.KERNEL32 ref: 01001E2C
                                • _llseek.KERNEL32(00000000,00000000,00000002), ref: 01001E3D
                                • _lclose.KERNEL32(00000000), ref: 01001E46
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: CharDirectoryPrevPrivateProfileStringWindowsWrite_lclose_llseek_lopenlstrcpylstrlen
                                • String ID: wininit.ini
                                • API String ID: 1211533111-4206010578
                                • Opcode ID: f92e39143841338b23a30a7285bd343bbb73fc4a946f94324873422716c0777d
                                • Instruction ID: b7b4abcde96b08424be1b8ef761040528c423947c2d44bd333b95f446d3817fe
                                • Opcode Fuzzy Hash: f92e39143841338b23a30a7285bd343bbb73fc4a946f94324873422716c0777d
                                • Instruction Fuzzy Hash: BCF0AFB6600194A7E732E7799D8CEEB3ABCAB85710F000095B7D9E30C0D6B8C9458B70
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E01002EAF(void* __ebx, void* __ecx) {
                                				char _v260;
                                				void* _t7;
                                				void* _t20;
                                				void* _t21;
                                				void* _t22;
                                
                                				_t20 = __ecx;
                                				_t22 =  *0x100ac40; // 0x0
                                				_t21 = _t22;
                                				if(_t22 != 0) {
                                					do {
                                						if( *0x100b884 == 0 &&  *0x100b490 == 0) {
                                							SetFileAttributesA( *_t22, 0x80);
                                							DeleteFileA( *_t22);
                                						}
                                						_t22 =  *(_t22 + 4);
                                						LocalFree( *_t21);
                                						_t7 = LocalFree(_t21);
                                						_t21 = _t22;
                                					} while (_t22 != 0);
                                				}
                                				if( *0x100b880 != 0 &&  *0x100b884 == 0 &&  *0x100b490 == 0) {
                                					lstrcpyA( &_v260, 0x100ac44);
                                					if(( *0x100b494 & 0x00000020) != 0) {
                                						E01005B71( &_v260);
                                					}
                                					SetCurrentDirectoryA("..");
                                					_t7 = E01001C7F( &_v260);
                                				}
                                				if( *0x100aa64 != 1 &&  *0x100b880 != 0) {
                                					_t7 = E01001946(_t20);
                                				}
                                				 *0x100b880 = 0;
                                				return _t7;
                                			}









                                APIs
                                • SetFileAttributesA.KERNEL32(00000000,00000080), ref: 01002EE4
                                • DeleteFileA.KERNEL32(00000000), ref: 01002EEC
                                • LocalFree.KERNEL32(00000000), ref: 01002EF7
                                • LocalFree.KERNEL32(00000000), ref: 01002EFA
                                • lstrcpyA.KERNEL32(0100AC44,0100AC44), ref: 01002F25
                                • SetCurrentDirectoryA.KERNEL32(01001284), ref: 01002F43
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: FileFreeLocal$AttributesCurrentDeleteDirectorylstrcpy
                                • String ID:
                                • API String ID: 2574644873-0
                                • Opcode ID: 93e692ac1587df938e33032a71ea2a0dccc3e90e8b89d3b20b57e192b1dc1fa6
                                • Instruction ID: 960ce29c7a69c0d0d6bd76a451a08647df6ffba3f75ce7ea97df57adcc28d351
                                • Opcode Fuzzy Hash: 93e692ac1587df938e33032a71ea2a0dccc3e90e8b89d3b20b57e192b1dc1fa6
                                • Instruction Fuzzy Hash: DB11E27A500259DFFB73EF58E94C96577E8FB04340F45406EE2C052198CBBB9548CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E01002A34(CHAR* _a4, void* _a8, intOrPtr _a12) {
                                				void* _t13;
                                				void* _t14;
                                				signed int _t17;
                                				signed int _t18;
                                				signed int _t19;
                                				void* _t32;
                                
                                				_t17 = SizeofResource(0, FindResourceA(0, _a4, 0xa));
                                				if(_t17 > _a12 || _a8 == 0) {
                                					L6:
                                					return _t17;
                                				} else {
                                					if(_t17 == 0) {
                                						L4:
                                						return 0;
                                					}
                                					_t13 = LockResource(LoadResource(0, FindResourceA(0, _a4, 0xa)));
                                					if(_t13 != 0) {
                                						_t18 = _t17;
                                						_t19 = _t18 >> 2;
                                						_t32 = _t13;
                                						_t14 = memcpy(_a8, _t32, _t19 << 2);
                                						memcpy(_t32 + _t19 + _t19, _t32, _t18 & 0x00000003);
                                						FreeResource(_t14);
                                						goto L6;
                                					}
                                					goto L4;
                                				}
                                			}










                                APIs
                                • FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                • SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A4C
                                • FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                • LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A6C
                                • LockResource.KERNEL32(00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A73
                                • FreeResource.KERNEL32(00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A97
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Resource$Find$FreeLoadLockSizeof
                                • String ID:
                                • API String ID: 468261009-0
                                • Opcode ID: 60513ed6fa868ebe5019eda0ed49016e3eb50df202396a8709f0f5900e5d54f2
                                • Instruction ID: b81af5958d1d79e739a71e668ea852868a10399b4e191fd1668772ccbe63b742
                                • Opcode Fuzzy Hash: 60513ed6fa868ebe5019eda0ed49016e3eb50df202396a8709f0f5900e5d54f2
                                • Instruction Fuzzy Hash: D301D631700148BBEB339B66AC88D7F7BADFB8A791F044019F986C7144CA768880DB61
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0100383D(struct HWND__* _a4, intOrPtr _a8, int _a12) {
                                				void* _t7;
                                				void* _t11;
                                				struct HWND__* _t12;
                                				int _t18;
                                				void* _t22;
                                				struct HWND__* _t23;
                                
                                				_t7 = _a8 - 0x10;
                                				if(_t7 == 0) {
                                					EndDialog(_a4, 2);
                                					L11:
                                					return 1;
                                				}
                                				_t11 = _t7 - 0x100;
                                				if(_t11 == 0) {
                                					_t12 = GetDesktopWindow();
                                					_t23 = _a4;
                                					E01002969(_t22, _t23, _t12);
                                					SetWindowTextA(_t23, 0x100abb4);
                                					SetDlgItemTextA(_t23, 0x838,  *0x100ae64);
                                					SetForegroundWindow(_t23);
                                					goto L11;
                                				}
                                				if(_t11 == 1) {
                                					_t18 = _a12;
                                					if(_t18 < 6) {
                                						goto L11;
                                					}
                                					if(_t18 <= 7) {
                                						L8:
                                						EndDialog(_a4, _t18);
                                						return 1;
                                					}
                                					if(_t18 != 0x839) {
                                						goto L11;
                                					}
                                					 *0x100ac3c = 1;
                                					goto L8;
                                				}
                                				return 0;
                                			}










                                APIs
                                • EndDialog.USER32(?,?), ref: 01003878
                                • GetDesktopWindow.USER32 ref: 01003882
                                • SetWindowTextA.USER32(?,0100ABB4), ref: 01003898
                                • SetDlgItemTextA.USER32 ref: 010038AA
                                • SetForegroundWindow.USER32(?), ref: 010038B1
                                • EndDialog.USER32(?,00000002), ref: 010038BE
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Window$DialogText$DesktopForegroundItem
                                • String ID:
                                • API String ID: 852535152-0
                                • Opcode ID: 75a087d82200ebd705203d3342fd985e8dff23fa491e07dc86cdd8fdf240c47c
                                • Instruction ID: 5c13e9e4d6d24029a2895105e5d04483bb2c3333f3e538078e74f50813a3fb26
                                • Opcode Fuzzy Hash: 75a087d82200ebd705203d3342fd985e8dff23fa491e07dc86cdd8fdf240c47c
                                • Instruction Fuzzy Hash: 7E017C31510214AFFB675BA8D8089ED7B94FB05741F004891FAC2DA0C5CB7ACB41CBE0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                APIs
                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A4C
                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A6C
                                  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A73
                                • LocalAlloc.KERNEL32(00000040,00000001,FINISHMSG,00000000,00000000), ref: 01004672
                                • LocalFree.KERNEL32(00000000), ref: 010046C9
                                  • Part of subcall function 010038CC: MessageBoxA.USER32 ref: 01003946
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Resource$FindLocal$AllocFreeLoadLockMessageSizeof
                                • String ID: <None>$FINISHMSG
                                • API String ID: 1166655539-3091758298
                                • Opcode ID: 9fc84565805aa23d4fd31d628d8c3b998d3dee3f2991ba92e449fc6c41aa1772
                                • Instruction ID: c5b0bc608187105c25715251356598fe5d23ec77e1943fddc57e6d3d47a5b5c3
                                • Opcode Fuzzy Hash: 9fc84565805aa23d4fd31d628d8c3b998d3dee3f2991ba92e449fc6c41aa1772
                                • Instruction Fuzzy Hash: 5CF06D71241219BBF22366239C49F9B3E4CDB4A7D9F020151BBC5A50C2EAAAF400417D
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 71%
                                			E01005B71(char* _a4) {
                                				char* _t10;
                                				CHAR* _t11;
                                				void* _t12;
                                
                                				_t10 = _a4;
                                				_t12 = 0;
                                				_push(CharPrevA(_t10,  &(_t10[lstrlenA(_t10)])));
                                				while(1) {
                                					_t11 = CharPrevA(_t10, ??);
                                					if(_t11 <= _t10) {
                                						break;
                                					}
                                					if( *_t11 == 0x5c) {
                                						L5:
                                						if(_t11 == _t10 ||  *(CharPrevA(_t10, _t11)) == 0x3a) {
                                							_t11 = CharNextA(_t11);
                                						}
                                						 *_t11 =  *_t11 & 0x00000000;
                                						_t12 = 1;
                                					} else {
                                						_push(_t11);
                                						continue;
                                					}
                                					L9:
                                					return _t12;
                                				}
                                				if( *_t11 == 0x5c) {
                                					goto L5;
                                				}
                                				goto L9;
                                			}







                                APIs
                                • lstrlenA.KERNEL32(?,?,00000000,000093E2,00008EF4,0100228C,?), ref: 01005B7C
                                • CharPrevA.USER32(?,00000000), ref: 01005B8C
                                • CharPrevA.USER32(?,00000000), ref: 01005B98
                                • CharPrevA.USER32(?,00000000), ref: 01005BAB
                                • CharNextA.USER32(00000000), ref: 01005BB3
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Char$Prev$Nextlstrlen
                                • String ID:
                                • API String ID: 295585802-0
                                • Opcode ID: 4b52c76db2cf62ff621c8a08fa6ba7fb40a7dbd169611f4951299f618a72bbfa
                                • Instruction ID: 9baf6fa903052a509665a9fab5b6fb85594512577d769c7e3968725e671f5898
                                • Opcode Fuzzy Hash: 4b52c76db2cf62ff621c8a08fa6ba7fb40a7dbd169611f4951299f618a72bbfa
                                • Instruction Fuzzy Hash: 0DF0F672505A542EF7331A2D8C88E7BBFDCDB872A1F040189F6C092081DAA95C408E72
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E010017B1(struct HWND__* _a4, intOrPtr _a8, int _a12, int _a16) {
                                				char _v516;
                                				void* _t14;
                                				void* _t27;
                                
                                				_t14 = _a8 - 0x110;
                                				if(_t14 == 0) {
                                					E01002969(_t27, _a4, GetDesktopWindow());
                                					_v516 = _v516 & 0x00000000;
                                					LoadStringA( *0x100b4a4, _a16,  &_v516, 0x200);
                                					SetDlgItemTextA(_a4, 0x83f,  &_v516);
                                					MessageBeep(0xffffffff);
                                					L7:
                                					return 1;
                                				}
                                				if(_t14 == 1) {
                                					if(_a12 < 0x83d || _a12 > 0x83e) {
                                						goto L2;
                                					} else {
                                						EndDialog(_a4, _a12);
                                						goto L7;
                                					}
                                				}
                                				L2:
                                				return 0;
                                			}







                                APIs
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
                                • String ID:
                                • API String ID: 1273765764-0
                                • Opcode ID: 52c35957c5d6308ac9e5b8dfae4ee701d5fa30329f22752cf5df4afad45c4fb5
                                • Instruction ID: dbb55cd7090eff77bfa65d7c4eba401a97cfafb7d2c079e3b47d5aa362050595
                                • Opcode Fuzzy Hash: 52c35957c5d6308ac9e5b8dfae4ee701d5fa30329f22752cf5df4afad45c4fb5
                                • Instruction Fuzzy Hash: D601283140024AABFB265FA4DC4CAEA3AB8BB04745F044564BAA9950E5CBB9CB51CB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 92%
                                			E0100574A() {
                                				intOrPtr* __edi;
                                				void* __esi;
                                				void* _t25;
                                				void* _t27;
                                				void* _t28;
                                				void* _t30;
                                
                                				if(E01004B1A(_t27, _t30, _t28, 3) != 0 || E01001F6E(__ecx, __esi) == 0 && E01004B1A(__ecx, __esi, __edi, __edi) != 0) {
                                					_t25 = _t28;
                                				} else {
                                					__edi = lstrcpyA;
                                					do {
                                						__ebp - 0x104 = lstrcpyA(__ebp - 0x104, "A:\\");
                                						while(1) {
                                							__eax = __ebp - 0x104;
                                							if( *(__ebp - 0x104) > 0x5a) {
                                								goto L25;
                                							}
                                							__ebx = __eax;
                                							if(__ebx == 6 || __ebx == 3) {
                                								__eax = __ebp - 0x104;
                                								if(GetFileAttributesA(__ebp - 0x104) != 0xffffffff) {
                                									goto L16;
                                								} else {
                                									goto L10;
                                								}
                                							} else {
                                								L10:
                                								if(__ebx != 2 ||  *(__ebp - 0x104) == 0x41 ||  *(__ebp - 0x104) == 0x42) {
                                									L15:
                                									 *(__ebp - 0x104) =  *(__ebp - 0x104) + 1;
                                									continue;
                                								} else {
                                									__eax = __ebp - 0x104;
                                									__eax = E01005E13(__ebp - 0x104);
                                									if(__eax == 0 || __eax < 0x19000) {
                                										goto L15;
                                									} else {
                                										L16:
                                										__ebx = 0;
                                										__eax = __ebp - 0x104;
                                										if(L01003F0D(__ecx, __ebp - 0x104, 3, 0) != 0) {
                                											L19:
                                											__eax = __ebp - 0x104;
                                											if(E01001F6E(__ecx, __ebp - 0x104) != 0) {
                                												__ebp - 0x104 = GetWindowsDirectoryA(__ebp - 0x104, 0x104);
                                											}
                                											__ebp - 0x104 = E01005B32(__ebp - 0x104, "msdownld.tmp");
                                											__eax = __ebp - 0x104;
                                											if(E01001F4B(__ebp - 0x104) != 0) {
                                												__ebp - 0x104 = SetFileAttributesA(__ebp - 0x104, 2);
                                												__eax = __ebp - 0x104;
                                												__eax =  *__edi(__esi, __ebp - 0x104);
                                												if(E01004B1A(__ecx, __esi, 1, __ebx) != 0) {
                                													0 = 1;
                                												} else {
                                													continue;
                                												}
                                											} else {
                                												 *(__ebp - 0x104) =  *(__ebp - 0x104) + 1;
                                												 *(__ebp - 0x101) =  *(__ebp - 0x101) & __al;
                                												continue;
                                											}
                                										} else {
                                											__eax = __ebp - 0x104;
                                											if(E01001F6E(__ecx, __ebp - 0x104) != 0) {
                                												goto L15;
                                											} else {
                                												__eax = __ebp - 0x104;
                                												if(L01003F0D(__ecx, __ebp - 0x104, 1, 0) == 0) {
                                													goto L15;
                                												} else {
                                													goto L19;
                                												}
                                											}
                                										}
                                									}
                                								}
                                							}
                                							goto L28;
                                						}
                                						L25:
                                						__eax = __ebp - 0x104;
                                					} while (L01003F0D(__ecx, __ebp - 0x104, 3, 4) != 0);
                                					_t25 = 0;
                                				}
                                				L28:
                                				return _t25;
                                			}









                                APIs
                                  • Part of subcall function 01004B1A: lstrcpyA.KERNEL32(0100AC44,?), ref: 01004B50
                                  • Part of subcall function 01004B1A: GetSystemInfo.KERNEL32(?), ref: 01004B63
                                  • Part of subcall function 01004B1A: CreateDirectoryA.KERNEL32(0100AC44,00000000,0100AC44), ref: 01004BC2
                                  • Part of subcall function 01001F6E: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 01001F83
                                • lstrcpyA.KERNEL32(?,A:\,?,00000000), ref: 01005786
                                • GetWindowsDirectoryA.KERNEL32(0000005A,00000104), ref: 010058B3
                                  • Part of subcall function 01004B1A: lstrcpyA.KERNEL32(0100AC44,?), ref: 01004BB0
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Directorylstrcpy$Windows$CreateInfoSystem
                                • String ID: A:\$Z
                                • API String ID: 2744348198-601297081
                                • Opcode ID: bd97c582a19bf4a8aac0ed33a7449fd41b5764a0179647c976067643fc9636de
                                • Instruction ID: bd84d2b7fd027f326ef7c85c95c79e266c19ac364aec338efe15e5d965e41be0
                                • Opcode Fuzzy Hash: bd97c582a19bf4a8aac0ed33a7449fd41b5764a0179647c976067643fc9636de
                                • Instruction Fuzzy Hash: 2FF09671744655E6FF33A665AD84FEE26AC6B95744F0000A1F7C4F50C1E6F4D2418F15
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E01002E6F(void* __ecx, void* __eflags) {
                                				void* _t6;
                                				CHAR* _t11;
                                
                                				_t11 = "CABINET";
                                				 *0x100aba4 = E01002A34(_t11, 0, 0);
                                				_t6 = LockResource(LoadResource(0, FindResourceA(0, _t11, 0xa)));
                                				 *0x100aba0 = _t6;
                                				return 0 | _t6 != 0x00000000;
                                			}





                                APIs
                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A48
                                  • Part of subcall function 01002A34: SizeofResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A4C
                                  • Part of subcall function 01002A34: FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 01002A68
                                  • Part of subcall function 01002A34: LoadResource.KERNEL32(00000000,00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A6C
                                  • Part of subcall function 01002A34: LockResource.KERNEL32(00000000,?,01004C70,TITLE,0100ABB4,0000007F,?,00000000), ref: 01002A73
                                • FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 01002E89
                                • LoadResource.KERNEL32(00000000,00000000), ref: 01002E92
                                • LockResource.KERNEL32(00000000), ref: 01002E99
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Resource$Find$LoadLock$Sizeof
                                • String ID: CABINET
                                • API String ID: 1933721802-1940454314
                                • Opcode ID: fee46d4037bcf492714a1928356b3615369b2f8f05e7677fcc6bc0c80cc05536
                                • Instruction ID: f41c840c6a8244764c1701102c9fef1f774684e0028f7af970c8500be1e35917
                                • Opcode Fuzzy Hash: fee46d4037bcf492714a1928356b3615369b2f8f05e7677fcc6bc0c80cc05536
                                • Instruction Fuzzy Hash: 3EE08C71B42310ABE326ABB1AC1DB8B3A58AB19751F000416F286DA0C4CBBA84008791
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E01001946(void* __ecx) {
                                				void* _v8;
                                				long _t4;
                                
                                				if( *0x100a2e0 != 0) {
                                					_t4 = RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0x20006,  &_v8);
                                					if(_t4 == 0) {
                                						RegDeleteValueA(_v8, 0x100a2e0);
                                						return RegCloseKey(_v8);
                                					}
                                				}
                                				return _t4;
                                			}





                                APIs
                                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,?), ref: 01001968
                                • RegDeleteValueA.ADVAPI32(?,0100A2E0), ref: 0100197A
                                • RegCloseKey.ADVAPI32(?), ref: 01001983
                                Strings
                                • Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 0100195E
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: CloseDeleteOpenValue
                                • String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce
                                • API String ID: 849931509-2045179639
                                • Opcode ID: 458768e2f170180f9e320fe5dbc18e42d63c941c0fb649dab67b6fa9c1c2255c
                                • Instruction ID: ccbb5ff6748fd46fc05444b67dc659029424084cb7ec84c162ec529ad60e6887
                                • Opcode Fuzzy Hash: 458768e2f170180f9e320fe5dbc18e42d63c941c0fb649dab67b6fa9c1c2255c
                                • Instruction Fuzzy Hash: D3E04F30740358FBF733CB959D0EF697AACA700788F100058F2C1A1095D7F6D5009714
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E01003A7A(CHAR* _a4) {
                                				CHAR* _t7;
                                				void* _t9;
                                				void* _t18;
                                
                                				_t18 = LocalAlloc(0x40, 8);
                                				if(_t18 != 0) {
                                					_t7 = LocalAlloc(0x40, lstrlenA(_a4) + 1);
                                					 *_t18 = _t7;
                                					if(_t7 != 0) {
                                						lstrcpyA(_t7, _a4);
                                						_t9 =  *0x100ac40; // 0x0
                                						 *(_t18 + 4) = _t9;
                                						 *0x100ac40 = _t18;
                                						return 1;
                                					}
                                					E010038CC( *0x100aa4c, 0x4b5, 0, 0, 0x10, 0);
                                					LocalFree(_t18);
                                					L4:
                                					return 0;
                                				}
                                				E010038CC( *0x100aa4c, 0x4b5, 0, 0, 0x10, 0);
                                				goto L4;
                                			}






                                APIs
                                • LocalAlloc.KERNEL32(00000040,00000008), ref: 01003A87
                                • lstrlenA.KERNEL32(?), ref: 01003AAC
                                • LocalAlloc.KERNEL32(00000040,00000001), ref: 01003AB6
                                • LocalFree.KERNEL32(00000000,000004B5,00000000,00000000,00000010,00000000), ref: 01003AD4
                                  • Part of subcall function 010038CC: MessageBoxA.USER32 ref: 01003946
                                • lstrcpyA.KERNEL32(00000000,?), ref: 01003AE3
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Local$Alloc$FreeMessagelstrcpylstrlen
                                • String ID:
                                • API String ID: 3247521446-0
                                • Opcode ID: 1c252e24ed27c8a3c89f68d47637d6c558a56de84ee84e0859bd78fbfeca7fcd
                                • Instruction ID: be99e61ba3297938531ad782b9381de073ce5d9bd08aee7874bfad80a1221b46
                                • Opcode Fuzzy Hash: 1c252e24ed27c8a3c89f68d47637d6c558a56de84ee84e0859bd78fbfeca7fcd
                                • Instruction Fuzzy Hash: FB015EB1740305AFE3239F649C85E6A76ACFB55755F014425F3C5A6084D6BA88508B24
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0100366A(long _a4, intOrPtr _a12, void* _a16) {
                                				struct _OVERLAPPED* _v8;
                                				long _v12;
                                				char _v272;
                                				long _t25;
                                				void* _t27;
                                
                                				_v8 = 1;
                                				_v12 = 0;
                                				lstrcpyA( &_v272, 0x100ac44);
                                				E01005B32( &_v272, _a12);
                                				_t27 = CreateFileA( &_v272, 0x40000000, 0, 0, 2, 0x80, 0);
                                				if(_t27 != 0xffffffff) {
                                					_t25 = _a4;
                                					if(WriteFile(_t27, _a16, _t25,  &_v12, 0) == 0 || _t25 != _v12) {
                                						 *0x100aa5c = 0x80070052;
                                						_v8 = 0;
                                					}
                                					CloseHandle(_t27);
                                				} else {
                                					 *0x100aa5c = 0x80070052;
                                					_v8 = 0;
                                				}
                                				return _v8;
                                			}








                                APIs
                                • lstrcpyA.KERNEL32(?,0100AC44), ref: 0100368D
                                  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?), ref: 010036B8
                                • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 010036E2
                                • CloseHandle.KERNEL32(00000000), ref: 010036FF
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Filelstrcpy$CharCloseCreateHandlePrevWritelstrlen
                                • String ID:
                                • API String ID: 3080743287-0
                                • Opcode ID: f3c43e67ddf95b47fdb9e484ccd9ecd1a78d65d94e8c236f23dda56cc12f1390
                                • Instruction ID: 19b174ac764301658f5366c9defac34423b59d1cd1d6115009132bdfdfa86dce
                                • Opcode Fuzzy Hash: f3c43e67ddf95b47fdb9e484ccd9ecd1a78d65d94e8c236f23dda56cc12f1390
                                • Instruction Fuzzy Hash: 48114F71900218EBDB22DF55DC88EDE7F7CFB49760F108155F58596184C7B59A84CFA0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0100288F(void* _a4) {
                                				struct HWND__* _v8;
                                				struct tagMSG _v36;
                                				int _t10;
                                
                                				_v8 = 0;
                                				while(1) {
                                					_t10 = MsgWaitForMultipleObjects(1,  &_a4, 0, 0xffffffff, 0xff);
                                					if(_t10 == 0) {
                                						break;
                                					}
                                					if(PeekMessageA( &_v36, 0, 0, 0, 1) == 0) {
                                						continue;
                                					} else {
                                						do {
                                							if(_v36.message != 0x12) {
                                								DispatchMessageA( &_v36);
                                							} else {
                                								_v8 = 1;
                                							}
                                							_t10 = PeekMessageA( &_v36, 0, 0, 0, 1);
                                						} while (_t10 != 0);
                                						if(_v8 == 0) {
                                							continue;
                                						}
                                					}
                                					break;
                                				}
                                				return _t10;
                                			}






                                APIs
                                • MsgWaitForMultipleObjects.USER32 ref: 010028B3
                                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010028C5
                                • DispatchMessageA.USER32 ref: 010028DA
                                • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 010028E8
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Message$Peek$DispatchMultipleObjectsWait
                                • String ID:
                                • API String ID: 2776232527-0
                                • Opcode ID: a56fe23e79c58ba78c4517e1b38a4719a0d3d39021dba4458620cccc97c02652
                                • Instruction ID: 9019c9b4a7aa9e97d921e157395a9add37c16d99774a71cba0f29cd9f7e0b4b7
                                • Opcode Fuzzy Hash: a56fe23e79c58ba78c4517e1b38a4719a0d3d39021dba4458620cccc97c02652
                                • Instruction Fuzzy Hash: E1012176D01219BABF218A999D48CEB7ABCEA85654F14016ABA41E2084E634D600C771
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 77%
                                			E01004161(struct HINSTANCE__* _a4, CHAR* _a8, struct HWND__* _a12, _Unknown_base(*)()* _a16, intOrPtr _a20, int _a24) {
                                				struct HRSRC__* _t8;
                                				void* _t15;
                                				struct HINSTANCE__* _t16;
                                				int _t17;
                                
                                				_t16 = _a4;
                                				_t8 = FindResourceA(_t16, _a8, 5);
                                				if(_t8 == 0) {
                                					L6:
                                					E010038CC(0, 0x4fb, 0, 0, 0x10, 0);
                                					_t17 = _a24;
                                				} else {
                                					_t15 = LoadResource(_t16, _t8);
                                					if(_t15 == 0) {
                                						goto L6;
                                					} else {
                                						if(_a20 != 0) {
                                							_push(_a20);
                                						} else {
                                							_push(0);
                                						}
                                						_t17 = DialogBoxIndirectParamA(_t16, _t15, _a12, _a16);
                                						FreeResource(_t15);
                                						if(_t17 == 0xffffffff) {
                                							goto L6;
                                						}
                                					}
                                				}
                                				return _t17;
                                			}








                                APIs
                                • FindResourceA.KERNEL32(00000000,?,00000005), ref: 01004170
                                • LoadResource.KERNEL32(00000000,00000000,?,01004E32,000007D6,00000000,010017B1,00000547,0000083E,?,?,00000000), ref: 0100417E
                                • DialogBoxIndirectParamA.USER32 ref: 0100419D
                                • FreeResource.KERNEL32(00000000,?,01004E32,000007D6,00000000,010017B1,00000547,0000083E,?,?,00000000), ref: 010041A6
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: Resource$DialogFindFreeIndirectLoadParam
                                • String ID:
                                • API String ID: 1214682469-0
                                • Opcode ID: e997d8be0718b2931c3f9f962151c7850337d5e5bb85679e49a3f60c032731a3
                                • Instruction ID: 90e970f1d2589a349edb739379ec95ef873ddad6063cdbf399ebe6a889d0bac2
                                • Opcode Fuzzy Hash: e997d8be0718b2931c3f9f962151c7850337d5e5bb85679e49a3f60c032731a3
                                • Instruction Fuzzy Hash: 21018172300219BFEB235FA9AC88DEF7AADEB553A4F014465FB81A6080C7758C5087E4
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0100370F(CHAR* _a4) {
                                				char _v264;
                                				signed char _t14;
                                
                                				lstrcpyA( &_v264, 0x100ac44);
                                				E01005B32( &_v264, _a4);
                                				_t14 = GetFileAttributesA( &_v264);
                                				if(_t14 == 0xffffffff || (_t14 & 0x00000010) != 0) {
                                					return LoadLibraryA(_a4);
                                				} else {
                                					return LoadLibraryExA( &_v264, 0, 8);
                                				}
                                			}






                                APIs
                                • lstrcpyA.KERNEL32(?,0100AC44), ref: 01003724
                                  • Part of subcall function 01005B32: lstrlenA.KERNEL32(01003456,0000002F,0100B89A,01003456,0100B89A,01001251), ref: 01005B39
                                  • Part of subcall function 01005B32: CharPrevA.USER32(01003456,00000000), ref: 01005B49
                                  • Part of subcall function 01005B32: lstrcpyA.KERNEL32(00000000,?), ref: 01005B66
                                • GetFileAttributesA.KERNEL32(?,?,?), ref: 01003740
                                • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0100375A
                                • LoadLibraryA.KERNEL32(?), ref: 01003765
                                Memory Dump Source
                                • Source File: 00000005.00000002.666611502.0000000001001000.00000020.00020000.sdmp, Offset: 01000000, based on PE: true
                                • Associated: 00000005.00000002.666593301.0000000001000000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666683739.000000000100A000.00000008.00020000.sdmp
                                • Associated: 00000005.00000002.666708561.000000000100C000.00000002.00020000.sdmp
                                • Associated: 00000005.00000002.666767404.0000000001013000.00000002.00020000.sdmp
                                Similarity
                                • API ID: LibraryLoadlstrcpy$AttributesCharFilePrevlstrlen
                                • String ID:
                                • API String ID: 4003292530-0
                                • Opcode ID: 2a1abe798eeda10e1ecd94666a9ff7b2e6d0c61b8320ab0a73d9c68e693d9404
                                • Instruction ID: 9f94e3723cca4d266b99732e7a80262a7a37e234bfc11ab39ee7921fbbd2d32f
                                • Opcode Fuzzy Hash: 2a1abe798eeda10e1ecd94666a9ff7b2e6d0c61b8320ab0a73d9c68e693d9404
                                • Instruction Fuzzy Hash: E8F05EB4900608AFEB22AB64DE89EC97B68BB14305F404590F2C9E50C0D7B9E6898F50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Executed Functions

                                C-Code - Quality: 100%
                                			E00553582(char _a4) {
                                				intOrPtr _v8;
                                				void* _t5;
                                
                                				_t1 =  &_a4; // 0x562761
                                				_v8 = 0;
                                				_t5 = E0055D501( *_t1); // executed
                                				return _t5;
                                			}






                                APIs
                                • _free.LIBCMT ref: 00553595
                                  • Part of subcall function 0055D501: RtlFreeHeap.NTDLL(00000000,00000000,?,00559290), ref: 0055D517
                                  • Part of subcall function 0055D501: GetLastError.KERNEL32(?,?,00559290), ref: 0055D529
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: ErrorFreeHeapLast_free
                                • String ID: a'V
                                • API String ID: 1353095263-4003020449
                                • Opcode ID: 791e719d15d0e18bc717c4a9d0df73e002dc8a298672f0b032592ad6a0eaea14
                                • Instruction ID: a63a365440c9121119cc30cf061ee89fb7e8d9453ef458161946fb3777ec05c7
                                • Opcode Fuzzy Hash: 791e719d15d0e18bc717c4a9d0df73e002dc8a298672f0b032592ad6a0eaea14
                                • Instruction Fuzzy Hash: CCC08C32000208BBCB009B41C80AE4E7FB8EB80368F200044F80057240DAB2FF049690
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0055EAC5(signed int _a4, signed int _a8) {
                                				void* _t8;
                                				signed int _t13;
                                				signed int _t18;
                                				long _t19;
                                
                                				_t18 = _a4;
                                				if(_t18 == 0) {
                                					L2:
                                					_t19 = _t18 * _a8;
                                					if(_t19 == 0) {
                                						_t19 = _t19 + 1;
                                					}
                                					while(1) {
                                						_t8 = RtlAllocateHeap( *0x5fa0a0, 8, _t19); // executed
                                						if(_t8 != 0) {
                                							break;
                                						}
                                						__eflags = E00559818();
                                						if(__eflags == 0) {
                                							L8:
                                							 *((intOrPtr*)(E0054E7E1(__eflags))) = 0xc;
                                							__eflags = 0;
                                							return 0;
                                						}
                                						__eflags = E00558650(__eflags, _t19);
                                						if(__eflags == 0) {
                                							goto L8;
                                						}
                                					}
                                					return _t8;
                                				}
                                				_t13 = 0xffffffe0;
                                				if(_t13 / _t18 < _a8) {
                                					goto L8;
                                				}
                                				goto L2;
                                			}








                                APIs
                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0055DD3D,00000001,00000364,00000006,000000FF,?,?,0054E7E6,0055D527,?,?,00559290), ref: 0055EB06
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: b7d227a28879b9232e530f943a48a5b05eb139598b0c17ef8595298e7d361d11
                                • Instruction ID: 24a28c47be685795264c4590880efe85fe5b29ed4247e858de33be1627e7028c
                                • Opcode Fuzzy Hash: b7d227a28879b9232e530f943a48a5b05eb139598b0c17ef8595298e7d361d11
                                • Instruction Fuzzy Hash: 27F0BE316012256BDF2D5F32DC2BB6A3F49BF81773F148523BC19A6191CA30DE08A2E1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0055D53B(long _a4) {
                                				void* _t4;
                                				long _t8;
                                
                                				_t8 = _a4;
                                				if(_t8 > 0xffffffe0) {
                                					L7:
                                					 *((intOrPtr*)(E0054E7E1(__eflags))) = 0xc;
                                					__eflags = 0;
                                					return 0;
                                				}
                                				if(_t8 == 0) {
                                					_t8 = _t8 + 1;
                                				}
                                				while(1) {
                                					_t4 = RtlAllocateHeap( *0x5fa0a0, 0, _t8); // executed
                                					if(_t4 != 0) {
                                						break;
                                					}
                                					__eflags = E00559818();
                                					if(__eflags == 0) {
                                						goto L7;
                                					}
                                					__eflags = E00558650(__eflags, _t8);
                                					if(__eflags == 0) {
                                						goto L7;
                                					}
                                				}
                                				return _t4;
                                			}






                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,?,?,?,0055E854,00001000,00000000,?,00000000,?,00557C40,00000000,00000000,00000000,00000000,?), ref: 0055D56D
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: c7f58fded1daf466656f6ec1ef2d2fe246cfd89e719df18f363ca81d2c6d12cd
                                • Instruction ID: 77479f27214760e9b121627e22d4f552f86ded39091d0660ba3deb64dc39eba7
                                • Opcode Fuzzy Hash: c7f58fded1daf466656f6ec1ef2d2fe246cfd89e719df18f363ca81d2c6d12cd
                                • Instruction Fuzzy Hash: 2CE0E577501212AAD73126659C2976A3F68BB413F6F200113FC0592090EB10CC0CD5F5
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Non-executed Functions

                                C-Code - Quality: 74%
                                			E0054E26C(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                				char _v0;
                                				signed int _v8;
                                				intOrPtr _v524;
                                				intOrPtr _v528;
                                				void* _v532;
                                				intOrPtr _v536;
                                				char _v540;
                                				intOrPtr _v544;
                                				intOrPtr _v548;
                                				intOrPtr _v552;
                                				intOrPtr _v556;
                                				intOrPtr _v560;
                                				intOrPtr _v564;
                                				intOrPtr _v568;
                                				intOrPtr _v572;
                                				intOrPtr _v576;
                                				intOrPtr _v580;
                                				intOrPtr _v584;
                                				char _v724;
                                				intOrPtr _v792;
                                				intOrPtr _v800;
                                				char _v804;
                                				struct _EXCEPTION_POINTERS _v812;
                                				signed int _t40;
                                				char* _t47;
                                				char* _t49;
                                				intOrPtr _t61;
                                				intOrPtr _t62;
                                				intOrPtr _t66;
                                				intOrPtr _t67;
                                				int _t68;
                                				intOrPtr _t70;
                                				signed int _t72;
                                				signed int _t74;
                                
                                				_t70 = __esi;
                                				_t67 = __edi;
                                				_t66 = __edx;
                                				_t61 = __ebx;
                                				_t72 = _t74;
                                				_t40 = E005EA214; // 0x21f212cc
                                				_t41 = _t40 ^ _t72;
                                				_v8 = _t40 ^ _t72;
                                				_push(__edi);
                                				if(_a4 != 0xffffffff) {
                                					_push(_a4);
                                					E00496BDD(_t41);
                                					_pop(_t62);
                                				}
                                				E00548E00(_t67,  &_v804, 0, 0x50);
                                				E00548E00(_t67,  &_v724, 0, 0x2cc);
                                				_v812.ExceptionRecord =  &_v804;
                                				_t47 =  &_v724;
                                				_v812.ContextRecord = _t47;
                                				_v548 = _t47;
                                				_v552 = _t62;
                                				_v556 = _t66;
                                				_v560 = _t61;
                                				_v564 = _t70;
                                				_v568 = _t67;
                                				_v524 = ss;
                                				_v536 = cs;
                                				_v572 = ds;
                                				_v576 = es;
                                				_v580 = fs;
                                				_v584 = gs;
                                				asm("pushfd");
                                				_pop( *_t22);
                                				_v540 = _v0;
                                				_t49 =  &_v0;
                                				_v528 = _t49;
                                				_v724 = 0x10001;
                                				_v544 =  *((intOrPtr*)(_t49 - 4));
                                				_v804 = _a8;
                                				_v800 = _a12;
                                				_v792 = _v0;
                                				_t68 = IsDebuggerPresent();
                                				SetUnhandledExceptionFilter(0);
                                				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
                                					_push(_a4);
                                					E00496BDD(_t57);
                                				}
                                				return E004958E2(_v8 ^ _t72);
                                			}






































                                APIs
                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0054E364
                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0054E36E
                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0054E37B
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                • Opcode ID: 456f606df972fe7a5ca5e5b26c6cb2b21c2157e1cf4f2369bb008534290b8943
                                • Instruction ID: b27e548b2e0ca400786c36df63eff03ae692b8f1c638e5666fe603f75e92c27e
                                • Opcode Fuzzy Hash: 456f606df972fe7a5ca5e5b26c6cb2b21c2157e1cf4f2369bb008534290b8943
                                • Instruction Fuzzy Hash: 9F31D27490132D9BCB21DF24D889BCDBBB8BF58314F5046EAE41CA7251EB749B858F44
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00556384(int _a4) {
                                				void* _t14;
                                
                                				if(E0055F4B5(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                                					TerminateProcess(GetCurrentProcess(), _a4);
                                				}
                                				E005563C6(_t14, _a4);
                                				ExitProcess(_a4);
                                			}





                                APIs
                                • GetCurrentProcess.KERNEL32(?,?,00556383,?,?,?,?), ref: 005563A6
                                • TerminateProcess.KERNEL32(00000000,?,00556383,?,?,?,?), ref: 005563AD
                                • ExitProcess.KERNEL32 ref: 005563BF
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID:
                                • API String ID: 1703294689-0
                                • Opcode ID: f2f537f3469fc19e322afacf4110ab6877b9847593f67c31dd344acc412312f8
                                • Instruction ID: bad3dbd9577faadd5e9081568a73359870e1a001a245f7067a9450170a77f1a6
                                • Opcode Fuzzy Hash: f2f537f3469fc19e322afacf4110ab6877b9847593f67c31dd344acc412312f8
                                • Instruction Fuzzy Hash: 2EE0B631000198AFEF216F54EE2DA4A3F69FB55342B514825FD1987232CB7ADD89EB90
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0055F471(void* __ecx) {
                                				signed int _v8;
                                				intOrPtr _t10;
                                				signed int _t18;
                                
                                				_t18 =  *0x5f9f9c; // 0x1
                                				if(_t18 == 0) {
                                					_v8 = _v8 & _t18;
                                					_t18 = _t18 + 1;
                                					_t10 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                					_t21 =  *((intOrPtr*)(_t10 + 8));
                                					if( *((intOrPtr*)(_t10 + 8)) >= 0) {
                                						E0055EF4C(_t21,  &_v8);
                                						if(_v8 == _t18) {
                                							_t18 = 2;
                                						}
                                					}
                                					 *0x5f9f9c = _t18;
                                				}
                                				return _t18;
                                			}







                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2fbda5b9496a1e7ffdbbefbb77b4942e6adfca24e9012df7d77da504db62ca25
                                • Instruction ID: dc65573dda4c58129f49db9d7e27b2c55c5ef5d52941242cdcb86d01050f036e
                                • Opcode Fuzzy Hash: 2fbda5b9496a1e7ffdbbefbb77b4942e6adfca24e9012df7d77da504db62ca25
                                • Instruction Fuzzy Hash: 37F08C32610224DFCF268748C805AAAB6AAEB44B22F1140A6A944D7240C7749E04C7D0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0055F4B5(void* __ecx) {
                                				char _v8;
                                				intOrPtr _t7;
                                				char _t13;
                                
                                				_t13 = 0;
                                				_v8 = 0;
                                				_t7 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                                				_t16 =  *((intOrPtr*)(_t7 + 8));
                                				if( *((intOrPtr*)(_t7 + 8)) < 0) {
                                					L2:
                                					_t13 = 1;
                                				} else {
                                					E0055EF0C(_t16,  &_v8);
                                					if(_v8 != 1) {
                                						goto L2;
                                					}
                                				}
                                				return _t13;
                                			}







                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 794e4035ad947a19ea7fd98e1d0f4e34cbcc44065160e7783872e226e18c8c4c
                                • Instruction ID: 4dfe1891ab077b7504078f70e6fe07baa75e7f387aa03a1e4ecb90e2c4cd7f63
                                • Opcode Fuzzy Hash: 794e4035ad947a19ea7fd98e1d0f4e34cbcc44065160e7783872e226e18c8c4c
                                • Instruction Fuzzy Hash: 8EE08C32911238EBCB25DB88C918D8AF7ECFB84B01B1140A7B902D3100C670DE04C7D0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 26252e3aa6c8f425724ee4a2664ad039278ecd22f9e52a04c6f0b2ba3e2fd7a3
                                • Instruction ID: 7bb3ea306551a81a0f53bdf26b0331f7caeb7ac18ffd24526536acb85cb13af0
                                • Opcode Fuzzy Hash: 26252e3aa6c8f425724ee4a2664ad039278ecd22f9e52a04c6f0b2ba3e2fd7a3
                                • Instruction Fuzzy Hash: 16B012355001004BA74ACE24ED120A332B377B630071ACCB9E003C90B4D63E9105D504
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00562803(intOrPtr _a4) {
                                				intOrPtr _v8;
                                				intOrPtr _t25;
                                				intOrPtr* _t26;
                                				intOrPtr _t28;
                                				intOrPtr* _t29;
                                				intOrPtr* _t31;
                                				intOrPtr* _t45;
                                				intOrPtr* _t46;
                                				intOrPtr* _t47;
                                				intOrPtr* _t55;
                                				intOrPtr* _t70;
                                				intOrPtr _t74;
                                
                                				_t74 = _a4;
                                				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                                				if(_t25 != 0 && _t25 != 0x5edf70) {
                                					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                                					if(_t45 != 0 &&  *_t45 == 0) {
                                						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                                						if(_t46 != 0 &&  *_t46 == 0) {
                                							E0055D501(_t46);
                                							E005619AA( *((intOrPtr*)(_t74 + 0x88)));
                                						}
                                						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                                						if(_t47 != 0 &&  *_t47 == 0) {
                                							E0055D501(_t47);
                                							E00561E5F( *((intOrPtr*)(_t74 + 0x88)));
                                						}
                                						E0055D501( *((intOrPtr*)(_t74 + 0x7c)));
                                						E0055D501( *((intOrPtr*)(_t74 + 0x88)));
                                					}
                                				}
                                				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                                				if(_t26 != 0 &&  *_t26 == 0) {
                                					E0055D501( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                                					E0055D501( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                                					E0055D501( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                                					E0055D501( *((intOrPtr*)(_t74 + 0x8c)));
                                				}
                                				E00562974( *((intOrPtr*)(_t74 + 0x9c)));
                                				_t28 = 6;
                                				_t55 = _t74 + 0xa0;
                                				_v8 = _t28;
                                				_t70 = _t74 + 0x28;
                                				do {
                                					if( *((intOrPtr*)(_t70 - 8)) != 0x5ee158) {
                                						_t31 =  *_t70;
                                						if(_t31 != 0 &&  *_t31 == 0) {
                                							E0055D501(_t31);
                                							E0055D501( *_t55);
                                						}
                                						_t28 = _v8;
                                					}
                                					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                                						_t22 = _t70 - 4; // 0xfffffe54
                                						_t29 =  *_t22;
                                						if(_t29 != 0 &&  *_t29 == 0) {
                                							E0055D501(_t29);
                                						}
                                						_t28 = _v8;
                                					}
                                					_t55 = _t55 + 4;
                                					_t70 = _t70 + 0x10;
                                					_t28 = _t28 - 1;
                                					_v8 = _t28;
                                				} while (_t28 != 0);
                                				return E0055D501(_t74);
                                			}
















                                APIs
                                • ___free_lconv_mon.LIBCMT ref: 00562847
                                  • Part of subcall function 005619AA: _free.LIBCMT ref: 005619C7
                                  • Part of subcall function 005619AA: _free.LIBCMT ref: 005619D9
                                  • Part of subcall function 005619AA: _free.LIBCMT ref: 005619EB
                                  • Part of subcall function 005619AA: _free.LIBCMT ref: 005619FD
                                  • Part of subcall function 005619AA: _free.LIBCMT ref: 00561A0F
                                  • Part of subcall function 005619AA: _free.LIBCMT ref: 00561A21
                                  • Part of subcall function 005619AA: _free.LIBCMT ref: 00561A33
                                  • Part of subcall function 005619AA: _free.LIBCMT ref: 00561A45
                                  • Part of subcall function 005619AA: _free.LIBCMT ref: 00561A57
                                  • Part of subcall function 005619AA: _free.LIBCMT ref: 00561A69
                                  • Part of subcall function 005619AA: _free.LIBCMT ref: 00561A7B
                                  • Part of subcall function 005619AA: _free.LIBCMT ref: 00561A8D
                                  • Part of subcall function 005619AA: _free.LIBCMT ref: 00561A9F
                                • _free.LIBCMT ref: 0056283C
                                  • Part of subcall function 0055D501: RtlFreeHeap.NTDLL(00000000,00000000,?,00559290), ref: 0055D517
                                  • Part of subcall function 0055D501: GetLastError.KERNEL32(?,?,00559290), ref: 0055D529
                                • _free.LIBCMT ref: 0056285E
                                • _free.LIBCMT ref: 00562873
                                • _free.LIBCMT ref: 0056287E
                                • _free.LIBCMT ref: 005628A0
                                • _free.LIBCMT ref: 005628B3
                                • _free.LIBCMT ref: 005628C1
                                • _free.LIBCMT ref: 005628CC
                                • _free.LIBCMT ref: 00562904
                                • _free.LIBCMT ref: 0056290B
                                • _free.LIBCMT ref: 00562928
                                • _free.LIBCMT ref: 00562940
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                • String ID:
                                • API String ID: 161543041-0
                                • Opcode ID: 7a53281215c4f4628e913d6ea0c0e715d769ab006178bf41000a37f5f4aff1f9
                                • Instruction ID: 00fbff171b5b93d75f5d4b13939f604b85bce1e294e399cac1fc447528f48f1d
                                • Opcode Fuzzy Hash: 7a53281215c4f4628e913d6ea0c0e715d769ab006178bf41000a37f5f4aff1f9
                                • Instruction Fuzzy Hash: 07314D32600B029FEB35AA39DC49B5A7BE9BF80315F14442AE859D7161EE35FD84CB21
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 62%
                                			E00546F60(void* __ecx, void* __eflags, signed int _a4, intOrPtr _a8, intOrPtr _a12) {
                                				char _v5;
                                				signed int _v8;
                                				signed int _v12;
                                				char _v16;
                                				intOrPtr _v20;
                                				intOrPtr _v24;
                                				intOrPtr _v28;
                                				char _v32;
                                				void* __edi;
                                				void* __esi;
                                				void* __ebp;
                                				void* _t68;
                                				signed int _t75;
                                				intOrPtr _t76;
                                				void* _t77;
                                				signed int _t78;
                                				intOrPtr _t80;
                                				signed int _t83;
                                				signed int _t87;
                                				intOrPtr* _t90;
                                				intOrPtr _t91;
                                				intOrPtr _t92;
                                				signed int _t95;
                                				char _t97;
                                				signed int _t103;
                                				signed int _t104;
                                				signed int _t112;
                                				void* _t114;
                                				intOrPtr _t115;
                                				intOrPtr _t116;
                                				signed int _t118;
                                				void* _t119;
                                				void* _t120;
                                				void* _t127;
                                
                                				_t90 = _a4;
                                				_v5 = 0;
                                				_v16 = 1;
                                				 *_t90 = E0057113A(__ecx,  *_t90);
                                				_t91 = _a8;
                                				_t6 = _t91 + 0x10; // 0x11
                                				_t116 = _t6;
                                				_push(_t116);
                                				_v20 = _t116;
                                				_v12 =  *(_t91 + 8) ^ E005EA214;
                                				E00546F20(_t114, _t116,  *(_t91 + 8) ^ E005EA214);
                                				E0054AB5C(_a12);
                                				_t68 = _a4;
                                				_t120 = _t119 + 0x10;
                                				_t115 =  *((intOrPtr*)(_t91 + 0xc));
                                				if(( *(_t68 + 4) & 0x00000066) != 0) {
                                					__eflags = _t115 - 0xfffffffe;
                                					if(_t115 != 0xfffffffe) {
                                						E0054AD0C(_t91, 0xfffffffe, _t116,  &E005EA214);
                                						goto L13;
                                					}
                                					goto L14;
                                				} else {
                                					_v32 = _t68;
                                					_v28 = _a12;
                                					 *((intOrPtr*)(_t91 - 4)) =  &_v32;
                                					if(_t115 == 0xfffffffe) {
                                						L14:
                                						return _v16;
                                					} else {
                                						do {
                                							_t95 = _v12;
                                							_t75 = _t115 + (_t115 + 2) * 2;
                                							_t92 =  *((intOrPtr*)(_t95 + _t75 * 4));
                                							_t76 = _t95 + _t75 * 4;
                                							_t96 =  *((intOrPtr*)(_t76 + 4));
                                							_v24 = _t76;
                                							if( *((intOrPtr*)(_t76 + 4)) == 0) {
                                								_t97 = _v5;
                                								goto L7;
                                							} else {
                                								_t77 = E0054ACBC(_t96, _t116);
                                								_t97 = 1;
                                								_v5 = 1;
                                								_t127 = _t77;
                                								if(_t127 < 0) {
                                									_v16 = 0;
                                									L13:
                                									_push(_t116);
                                									E00546F20(_t115, _t116, _v12);
                                									goto L14;
                                								} else {
                                									if(_t127 > 0) {
                                										_t78 = _a4;
                                										__eflags =  *_t78 - 0xe06d7363;
                                										if( *_t78 == 0xe06d7363) {
                                											__eflags =  *0x5b8c68;
                                											if(__eflags != 0) {
                                												_t87 = E0056D050(__eflags, 0x5b8c68);
                                												_t120 = _t120 + 4;
                                												__eflags = _t87;
                                												if(_t87 != 0) {
                                													_t118 =  *0x5b8c68; // 0x5470be
                                													 *0x57b3d4(_a4, 1);
                                													 *_t118();
                                													_t116 = _v20;
                                													_t120 = _t120 + 8;
                                												}
                                												_t78 = _a4;
                                											}
                                										}
                                										E0054ACF0(_t78, _a8, _t78);
                                										_t80 = _a8;
                                										__eflags =  *((intOrPtr*)(_t80 + 0xc)) - _t115;
                                										if( *((intOrPtr*)(_t80 + 0xc)) != _t115) {
                                											E0054AD0C(_t80, _t115, _t116,  &E005EA214);
                                											_t80 = _a8;
                                										}
                                										_push(_t116);
                                										 *((intOrPtr*)(_t80 + 0xc)) = _t92;
                                										E00546F20(_t115, _t116, _v12);
                                										E0054ACD4();
                                										asm("int3");
                                										E00496DD0(0x5e6670, 8);
                                										_t83 = _a4;
                                										__eflags = _t83;
                                										if(_t83 != 0) {
                                											__eflags =  *_t83 - 0xe06d7363;
                                											if( *_t83 == 0xe06d7363) {
                                												__eflags =  *((intOrPtr*)(_t83 + 0x10)) - 3;
                                												if( *((intOrPtr*)(_t83 + 0x10)) == 3) {
                                													__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930520;
                                													if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930520) {
                                														L28:
                                														_t103 =  *(_t83 + 0x1c);
                                														__eflags = _t103;
                                														if(_t103 != 0) {
                                															_t112 =  *(_t103 + 4);
                                															__eflags = _t112;
                                															if(_t112 == 0) {
                                																__eflags =  *_t103 & 0x00000010;
                                																if(( *_t103 & 0x00000010) != 0) {
                                																	_t83 =  *(_t83 + 0x18);
                                																	_t104 =  *_t83;
                                																	__eflags = _t104;
                                																	if(_t104 != 0) {
                                																		 *0x57b3d4(_t104);
                                																		_t83 =  *((intOrPtr*)( *((intOrPtr*)( *_t104 + 8))))();
                                																	}
                                																}
                                															} else {
                                																_v8 = _v8 & 0x00000000;
                                																_t83 = E0049421C( *(_t83 + 0x18), _t112);
                                																_v8 = 0xfffffffe;
                                															}
                                														}
                                													} else {
                                														__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930521;
                                														if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930521) {
                                															goto L28;
                                														} else {
                                															__eflags =  *((intOrPtr*)(_t83 + 0x14)) - 0x19930522;
                                															if( *((intOrPtr*)(_t83 + 0x14)) == 0x19930522) {
                                																goto L28;
                                															}
                                														}
                                													}
                                												}
                                											}
                                										}
                                										 *[fs:0x0] = _v20;
                                										return _t83;
                                									} else {
                                										goto L7;
                                									}
                                								}
                                							}
                                							goto L35;
                                							L7:
                                							_t115 = _t92;
                                						} while (_t92 != 0xfffffffe);
                                						if(_t97 != 0) {
                                							goto L13;
                                						}
                                						goto L14;
                                					}
                                				}
                                				L35:
                                			}






































                                APIs
                                • _ValidateLocalCookies.LIBCMT ref: 00546F97
                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00546F9F
                                • _ValidateLocalCookies.LIBCMT ref: 00547028
                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00547053
                                • _ValidateLocalCookies.LIBCMT ref: 005470A8
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                • String ID: csm$csm
                                • API String ID: 1170836740-3733052814
                                • Opcode ID: 1b8ee875d6bf0853a5d0bd7cebf388cbf6ec79ff5f379b9055b379ceb910d4f5
                                • Instruction ID: ad097d29a37913176d65f2ffa8b77d4623d32d4d49a62d502fad453f381581b8
                                • Opcode Fuzzy Hash: 1b8ee875d6bf0853a5d0bd7cebf388cbf6ec79ff5f379b9055b379ceb910d4f5
                                • Instruction Fuzzy Hash: A6519F34A052099FCF14DF68D888A9D7FB5BF49328F1480A9E8195B292D731ED45CF91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0055EDC2(void* __ecx, signed int* _a4, intOrPtr _a8) {
                                				signed int* _v8;
                                				void** _t12;
                                				void* _t16;
                                				void* _t18;
                                				signed int _t22;
                                				WCHAR* _t23;
                                				void** _t26;
                                				signed int* _t29;
                                				void* _t32;
                                				void* _t34;
                                
                                				_t29 = _a4;
                                				while(_t29 != _a8) {
                                					_t22 =  *_t29;
                                					_t12 = 0x5f9ec0 + _t22 * 4;
                                					_t32 =  *_t12;
                                					_v8 = _t12;
                                					if(_t32 == 0) {
                                						_t23 =  *(0x5bbef0 + _t22 * 4);
                                						_t32 = LoadLibraryExW(_t23, 0, 0x800);
                                						if(_t32 != 0) {
                                							L12:
                                							_t26 = _v8;
                                							 *_t26 = _t32;
                                							if( *_t26 != 0) {
                                								FreeLibrary(_t32);
                                							}
                                							L14:
                                							if(_t32 != 0) {
                                								_t16 = _t32;
                                								L18:
                                								return _t16;
                                							}
                                							L15:
                                							_t29 =  &(_t29[1]);
                                							continue;
                                						}
                                						_t18 = GetLastError();
                                						if(_t18 != 0x57) {
                                							L9:
                                							_t32 = 0;
                                							L10:
                                							if(_t32 != 0) {
                                								goto L12;
                                							}
                                							 *_v8 = _t18 | 0xffffffff;
                                							goto L15;
                                						}
                                						_t18 = E0055D4C7(_t23, L"api-ms-", 7);
                                						_t34 = _t34 + 0xc;
                                						if(_t18 == 0) {
                                							goto L9;
                                						}
                                						_t18 = E0055D4C7(_t23, L"ext-ms-", 7);
                                						_t34 = _t34 + 0xc;
                                						if(_t18 == 0) {
                                							goto L9;
                                						}
                                						_t18 = LoadLibraryExW(_t23, _t32, _t32);
                                						_t32 = _t18;
                                						goto L10;
                                					}
                                					if(_t32 == 0xffffffff) {
                                						goto L15;
                                					}
                                					goto L14;
                                				}
                                				_t16 = 0;
                                				goto L18;
                                			}














                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID:
                                • String ID: api-ms-$ext-ms-
                                • API String ID: 0-537541572
                                • Opcode ID: 874f560cad242f2b67b0b714d4584f90b8c01d184cd226b31060de94aa1a9d7b
                                • Instruction ID: 8a78de5c52774b08e333e606642d822c6e2697b0ffa79c8377d6f37fc55a0135
                                • Opcode Fuzzy Hash: 874f560cad242f2b67b0b714d4584f90b8c01d184cd226b31060de94aa1a9d7b
                                • Instruction Fuzzy Hash: 0121F631A11314ABDB268B649C67A6B3F6CBF11762F240512ED15A71A1D730EE0896E0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0056238B(intOrPtr _a4) {
                                				void* _t18;
                                
                                				_t45 = _a4;
                                				if(_a4 != 0) {
                                					E005620D7(_t45, 7);
                                					E005620D7(_t45 + 0x1c, 7);
                                					E005620D7(_t45 + 0x38, 0xc);
                                					E005620D7(_t45 + 0x68, 0xc);
                                					E005620D7(_t45 + 0x98, 2);
                                					E0055D501( *((intOrPtr*)(_t45 + 0xa0)));
                                					E0055D501( *((intOrPtr*)(_t45 + 0xa4)));
                                					E0055D501( *((intOrPtr*)(_t45 + 0xa8)));
                                					E005620D7(_t45 + 0xb4, 7);
                                					E005620D7(_t45 + 0xd0, 7);
                                					E005620D7(_t45 + 0xec, 0xc);
                                					E005620D7(_t45 + 0x11c, 0xc);
                                					E005620D7(_t45 + 0x14c, 2);
                                					E0055D501( *((intOrPtr*)(_t45 + 0x154)));
                                					E0055D501( *((intOrPtr*)(_t45 + 0x158)));
                                					E0055D501( *((intOrPtr*)(_t45 + 0x15c)));
                                					return E0055D501( *((intOrPtr*)(_t45 + 0x160)));
                                				}
                                				return _t18;
                                			}





                                APIs
                                  • Part of subcall function 005620D7: _free.LIBCMT ref: 005620FC
                                • _free.LIBCMT ref: 005623D9
                                  • Part of subcall function 0055D501: RtlFreeHeap.NTDLL(00000000,00000000,?,00559290), ref: 0055D517
                                  • Part of subcall function 0055D501: GetLastError.KERNEL32(?,?,00559290), ref: 0055D529
                                • _free.LIBCMT ref: 005623E4
                                • _free.LIBCMT ref: 005623EF
                                • _free.LIBCMT ref: 00562443
                                • _free.LIBCMT ref: 0056244E
                                • _free.LIBCMT ref: 00562459
                                • _free.LIBCMT ref: 00562464
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: f822696a6842fdb531ade29e4e08d539aa822c2e8f098e00fb3b9312cf5b28a6
                                • Instruction ID: f9e2096bdc1f1607eb4ba56163285a2e30fe839ac695604bd50d26a5f058bc07
                                • Opcode Fuzzy Hash: f822696a6842fdb531ade29e4e08d539aa822c2e8f098e00fb3b9312cf5b28a6
                                • Instruction Fuzzy Hash: C0114272542B15AAD930B770CC4FFCB7FAD7F80710F404C19B799AB062DA65B5448751
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 64%
                                			E0055FFD1(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, signed int _a8, long _a12, intOrPtr _a16) {
                                				signed int _v8;
                                				char _v16;
                                				char _v23;
                                				char _v24;
                                				void _v32;
                                				signed int _v33;
                                				long _v40;
                                				long _v44;
                                				char _v47;
                                				void _v48;
                                				intOrPtr _v52;
                                				long _v56;
                                				char _v60;
                                				intOrPtr _v68;
                                				char _v72;
                                				struct _OVERLAPPED* _v76;
                                				signed int _v80;
                                				signed int _v84;
                                				intOrPtr _v88;
                                				signed int _v92;
                                				long _v96;
                                				long _v100;
                                				intOrPtr _v104;
                                				intOrPtr _v108;
                                				long _v112;
                                				void* _v116;
                                				char _v120;
                                				int _v124;
                                				intOrPtr _v128;
                                				struct _OVERLAPPED* _v132;
                                				struct _OVERLAPPED* _v136;
                                				struct _OVERLAPPED* _v140;
                                				struct _OVERLAPPED* _v144;
                                				signed int _t172;
                                				signed int _t174;
                                				int _t178;
                                				intOrPtr _t183;
                                				intOrPtr _t186;
                                				void* _t188;
                                				void* _t190;
                                				long _t193;
                                				void _t198;
                                				long _t202;
                                				void* _t206;
                                				intOrPtr _t212;
                                				signed char* _t213;
                                				char _t216;
                                				signed int _t219;
                                				char* _t220;
                                				void* _t222;
                                				long _t228;
                                				intOrPtr _t229;
                                				char _t231;
                                				long _t235;
                                				struct _OVERLAPPED* _t243;
                                				signed int _t247;
                                				intOrPtr _t250;
                                				signed int _t253;
                                				signed int _t254;
                                				signed int _t256;
                                				struct _OVERLAPPED* _t257;
                                				intOrPtr _t259;
                                				void* _t263;
                                				long _t264;
                                				signed char _t265;
                                				signed int _t266;
                                				void* _t267;
                                				void* _t269;
                                				struct _OVERLAPPED* _t270;
                                				long _t271;
                                				signed int _t272;
                                				long _t276;
                                				signed int _t280;
                                				long _t281;
                                				struct _OVERLAPPED* _t282;
                                				signed int _t284;
                                				intOrPtr _t286;
                                				signed int _t289;
                                				signed int _t292;
                                				long _t293;
                                				long _t294;
                                				signed int _t295;
                                				intOrPtr _t296;
                                				signed int _t298;
                                				signed int _t300;
                                				void* _t301;
                                				void* _t303;
                                
                                				_t298 = _t300;
                                				_t301 = _t300 - 0x8c;
                                				_t172 = E005EA214; // 0x21f212cc
                                				_v8 = _t172 ^ _t298;
                                				_t174 = _a8;
                                				_t264 = _a12;
                                				_t284 = (_t174 & 0x0000003f) * 0x38;
                                				_t247 = _t174 >> 6;
                                				_v112 = _t264;
                                				_v84 = _t247;
                                				_v80 = _t284;
                                				_t286 = _a16 + _t264;
                                				_v116 =  *((intOrPtr*)(_t284 +  *((intOrPtr*)(0x5f9cb8 + _t247 * 4)) + 0x18));
                                				_v104 = _t286;
                                				_t178 = GetConsoleCP();
                                				_t243 = 0;
                                				_v124 = _t178;
                                				E0054BC90( &_v72, _t264, 0);
                                				asm("stosd");
                                				_t250 =  *((intOrPtr*)(_v68 + 8));
                                				_v128 = _t250;
                                				asm("stosd");
                                				asm("stosd");
                                				_t276 = _v112;
                                				_v40 = _t276;
                                				if(_t276 >= _t286) {
                                					L53:
                                					__eflags = _v60 - _t243;
                                				} else {
                                					_t289 = _v92;
                                					while(1) {
                                						_v47 =  *_t276;
                                						_v76 = _t243;
                                						_v44 = 1;
                                						_t186 =  *((intOrPtr*)(0x5f9cb8 + _v84 * 4));
                                						_v52 = _t186;
                                						if(_t250 != 0xfde9) {
                                							goto L24;
                                						}
                                						_t266 = _v80;
                                						_t212 = _t186 + 0x2e + _t266;
                                						_t257 = _t243;
                                						_v108 = _t212;
                                						while( *((intOrPtr*)(_t212 + _t257)) != _t243) {
                                							_t257 =  &(_t257->Internal);
                                							if(_t257 < 5) {
                                								continue;
                                							}
                                							break;
                                						}
                                						_t213 = _v40;
                                						_t280 = _v104 - _t213;
                                						_v44 = _t257;
                                						if(_t257 <= 0) {
                                							_t259 =  *((char*)(( *_t213 & 0x000000ff) + 0x5ee198)) + 1;
                                							_v52 = _t259;
                                							__eflags = _t259 - _t280;
                                							if(_t259 > _t280) {
                                								__eflags = _t280;
                                								if(_t280 <= 0) {
                                									goto L45;
                                								} else {
                                									_t293 = _v40;
                                									do {
                                										_t267 = _t266 + _t243;
                                										_t216 =  *((intOrPtr*)(_t243 + _t293));
                                										_t243 =  &(_t243->Internal);
                                										 *((char*)(_t267 +  *((intOrPtr*)(0x5f9cb8 + _v84 * 4)) + 0x2e)) = _t216;
                                										_t266 = _v80;
                                										__eflags = _t243 - _t280;
                                									} while (_t243 < _t280);
                                									goto L44;
                                								}
                                							} else {
                                								_t281 = _v40;
                                								__eflags = _t259 - 4;
                                								_v144 = _t243;
                                								_t261 =  &_v144;
                                								_v140 = _t243;
                                								_v56 = _t281;
                                								_t219 = (0 | _t259 == 0x00000004) + 1;
                                								__eflags = _t219;
                                								_push( &_v144);
                                								_v44 = _t219;
                                								_push(_t219);
                                								_t220 =  &_v56;
                                								goto L22;
                                							}
                                						} else {
                                							_t228 =  *((char*)(( *(_t266 + _v52 + 0x2e) & 0x000000ff) + 0x5ee198)) + 1;
                                							_v56 = _t228;
                                							_t229 = _t228 - _t257;
                                							_v52 = _t229;
                                							if(_t229 > _t280) {
                                								__eflags = _t280;
                                								if(_t280 > 0) {
                                									_t294 = _v40;
                                									do {
                                										_t269 = _t266 + _t243 + _t257;
                                										_t231 =  *((intOrPtr*)(_t243 + _t294));
                                										_t243 =  &(_t243->Internal);
                                										 *((char*)(_t269 +  *((intOrPtr*)(0x5f9cb8 + _v84 * 4)) + 0x2e)) = _t231;
                                										_t257 = _v44;
                                										_t266 = _v80;
                                										__eflags = _t243 - _t280;
                                									} while (_t243 < _t280);
                                									L44:
                                									_t289 = _v92;
                                								}
                                								L45:
                                								_t292 = _t289 + _t280;
                                								__eflags = _t292;
                                								L46:
                                								__eflags = _v60;
                                								_v92 = _t292;
                                							} else {
                                								_t270 = _t243;
                                								if(_t257 > 0) {
                                									_t296 = _v108;
                                									do {
                                										 *((char*)(_t298 + _t270 - 0xc)) =  *((intOrPtr*)(_t296 + _t270));
                                										_t270 =  &(_t270->Internal);
                                									} while (_t270 < _t257);
                                									_t229 = _v52;
                                								}
                                								_t281 = _v40;
                                								if(_t229 > 0) {
                                									E00548300( &_v16 + _t257, _t281, _v52);
                                									_t257 = _v44;
                                									_t301 = _t301 + 0xc;
                                								}
                                								if(_t257 > 0) {
                                									_t271 = _v44;
                                									_t282 = _t243;
                                									_t295 = _v80;
                                									do {
                                										_t263 = _t295 + _t282;
                                										_t282 =  &(_t282->Internal);
                                										 *(_t263 +  *((intOrPtr*)(0x5f9cb8 + _v84 * 4)) + 0x2e) = _t243;
                                									} while (_t282 < _t271);
                                									_t281 = _v40;
                                								}
                                								_v136 = _t243;
                                								_v120 =  &_v16;
                                								_t261 =  &_v136;
                                								_v132 = _t243;
                                								_push( &_v136);
                                								_t235 = (0 | _v56 == 0x00000004) + 1;
                                								_v44 = _t235;
                                								_push(_t235);
                                								_t220 =  &_v120;
                                								L22:
                                								_push(_t220);
                                								_push( &_v76);
                                								_t222 = E0055F958(_t261);
                                								_t303 = _t301 + 0x10;
                                								if(_t222 == 0xffffffff) {
                                									goto L53;
                                								} else {
                                									_t276 = _t281 + _v52 - 1;
                                									L32:
                                									_t276 = _t276 + 1;
                                									_v40 = _t276;
                                									_t193 = E0055F4E6(_v124, _t243,  &_v76, _v44,  &_v32, 5, _t243, _t243);
                                									_t301 = _t303 + 0x20;
                                									_v56 = _t193;
                                									if(_t193 == 0) {
                                										goto L53;
                                									} else {
                                										if(WriteFile(_v116,  &_v32, _t193,  &_v100, _t243) == 0) {
                                											L52:
                                											_v96 = GetLastError();
                                											goto L53;
                                										} else {
                                											_t289 = _v88 - _v112 + _t276;
                                											_v92 = _t289;
                                											if(_v100 < _v56) {
                                												goto L53;
                                											} else {
                                												if(_v47 != 0xa) {
                                													L39:
                                													if(_t276 >= _v104) {
                                														goto L53;
                                													} else {
                                														_t250 = _v128;
                                														continue;
                                													}
                                												} else {
                                													_t198 = 0xd;
                                													_v48 = _t198;
                                													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t243) == 0) {
                                														goto L52;
                                													} else {
                                														if(_v100 < 1) {
                                															goto L53;
                                														} else {
                                															_v88 = _v88 + 1;
                                															_t289 = _t289 + 1;
                                															_v92 = _t289;
                                															goto L39;
                                														}
                                													}
                                												}
                                											}
                                										}
                                									}
                                								}
                                							}
                                						}
                                						goto L54;
                                						L24:
                                						_t253 = _v80;
                                						_t265 =  *((intOrPtr*)(_t253 + _t186 + 0x2d));
                                						__eflags = _t265 & 0x00000004;
                                						if((_t265 & 0x00000004) == 0) {
                                							_v33 =  *_t276;
                                							_t188 = E0055749F(_t265);
                                							_t254 = _v33 & 0x000000ff;
                                							__eflags =  *((intOrPtr*)(_t188 + _t254 * 2)) - _t243;
                                							if( *((intOrPtr*)(_t188 + _t254 * 2)) >= _t243) {
                                								_push(1);
                                								_push(_t276);
                                								goto L31;
                                							} else {
                                								_t202 = _t276 + 1;
                                								_v56 = _t202;
                                								__eflags = _t202 - _v104;
                                								if(_t202 >= _v104) {
                                									_t272 = _v84;
                                									_t256 = _v80;
                                									 *((char*)(_t256 +  *((intOrPtr*)(0x5f9cb8 + _t272 * 4)) + 0x2e)) = _v33;
                                									 *(_t256 +  *((intOrPtr*)(0x5f9cb8 + _t272 * 4)) + 0x2d) =  *(_t256 +  *((intOrPtr*)(0x5f9cb8 + _t272 * 4)) + 0x2d) | 0x00000004;
                                									_t292 = _t289 + 1;
                                									goto L46;
                                								} else {
                                									_t206 = E0055D6CB( &_v76, _t276, 2);
                                									_t303 = _t301 + 0xc;
                                									__eflags = _t206 - 0xffffffff;
                                									if(_t206 == 0xffffffff) {
                                										goto L53;
                                									} else {
                                										_t276 = _v56;
                                										goto L32;
                                									}
                                								}
                                							}
                                						} else {
                                							_v24 =  *((intOrPtr*)(_t253 + _t186 + 0x2e));
                                							_v23 =  *_t276;
                                							_push(2);
                                							 *(_t253 + _v52 + 0x2d) = _t265 & 0x000000fb;
                                							_push( &_v24);
                                							L31:
                                							_push( &_v76);
                                							_t190 = E0055D6CB();
                                							_t303 = _t301 + 0xc;
                                							__eflags = _t190 - 0xffffffff;
                                							if(_t190 == 0xffffffff) {
                                								goto L53;
                                							} else {
                                								goto L32;
                                							}
                                						}
                                						goto L54;
                                					}
                                				}
                                				L54:
                                				if(__eflags != 0) {
                                					_t183 = _v72;
                                					_t167 = _t183 + 0x350;
                                					 *_t167 =  *(_t183 + 0x350) & 0xfffffffd;
                                					__eflags =  *_t167;
                                				}
                                				__eflags = _v8 ^ _t298;
                                				asm("movsd");
                                				asm("movsd");
                                				asm("movsd");
                                				return E004958E2(_v8 ^ _t298);
                                			}

                                APIs
                                • GetConsoleCP.KERNEL32(00000020,?,00000000), ref: 00560019
                                • __fassign.LIBCMT ref: 005601F8
                                • __fassign.LIBCMT ref: 00560215
                                • WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0056025D
                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0056029D
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00560349
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: FileWrite__fassign$ConsoleErrorLast
                                • String ID:
                                • API String ID: 4031098158-0
                                • Opcode ID: 5a13c639eb1d3d8f9ea6c10a30219ac8436f47a2b3c244f5994333112885ee9b
                                • Instruction ID: 915b13585550190e3a98a9edf0b69d62d291eb87ff68d1a745201496f5fd7853
                                • Opcode Fuzzy Hash: 5a13c639eb1d3d8f9ea6c10a30219ac8436f47a2b3c244f5994333112885ee9b
                                • Instruction Fuzzy Hash: 68D19975D002599FCF15CFA8C994AEEBFB5BF49310F28016AE855EB382D630AD46CB50
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 25%
                                			E005563C6(void* __ecx, intOrPtr _a4) {
                                				signed int _v8;
                                				_Unknown_base(*)()* _t8;
                                				_Unknown_base(*)()* _t14;
                                
                                				_v8 = _v8 & 0x00000000;
                                				_t8 =  &_v8;
                                				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
                                				if(_t8 != 0) {
                                					_t8 = GetProcAddress(_v8, "CorExitProcess");
                                					_t14 = _t8;
                                					if(_t14 != 0) {
                                						 *0x57b3d4(_a4);
                                						_t8 =  *_t14();
                                					}
                                				}
                                				if(_v8 != 0) {
                                					return FreeLibrary(_v8);
                                				}
                                				return _t8;
                                			}

                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,005563BB,?,?,00556383,?,?,?), ref: 005563DB
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005563EE
                                • FreeLibrary.KERNEL32(00000000,?,?,005563BB,?,?,00556383,?,?,?), ref: 00556411
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$mscoree.dll
                                • API String ID: 4061214504-1276376045
                                • Opcode ID: 93703480c5c35d59f94857deb257376e315c0954ce5295451b99c582720ca0fc
                                • Instruction ID: bd895ea0d2170154db3ca0ae82e44559bc5affb8e2c589b54deca9f585094877
                                • Opcode Fuzzy Hash: 93703480c5c35d59f94857deb257376e315c0954ce5295451b99c582720ca0fc
                                • Instruction Fuzzy Hash: DEF08270902218FBEF119B91ED0DB9EBF68FF10756F144061A805A2160CB749E49FB91
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E00561E5F(intOrPtr* _a4) {
                                				intOrPtr _t6;
                                				intOrPtr* _t21;
                                				void* _t23;
                                				void* _t24;
                                				void* _t25;
                                				void* _t26;
                                				void* _t27;
                                
                                				_t21 = _a4;
                                				if(_t21 != 0) {
                                					_t23 =  *_t21 -  *0x5edf70; // 0x5edfc4
                                					if(_t23 != 0) {
                                						E0055D501(_t7);
                                					}
                                					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x5edf74; // 0x5f98b4
                                					if(_t24 != 0) {
                                						E0055D501(_t8);
                                					}
                                					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x5edf78; // 0x5f98b4
                                					if(_t25 != 0) {
                                						E0055D501(_t9);
                                					}
                                					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x5edfa0; // 0x5edfc8
                                					if(_t26 != 0) {
                                						E0055D501(_t10);
                                					}
                                					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                                					_t27 = _t6 -  *0x5edfa4; // 0x5f98b8
                                					if(_t27 != 0) {
                                						return E0055D501(_t6);
                                					}
                                				}
                                				return _t6;
                                			}

                                APIs
                                • _free.LIBCMT ref: 00561E77
                                  • Part of subcall function 0055D501: RtlFreeHeap.NTDLL(00000000,00000000,?,00559290), ref: 0055D517
                                  • Part of subcall function 0055D501: GetLastError.KERNEL32(?,?,00559290), ref: 0055D529
                                • _free.LIBCMT ref: 00561E89
                                • _free.LIBCMT ref: 00561E9B
                                • _free.LIBCMT ref: 00561EAD
                                • _free.LIBCMT ref: 00561EBF
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 4d66c16127f8d081f1ba903f98cb722e402a0a227e931aa22c91adf3ae7f36ea
                                • Instruction ID: 3ae76318d8c32904aff0bb1b44e461fd04350b343b042793b4cdeb5cf8c816cf
                                • Opcode Fuzzy Hash: 4d66c16127f8d081f1ba903f98cb722e402a0a227e931aa22c91adf3ae7f36ea
                                • Instruction Fuzzy Hash: 8CF04973911600AB8664EB68E9CAC6B7FFDBA403113680806F859DB500DA36FC848A78
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 60%
                                			E00564F03(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
                                				signed int _v8;
                                				intOrPtr _v12;
                                				void* _v24;
                                				signed int _t41;
                                				signed int _t49;
                                				void* _t52;
                                				signed int _t56;
                                				void* _t60;
                                				intOrPtr _t63;
                                				void* _t64;
                                				intOrPtr _t68;
                                				intOrPtr* _t71;
                                				intOrPtr _t85;
                                				intOrPtr* _t91;
                                				intOrPtr _t93;
                                				signed int _t96;
                                				void* _t97;
                                				intOrPtr* _t98;
                                				intOrPtr* _t100;
                                				void* _t103;
                                
                                				_push(__ecx);
                                				_push(__ecx);
                                				_t41 = E005EA214; // 0x21f212cc
                                				_v8 = _t41 ^ _t96;
                                				_t93 = _a20;
                                				if(_t93 > 0) {
                                					_t68 = E00557FB9(_a16, _t93);
                                					_t103 = _t68 - _t93;
                                					_t4 = _t68 + 1; // 0x1
                                					_t93 = _t4;
                                					if(_t103 >= 0) {
                                						_t93 = _t68;
                                					}
                                				}
                                				_t88 = _a32;
                                				if(_a32 == 0) {
                                					_t88 =  *((intOrPtr*)( *_a4 + 8));
                                					_a32 =  *((intOrPtr*)( *_a4 + 8));
                                				}
                                				_t85 = E0055F870(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
                                				_t98 = _t97 + 0x18;
                                				_v12 = _t85;
                                				if(_t85 == 0) {
                                					L39:
                                					return E004958E2(_v8 ^ _t96);
                                				} else {
                                					_t17 = _t85 + _t85 + 8; // 0x8
                                					asm("sbb eax, eax");
                                					_t49 = _t85 + _t85 & _t17;
                                					if(_t49 == 0) {
                                						_t71 = 0;
                                						L15:
                                						if(_t71 == 0) {
                                							L37:
                                							_t95 = 0;
                                							L38:
                                							E00495791(_t71);
                                							goto L39;
                                						}
                                						_t52 = E0055F870(_t88, 1, _a16, _t93, _t71, _t85);
                                						_t100 = _t98 + 0x18;
                                						if(_t52 == 0) {
                                							goto L37;
                                						}
                                						_t90 = _v12;
                                						_t95 = E0055F2D7(_a8, _a12, _t71, _v12, 0, 0, 0, 0, 0);
                                						if(_t95 == 0) {
                                							goto L37;
                                						}
                                						if((_a12 & 0x00000400) == 0) {
                                							_t31 = _t95 + _t95 + 8; // 0x8
                                							asm("sbb eax, eax");
                                							_t56 = _t95 + _t95 & _t31;
                                							if(_t56 == 0) {
                                								_t91 = 0;
                                								L31:
                                								if(_t91 == 0 || E0055F2D7(_a8, _a12, _t71, _v12, _t91, _t95, 0, 0, 0) == 0) {
                                									L36:
                                									E00495791(_t91);
                                									goto L37;
                                								} else {
                                									_push(0);
                                									_push(0);
                                									if(_a28 != 0) {
                                										_push(_a28);
                                										_push(_a24);
                                									} else {
                                										_push(0);
                                										_push(0);
                                									}
                                									_push(_t95);
                                									_push(_t91);
                                									_push(0);
                                									_push(_a32);
                                									_t60 = E0055F4E6();
                                									_t95 = _t60;
                                									if(_t60 != 0) {
                                										E00495791(_t91);
                                										goto L38;
                                									} else {
                                										goto L36;
                                									}
                                								}
                                							}
                                							if(_t56 > 0x400) {
                                								_t91 = E0055D53B(_t56);
                                								if(_t91 == 0) {
                                									goto L36;
                                								}
                                								 *_t91 = 0xdddd;
                                								L29:
                                								_t91 = _t91 + 8;
                                								goto L31;
                                							}
                                							E00496950();
                                							_t91 = _t100;
                                							if(_t91 == 0) {
                                								goto L36;
                                							}
                                							 *_t91 = 0xcccc;
                                							goto L29;
                                						}
                                						_t63 = _a28;
                                						if(_t63 == 0) {
                                							goto L38;
                                						}
                                						if(_t95 > _t63) {
                                							goto L37;
                                						}
                                						_t64 = E0055F2D7(_a8, _a12, _t71, _t90, _a24, _t63, 0, 0, 0);
                                						_t95 = _t64;
                                						if(_t64 != 0) {
                                							goto L38;
                                						}
                                						goto L37;
                                					}
                                					if(_t49 > 0x400) {
                                						_t71 = E0055D53B(_t49);
                                						if(_t71 == 0) {
                                							L13:
                                							_t85 = _v12;
                                							goto L15;
                                						}
                                						 *_t71 = 0xdddd;
                                						L12:
                                						_t71 = _t71 + 8;
                                						goto L13;
                                					}
                                					E00496950();
                                					_t71 = _t98;
                                					if(_t71 == 0) {
                                						goto L13;
                                					}
                                					 *_t71 = 0xcccc;
                                					goto L12;
                                				}
                                			}
























                                APIs
                                • __freea.LIBCMT ref: 005650B9
                                  • Part of subcall function 0055D53B: RtlAllocateHeap.NTDLL(00000000,?,?,?,0055E854,00001000,00000000,?,00000000,?,00557C40,00000000,00000000,00000000,00000000,?), ref: 0055D56D
                                • __freea.LIBCMT ref: 005650C2
                                • __freea.LIBCMT ref: 005650E5
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: __freea$AllocateHeap
                                • String ID: /1V-
                                • API String ID: 2243444508-1434601844
                                • Opcode ID: 5c3466af69dc69fa3742405f88ea523ae874efc9ac9f0952b3a5827185956467
                                • Instruction ID: aebab0141147a17ab630bb1df9448088bb79222224b37f2229bca492e9ba8e58
                                • Opcode Fuzzy Hash: 5c3466af69dc69fa3742405f88ea523ae874efc9ac9f0952b3a5827185956467
                                • Instruction Fuzzy Hash: A451CE72640606AFEB219F60CC89EAB7FA9FF85764F250129FD04A7240EB35DC5187E1
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 79%
                                			E0055DB9B(void* __ecx, void* __edx) {
                                				void* __ebx;
                                				void* __edi;
                                				void* __esi;
                                				intOrPtr _t2;
                                				long _t3;
                                				intOrPtr _t5;
                                				long _t6;
                                				intOrPtr _t9;
                                				long _t10;
                                				signed int _t39;
                                				signed int _t40;
                                				void* _t43;
                                				void* _t49;
                                				signed int _t51;
                                				signed int _t53;
                                				signed int _t54;
                                				long _t56;
                                				long _t60;
                                				long _t61;
                                				void* _t65;
                                
                                				_t49 = __edx;
                                				_t43 = __ecx;
                                				_t60 = GetLastError();
                                				_t2 =  *0x5ee090; // 0x6
                                				_t67 = _t2 - 0xffffffff;
                                				if(_t2 == 0xffffffff) {
                                					L6:
                                					_t3 = E0055F119(__eflags, _t2, 0xffffffff);
                                					__eflags = _t3;
                                					if(_t3 == 0) {
                                						goto L3;
                                					} else {
                                						_t51 = E0055EAC5(1, 0x364);
                                						_pop(_t43);
                                						__eflags = _t51;
                                						if(__eflags != 0) {
                                							__eflags = E0055F119(__eflags,  *0x5ee090, _t51);
                                							if(__eflags != 0) {
                                								E0055D9C9(_t51, 0x5f9cb4);
                                								E0055D501(0);
                                								_t65 = _t65 + 0xc;
                                								goto L13;
                                							} else {
                                								_t39 = 0;
                                								E0055F119(__eflags,  *0x5ee090, 0);
                                								_push(_t51);
                                								goto L9;
                                							}
                                						} else {
                                							_t39 = 0;
                                							__eflags = 0;
                                							E0055F119(0,  *0x5ee090, 0);
                                							_push(0);
                                							L9:
                                							E0055D501();
                                							_pop(_t43);
                                							goto L4;
                                						}
                                					}
                                				} else {
                                					_t51 = E0055F0DA(_t67, _t2);
                                					if(_t51 == 0) {
                                						_t2 =  *0x5ee090; // 0x6
                                						goto L6;
                                					} else {
                                						if(_t51 != 0xffffffff) {
                                							L13:
                                							_t39 = _t51;
                                						} else {
                                							L3:
                                							_t39 = 0;
                                							L4:
                                							_t51 = _t39;
                                						}
                                					}
                                				}
                                				SetLastError(_t60);
                                				asm("sbb edi, edi");
                                				_t53 =  ~_t51 & _t39;
                                				if(_t53 == 0) {
                                					E00557B8C(_t39, _t43, _t49, _t53, _t60);
                                					asm("int3");
                                					_t5 =  *0x5ee090; // 0x6
                                					_push(_t60);
                                					__eflags = _t5 - 0xffffffff;
                                					if(__eflags == 0) {
                                						L22:
                                						_t6 = E0055F119(__eflags, _t5, 0xffffffff);
                                						__eflags = _t6;
                                						if(_t6 == 0) {
                                							goto L31;
                                						} else {
                                							_t60 = E0055EAC5(1, 0x364);
                                							_pop(_t43);
                                							__eflags = _t60;
                                							if(__eflags != 0) {
                                								__eflags = E0055F119(__eflags,  *0x5ee090, _t60);
                                								if(__eflags != 0) {
                                									E0055D9C9(_t60, 0x5f9cb4);
                                									E0055D501(0);
                                									_t65 = _t65 + 0xc;
                                									goto L29;
                                								} else {
                                									E0055F119(__eflags,  *0x5ee090, _t21);
                                									_push(_t60);
                                									goto L25;
                                								}
                                							} else {
                                								E0055F119(__eflags,  *0x5ee090, _t20);
                                								_push(_t60);
                                								L25:
                                								E0055D501();
                                								_pop(_t43);
                                								goto L31;
                                							}
                                						}
                                					} else {
                                						_t60 = E0055F0DA(__eflags, _t5);
                                						__eflags = _t60;
                                						if(__eflags == 0) {
                                							_t5 =  *0x5ee090; // 0x6
                                							goto L22;
                                						} else {
                                							__eflags = _t60 - 0xffffffff;
                                							if(_t60 == 0xffffffff) {
                                								L31:
                                								E00557B8C(_t39, _t43, _t49, _t53, _t60);
                                								asm("int3");
                                								_push(_t39);
                                								_push(_t60);
                                								_push(_t53);
                                								_t61 = GetLastError();
                                								_t9 =  *0x5ee090; // 0x6
                                								__eflags = _t9 - 0xffffffff;
                                								if(__eflags == 0) {
                                									L38:
                                									_t10 = E0055F119(__eflags, _t9, 0xffffffff);
                                									__eflags = _t10;
                                									if(_t10 == 0) {
                                										goto L35;
                                									} else {
                                										_t54 = E0055EAC5(1, 0x364);
                                										__eflags = _t54;
                                										if(__eflags != 0) {
                                											__eflags = E0055F119(__eflags,  *0x5ee090, _t54);
                                											if(__eflags != 0) {
                                												E0055D9C9(_t54, 0x5f9cb4);
                                												E0055D501(0);
                                												goto L45;
                                											} else {
                                												_t40 = 0;
                                												E0055F119(__eflags,  *0x5ee090, 0);
                                												_push(_t54);
                                												goto L41;
                                											}
                                										} else {
                                											_t40 = 0;
                                											__eflags = 0;
                                											E0055F119(0,  *0x5ee090, 0);
                                											_push(0);
                                											L41:
                                											E0055D501();
                                											goto L36;
                                										}
                                									}
                                								} else {
                                									_t54 = E0055F0DA(__eflags, _t9);
                                									__eflags = _t54;
                                									if(__eflags == 0) {
                                										_t9 =  *0x5ee090; // 0x6
                                										goto L38;
                                									} else {
                                										__eflags = _t54 - 0xffffffff;
                                										if(_t54 != 0xffffffff) {
                                											L45:
                                											_t40 = _t54;
                                										} else {
                                											L35:
                                											_t40 = 0;
                                											__eflags = 0;
                                											L36:
                                											_t54 = _t40;
                                										}
                                									}
                                								}
                                								SetLastError(_t61);
                                								asm("sbb edi, edi");
                                								_t56 =  ~_t54 & _t40;
                                								__eflags = _t56;
                                								return _t56;
                                							} else {
                                								L29:
                                								__eflags = _t60;
                                								if(_t60 == 0) {
                                									goto L31;
                                								} else {
                                									return _t60;
                                								}
                                							}
                                						}
                                					}
                                				} else {
                                					return _t53;
                                				}
                                			}
























                                APIs
                                • GetLastError.KERNEL32(?,?,?,0054E9ED,005E6810,0000000C), ref: 0055DBA0
                                • _free.LIBCMT ref: 0055DBFD
                                • _free.LIBCMT ref: 0055DC33
                                • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0054E9ED,005E6810,0000000C), ref: 0055DC3E
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: ErrorLast_free
                                • String ID:
                                • API String ID: 2283115069-0
                                • Opcode ID: 73c12c901184567899fff078e104079d67a6ba3a77d7e80842fa357d08f6c135
                                • Instruction ID: 7f2b4dd7ad6eb3edc8951adf8c22e9c55e7643629c50c879b11c8daf01aa069f
                                • Opcode Fuzzy Hash: 73c12c901184567899fff078e104079d67a6ba3a77d7e80842fa357d08f6c135
                                • Instruction Fuzzy Hash: 4F11E7732045076AD6212B74ACAEE2A2E6BBBC07777250636FD25861E1DE628C0D9630
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 85%
                                			E0055DCF2(void* __ecx) {
                                				intOrPtr _t2;
                                				signed int _t3;
                                				signed int _t13;
                                				signed int _t18;
                                				long _t21;
                                
                                				_t21 = GetLastError();
                                				_t2 =  *0x5ee090; // 0x6
                                				_t24 = _t2 - 0xffffffff;
                                				if(_t2 == 0xffffffff) {
                                					L6:
                                					_t3 = E0055F119(__eflags, _t2, 0xffffffff);
                                					__eflags = _t3;
                                					if(_t3 == 0) {
                                						goto L3;
                                					} else {
                                						_t18 = E0055EAC5(1, 0x364);
                                						__eflags = _t18;
                                						if(__eflags != 0) {
                                							__eflags = E0055F119(__eflags,  *0x5ee090, _t18);
                                							if(__eflags != 0) {
                                								E0055D9C9(_t18, 0x5f9cb4);
                                								E0055D501(0);
                                								goto L13;
                                							} else {
                                								_t13 = 0;
                                								E0055F119(__eflags,  *0x5ee090, 0);
                                								_push(_t18);
                                								goto L9;
                                							}
                                						} else {
                                							_t13 = 0;
                                							__eflags = 0;
                                							E0055F119(0,  *0x5ee090, 0);
                                							_push(0);
                                							L9:
                                							E0055D501();
                                							goto L4;
                                						}
                                					}
                                				} else {
                                					_t18 = E0055F0DA(_t24, _t2);
                                					if(_t18 == 0) {
                                						_t2 =  *0x5ee090; // 0x6
                                						goto L6;
                                					} else {
                                						if(_t18 != 0xffffffff) {
                                							L13:
                                							_t13 = _t18;
                                						} else {
                                							L3:
                                							_t13 = 0;
                                							L4:
                                							_t18 = _t13;
                                						}
                                					}
                                				}
                                				SetLastError(_t21);
                                				asm("sbb edi, edi");
                                				return  ~_t18 & _t13;
                                			}









                                APIs
                                • GetLastError.KERNEL32(?,?,?,0054E7E6,0055D527,?,?,00559290), ref: 0055DCF7
                                • _free.LIBCMT ref: 0055DD54
                                • _free.LIBCMT ref: 0055DD8A
                                • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0054E7E6,0055D527,?,?,00559290), ref: 0055DD95
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: ErrorLast_free
                                • String ID:
                                • API String ID: 2283115069-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 100%
                                			E0056C5C5(void* _a4, long _a8, DWORD* _a12) {
                                				void* _t13;
                                
                                				_t13 = WriteConsoleW( *0x5ee880, _a4, _a8, _a12, 0);
                                				if(_t13 == 0 && GetLastError() == 6) {
                                					E0056C5AE();
                                					E0056C570();
                                					_t13 = WriteConsoleW( *0x5ee880, _a4, _a8, _a12, _t13);
                                				}
                                				return _t13;
                                			}





                                APIs
                                • WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,0056B250,00000000,00000001,00000000,?,?,005603A6,00000000,00000020,?), ref: 0056C5DC
                                • GetLastError.KERNEL32(?,0056B250,00000000,00000001,00000000,?,?,005603A6,00000000,00000020,?,00000000,?,?,005608FA,00000000), ref: 0056C5E8
                                  • Part of subcall function 0056C5AE: CloseHandle.KERNEL32(FFFFFFFE,0056C5F8,?,0056B250,00000000,00000001,00000000,?,?,005603A6,00000000,00000020,?,00000000,?), ref: 0056C5BE
                                • ___initconout.LIBCMT ref: 0056C5F8
                                  • Part of subcall function 0056C570: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0056C59F,0056B23D,?,?,005603A6,00000000,00000020,?,00000000), ref: 0056C583
                                • WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,0056B250,00000000,00000001,00000000,?,?,005603A6,00000000,00000020,?,00000000), ref: 0056C60D
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                • String ID:
                                • API String ID: 2744216297-0
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 91%
                                			E00563099(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                				signed int _v8;
                                				char _v22;
                                				char _v28;
                                				signed int _v32;
                                				signed int _v36;
                                				signed int _t51;
                                				signed int _t60;
                                				signed int _t61;
                                				short _t64;
                                				signed char _t66;
                                				signed int _t67;
                                				signed char* _t76;
                                				signed char* _t77;
                                				int _t80;
                                				signed int _t85;
                                				signed char* _t86;
                                				short* _t87;
                                				signed int _t88;
                                				signed char _t89;
                                				signed int _t90;
                                				signed int _t92;
                                				signed int _t93;
                                				short _t95;
                                				signed int _t96;
                                				intOrPtr _t99;
                                				signed int _t100;
                                
                                				_t51 = E005EA214; // 0x21f212cc
                                				_v8 = _t51 ^ _t100;
                                				_t99 = _a8;
                                				_t80 = E00562C2E(__eflags, _a4);
                                				if(_t80 == 0) {
                                					L36:
                                					E00562C9F(_t99);
                                					goto L37;
                                				} else {
                                					_t95 = 0;
                                					_t85 = 0;
                                					_t57 = 0;
                                					_v32 = 0;
                                					while( *((intOrPtr*)(_t57 + 0x5ee6d0)) != _t80) {
                                						_t85 = _t85 + 1;
                                						_t57 = _t57 + 0x30;
                                						_v32 = _t85;
                                						if(_t57 < 0xf0) {
                                							continue;
                                						} else {
                                							if(_t80 == 0xfde8 || IsValidCodePage(_t80 & 0x0000ffff) == 0) {
                                								L22:
                                							} else {
                                								if(_t80 != 0xfde9) {
                                									_t13 =  &_v28; // 0x562ee7
                                									_t57 = GetCPInfo(_t80, _t13);
                                									__eflags = _t57;
                                									if(_t57 == 0) {
                                										__eflags =  *0x5f9fac - _t95; // 0x0
                                										if(__eflags != 0) {
                                											goto L36;
                                										} else {
                                											goto L22;
                                										}
                                									} else {
                                										_t14 = _t99 + 0x18; // 0x560045
                                										E00548E00(_t95, _t14, _t95, 0x101);
                                										 *(_t99 + 4) = _t80;
                                										__eflags = _v28 - 2;
                                										 *((intOrPtr*)(_t99 + 0x21c)) = _t95;
                                										if(_v28 == 2) {
                                											__eflags = _v22;
                                											_t76 =  &_v22;
                                											if(_v22 != 0) {
                                												while(1) {
                                													_t89 = _t76[1];
                                													__eflags = _t89;
                                													if(_t89 == 0) {
                                														goto L18;
                                													}
                                													_t92 = _t89 & 0x000000ff;
                                													_t90 =  *_t76 & 0x000000ff;
                                													while(1) {
                                														__eflags = _t90 - _t92;
                                														if(_t90 > _t92) {
                                															break;
                                														}
                                														 *(_t99 + _t90 + 0x19) =  *(_t99 + _t90 + 0x19) | 0x00000004;
                                														_t90 = _t90 + 1;
                                														__eflags = _t90;
                                													}
                                													_t76 =  &(_t76[2]);
                                													__eflags =  *_t76;
                                													if( *_t76 != 0) {
                                														continue;
                                													}
                                													goto L18;
                                												}
                                											}
                                											L18:
                                											_t25 = _t99 + 0x1a; // 0x560047
                                											_t77 = _t25;
                                											_t88 = 0xfe;
                                											do {
                                												 *_t77 =  *_t77 | 0x00000008;
                                												_t77 =  &(_t77[1]);
                                												_t88 = _t88 - 1;
                                												__eflags = _t88;
                                											} while (_t88 != 0);
                                											_t26 = _t99 + 4; // 0xc033a47d
                                											 *((intOrPtr*)(_t99 + 0x21c)) = E00562BF0( *_t26);
                                											_t95 = 1;
                                										}
                                										goto L8;
                                									}
                                								} else {
                                									 *(_t99 + 4) = 0xfde9;
                                									 *((intOrPtr*)(_t99 + 0x21c)) = _t95;
                                									 *((intOrPtr*)(_t99 + 0x18)) = _t95;
                                									 *((short*)(_t99 + 0x1c)) = _t95;
                                									L8:
                                									 *((intOrPtr*)(_t99 + 8)) = _t95;
                                									_t12 = _t99 + 0xc; // 0x560039
                                									_t96 = _t12;
                                									asm("stosd");
                                									asm("stosd");
                                									asm("stosd");
                                									L9:
                                									E00562D04(_t80, _t92, _t96, _t99, _t99);
                                									L37:
                                								}
                                							}
                                						}
                                						goto L38;
                                					}
                                					_t28 = _t99 + 0x18; // 0x560045
                                					E00548E00(_t95, _t28, _t95, 0x101);
                                					_t60 = _v32 * 0x30;
                                					__eflags = _t60;
                                					_v36 = _t60;
                                					_t61 = _t60 + 0x5ee6e0;
                                					_v32 = _t61;
                                					do {
                                						__eflags =  *_t61;
                                						_t86 = _t61;
                                						if( *_t61 != 0) {
                                							while(1) {
                                								_t66 = _t86[1];
                                								__eflags = _t66;
                                								if(_t66 == 0) {
                                									break;
                                								}
                                								_t93 =  *_t86 & 0x000000ff;
                                								_t67 = _t66 & 0x000000ff;
                                								while(1) {
                                									__eflags = _t93 - _t67;
                                									if(_t93 > _t67) {
                                										break;
                                									}
                                									__eflags = _t93 - 0x100;
                                									if(_t93 < 0x100) {
                                										_t34 = _t95 + 0x5ee6c8; // 0x8040201
                                										 *(_t99 + _t93 + 0x19) =  *(_t99 + _t93 + 0x19) |  *_t34;
                                										_t93 = _t93 + 1;
                                										__eflags = _t93;
                                										_t67 = _t86[1] & 0x000000ff;
                                										continue;
                                									}
                                									break;
                                								}
                                								_t86 =  &(_t86[2]);
                                								__eflags =  *_t86;
                                								if( *_t86 != 0) {
                                									continue;
                                								}
                                								break;
                                							}
                                							_t61 = _v32;
                                						}
                                						_t95 = _t95 + 1;
                                						_t61 = _t61 + 8;
                                						_v32 = _t61;
                                						__eflags = _t95 - 4;
                                					} while (_t95 < 4);
                                					 *(_t99 + 4) = _t80;
                                					 *((intOrPtr*)(_t99 + 8)) = 1;
                                					 *((intOrPtr*)(_t99 + 0x21c)) = E00562BF0(_t80);
                                					_t46 = _t99 + 0xc; // 0x560039
                                					_t87 = _t46;
                                					_t92 = _v36 + 0x5ee6d4;
                                					_t96 = 6;
                                					do {
                                						_t64 =  *_t92;
                                						_t92 = _t92 + 2;
                                						 *_t87 = _t64;
                                						_t49 = _t87 + 2; // 0x8babab84
                                						_t87 = _t49;
                                						_t96 = _t96 - 1;
                                						__eflags = _t96;
                                					} while (_t96 != 0);
                                					goto L9;
                                				}
                                				L38:
                                				return E004958E2(_v8 ^ _t100);
                                			}






























                                APIs
                                  • Part of subcall function 00562C2E: GetOEMCP.KERNEL32(00000000,00562EA0,0056002D,00000000,00000020,00000020,00000000,?,0056002D), ref: 00562C59
                                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00562EE7,?,00000000,0056002D,558B0000,?,?,?,?,00000020), ref: 005630F7
                                • GetCPInfo.KERNEL32(00000000,.V,?,?,00562EE7,?,00000000,0056002D,558B0000,?,?,?,?,00000020,00000000), ref: 00563139
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: CodeInfoPageValid
                                • String ID: .V
                                • API String ID: 546120528-1832806769
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 97%
                                			E00562D04(void* __ebx, signed int __edx, void* __edi, void* __esi, char _a4) {
                                				signed int _v8;
                                				char _v264;
                                				char _v520;
                                				char _v776;
                                				char _v1800;
                                				char _v1814;
                                				struct _cpinfo _v1820;
                                				signed int _t58;
                                				char _t61;
                                				char _t67;
                                				signed char _t68;
                                				signed int _t69;
                                				signed int _t79;
                                				char _t84;
                                				signed int _t87;
                                				signed char _t88;
                                				char _t89;
                                				signed int _t90;
                                				void* _t91;
                                				intOrPtr _t97;
                                				signed int _t100;
                                				signed int _t102;
                                
                                				_t90 = __edx;
                                				_t100 = _t102;
                                				_t58 = E005EA214; // 0x21f212cc
                                				_v8 = _t58 ^ _t100;
                                				_t2 =  &_a4; // 0x56312f
                                				_t97 =  *_t2;
                                				if( *(_t97 + 4) == 0xfde9 || GetCPInfo( *(_t97 + 4),  &_v1820) == 0) {
                                					__eflags = 0;
                                					_t84 = 0;
                                					do {
                                						_t46 = _t84 - 0x61; // -97
                                						_t91 = _t46;
                                						_t47 = _t91 + 0x20; // -65
                                						__eflags = _t47 - 0x19;
                                						if(_t47 > 0x19) {
                                							__eflags = _t91 - 0x19;
                                							if(_t91 > 0x19) {
                                								_t61 = 0;
                                							} else {
                                								 *(_t97 + 0x19 + _t84) =  *(_t97 + 0x19 + _t84) | 0x00000020;
                                								_t54 = _t84 - 0x20; // -32
                                								_t61 = _t54;
                                							}
                                						} else {
                                							 *(_t97 + _t84 + 0x19) =  *(_t97 + _t84 + 0x19) | 0x00000010;
                                							_t52 = _t84 + 0x20; // 0x20
                                							_t61 = _t52;
                                						}
                                						 *((char*)(_t97 + _t84 + 0x119)) = _t61;
                                						_t84 = _t84 + 1;
                                						__eflags = _t84 - 0x100;
                                					} while (_t84 < 0x100);
                                					goto L27;
                                				} else {
                                					_t67 = 0;
                                					do {
                                						 *((char*)(_t100 + _t67 - 0x104)) = _t67;
                                						_t67 = _t67 + 1;
                                					} while (_t67 < 0x100);
                                					_t68 = _v1814;
                                					_t87 =  &_v1814;
                                					_v264 = 0x20;
                                					while(1) {
                                						_t111 = _t68;
                                						if(_t68 == 0) {
                                							break;
                                						}
                                						_t90 =  *(_t87 + 1) & 0x000000ff;
                                						_t69 = _t68 & 0x000000ff;
                                						while(1) {
                                							__eflags = _t69 - _t90;
                                							if(_t69 > _t90) {
                                								break;
                                							}
                                							__eflags = _t69 - 0x100;
                                							if(_t69 >= 0x100) {
                                								break;
                                							}
                                							 *((char*)(_t100 + _t69 - 0x104)) = 0x20;
                                							_t69 = _t69 + 1;
                                							__eflags = _t69;
                                						}
                                						_t87 = _t87 + 2;
                                						__eflags = _t87;
                                						_t68 =  *_t87;
                                					}
                                					E00562683(0, _t90, 0x100, _t97, _t111, 0, 1,  &_v264, 0x100,  &_v1800,  *(_t97 + 4), 0);
                                					E005650ED(0, 0x100, _t97, _t111, 0,  *((intOrPtr*)(_t97 + 0x21c)), 0x100,  &_v264, 0x100,  &_v520, 0x100,  *(_t97 + 4), 0);
                                					E005650ED(0, 0x100, _t97, _t111, 0,  *((intOrPtr*)(_t97 + 0x21c)), 0x200,  &_v264, 0x100,  &_v776, 0x100,  *(_t97 + 4), 0);
                                					_t79 = 0;
                                					do {
                                						_t88 =  *(_t100 + _t79 * 2 - 0x704) & 0x0000ffff;
                                						if((_t88 & 0x00000001) == 0) {
                                							__eflags = _t88 & 0x00000002;
                                							if((_t88 & 0x00000002) == 0) {
                                								_t89 = 0;
                                							} else {
                                								 *(_t97 + _t79 + 0x19) =  *(_t97 + _t79 + 0x19) | 0x00000020;
                                								_t89 =  *((intOrPtr*)(_t100 + _t79 - 0x304));
                                							}
                                						} else {
                                							 *(_t97 + _t79 + 0x19) =  *(_t97 + _t79 + 0x19) | 0x00000010;
                                							_t89 =  *((intOrPtr*)(_t100 + _t79 - 0x204));
                                						}
                                						 *((char*)(_t97 + _t79 + 0x119)) = _t89;
                                						_t79 = _t79 + 1;
                                					} while (_t79 < 0x100);
                                					L27:
                                					return E004958E2(_v8 ^ _t100);
                                				}
                                			}


























                                APIs
                                • GetCPInfo.KERNEL32(0000FDE9,?,00560039,0056002D,00000000), ref: 00562D36
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: Info
                                • String ID: $/1V-
                                • API String ID: 1807457897-4142512953
                                • Opcode ID: f2be5198adcf7d21119b7f66d411d57945494a1778183a75b1bbb62d99da5868
                                • Instruction ID: 36b9913c4c4b337251c0a7fdee68d25709ca0254d19094a28dd9274ec4442399
                                • Opcode Fuzzy Hash: f2be5198adcf7d21119b7f66d411d57945494a1778183a75b1bbb62d99da5868
                                • Instruction Fuzzy Hash: 7E414871504A989BDB228A28CC88BFA7FFDFB55304F2448BCE58AC7143D235AD45DB20
                                Uniqueness

                                Uniqueness Score: -1.00%

                                C-Code - Quality: 88%
                                			E00562683(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, intOrPtr _a12, intOrPtr _a16, short* _a20, intOrPtr _a24, intOrPtr _a28) {
                                				signed int _v8;
                                				intOrPtr _v12;
                                				signed int _v16;
                                				char _v20;
                                				intOrPtr _v28;
                                				char _v32;
                                				void* _v44;
                                				signed int _t30;
                                				signed int _t36;
                                				signed int _t40;
                                				int _t43;
                                				intOrPtr _t56;
                                				int _t58;
                                				short* _t60;
                                				signed int _t61;
                                				void* _t62;
                                				short* _t63;
                                
                                				_t30 = E005EA214; // 0x21f212cc
                                				_v8 = _t30 ^ _t61;
                                				E0054BC90( &_v32, __edx, _a4);
                                				_t48 = _a24;
                                				if(_a24 == 0) {
                                					_t48 =  *((intOrPtr*)(_v28 + 8));
                                				}
                                				_t58 = 0;
                                				_t36 = E0055F870(_t48, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                				_t63 = _t62 + 0x18;
                                				_v16 = _t36;
                                				if(_t36 == 0) {
                                					L16:
                                					if(_v20 != 0) {
                                						 *(_v32 + 0x350) =  *(_v32 + 0x350) & 0xfffffffd;
                                					}
                                					return E004958E2(_v8 ^ _t61);
                                				} else {
                                					_t56 = _t36 + _t36;
                                					_v12 = _t56;
                                					asm("sbb eax, eax");
                                					_t40 = _t36 & _t56 + 0x00000008;
                                					if(_t40 == 0) {
                                						_t60 = 0;
                                						L12:
                                						if(_t60 != 0) {
                                							E00548E00(_t58, _t60, _t58, _t56);
                                							_t43 = E0055F870(_t48, 1, _a12, _a16, _t60, _v16);
                                							if(_t43 != 0) {
                                								_t58 = GetStringTypeW(_a8, _t60, _t43, _a20);
                                							}
                                						}
                                						E00495791(_t60);
                                						goto L16;
                                					}
                                					if(_t40 > 0x400) {
                                						_t60 = E0055D53B(_t40);
                                						if(_t60 == 0) {
                                							L10:
                                							_t56 = _v12;
                                							goto L12;
                                						}
                                						 *_t60 = 0xdddd;
                                						L9:
                                						_t60 =  &(_t60[4]);
                                						goto L10;
                                					}
                                					E00496950();
                                					_t60 = _t63;
                                					if(_t60 == 0) {
                                						goto L10;
                                					}
                                					 *_t60 = 0xcccc;
                                					goto L9;
                                				}
                                			}





















                                APIs
                                • GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,0000FDE9), ref: 00562753
                                • __freea.LIBCMT ref: 0056275C
                                  • Part of subcall function 0055D53B: RtlAllocateHeap.NTDLL(00000000,?,?,?,0055E854,00001000,00000000,?,00000000,?,00557C40,00000000,00000000,00000000,00000000,?), ref: 0055D56D
                                Strings
                                Memory Dump Source
                                • Source File: 00000006.00000002.708694911.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                • Associated: 00000006.00000002.708977030.00000000005FF000.00000040.00020000.sdmp
                                Similarity
                                • API ID: AllocateHeapStringType__freea
                                • String ID: /1V-
                                • API String ID: 4073780324-1434601844
                                • Opcode ID: 98491d3f0e30d25bd4187e759b59956626844c3020911463c44467c2056fe0d8
                                • Instruction ID: 1f58d95448a3185267b5af4f7ba574429bbdde5da652f5fd6848e011010c5206
                                • Opcode Fuzzy Hash: 98491d3f0e30d25bd4187e759b59956626844c3020911463c44467c2056fe0d8
                                • Instruction Fuzzy Hash: 0531FE7290060AABDB21AF61DC84EAF7FA9FF80310F194528FC04A7251DB34CD51CBA0
                                Uniqueness

                                Uniqueness Score: -1.00%